leftshot (Members, 8 posts)

Everything posted by leftshot

  1. Well, Malwarebytes Anti-Rootkit found no threats the first time through and all functions seem to be working (your checklist above). Just in case, here are the logs. Once again, thank you so much for your assistance.

     Malwarebytes Anti-Rootkit BETA 1.06.0.1003
     www.malwarebytes.org

     Database version: v2013.05.31.08

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     davek :: WS-EP1 [administrator]

     5/31/2013 4:32:49 PM
     mbar-log-2013-05-31 (16-32-49).txt

     Scan type: Quick scan
     Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
     Scan options disabled: Deep Anti-Rootkit Scan | PUP
     Objects scanned: 312368
     Time elapsed: 24 minute(s), 17 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     Physical Sectors Detected: 0
     (No malicious items detected)

     (end)

     ---------------------------------------
     Malwarebytes Anti-Rootkit BETA 1.06.0.1003
     © Malwarebytes Corporation 2011-2012

     OS version: 5.1.2600 Windows XP Service Pack 3 x86

     Account is Administrative
     Internet Explorer version: 8.0.6001.18702
     File system is: NTFS
     Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
     CPU speed: 2.793000 GHz
     Memory total: 526462976, free: 224141312

     Downloaded database version: v2013.05.31.08
     Downloaded database version: v2013.05.22.01
     Initializing...
  2. Quick Question: Rogue Killer seems to be staying on "Searching for CLSID..." for a long time (5-10 minutes so far). Is that normal or have we gotten hung? I've restarted it once and am getting the same behavior.
  3. Okay, I ran the fixlist and have the log posted below. I also logged into the infected user account and the bogus FBI screen no longer comes up, nor does the bogus missing dll window that was part of the malware. Is there any other cleanup I need to do? Also, can you tell what this was attached to that caused the infection? The user claims they haven't installed anything lately and I don't want this to spread. I want to thank you for your help. I know you volunteer your time and am very appreciative of your efforts. I do the same in my realm, so I know how this can be both rewarding and at times thankless work. I want you to know your efforts are appreciated.

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-05-2013
     Ran by administrator at 2013-05-31 09:49:41 Run:1
     Running from C:\Documents and Settings\administrator.CCCM\Desktop
     Boot Mode: Normal
     ==============================================
     HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe => Value deleted successfully.
     HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Svc2dll => Value deleted successfully.
     C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll => File/Directory not found.
     C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe => File/Directory not found.
     C:\Documents and Settings\davek.CCCM\acrobat.exe => Moved successfully.
     C:\Documents and Settings\davek.CCCM\icq.exe => Moved successfully.
     C:\Documents and Settings\davek.CCCM\opera.exe => Moved successfully.
     C:\Documents and Settings\davek.CCCM\skype.exe => Moved successfully.
     ==== End of Fixlog ====
  4. Okay, here is the FRST.txt with Addition.txt attached.

     Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013
     Ran by administrator (administrator) on 31-05-2013 08:59:30
     Running from C:\Documents and Settings\administrator.CCCM\Desktop
     Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
     Internet Explorer Version 8
     Boot Mode: Normal

     ==================== Processes (Whitelisted) ===================

     (IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
     (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
     (IObit) C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
     (ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
     (Spigot, Inc.) C:\Program Files\Application Updater\ApplicationUpdater.exe
     (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
     (SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
     (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
     (Computer Associates) C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
     (Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
     (Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
     (SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
     (SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
     (Musicmatch, Inc.) C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
     (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     (Spigot, Inc.) C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
     (IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe
     (IObit) C:\Program Files\IObit\Advanced SystemCare 6\DelayLoad.exe

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64" [99840 2003-05-27] (SEIKO EPSON CORPORATION)
     HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
     HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [98304 2006-03-30] (Apple Computer, Inc.)
     HKLM\...\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [110592 2006-09-18] (Musicmatch, Inc.)
     HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [144784 2008-06-10] (Sun Microsystems, Inc.)
     HKLM\...\Run: [] [x]
     HKLM\...\Run: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1298240 2013-05-15] (Spigot, Inc.)
     HKLM\...\Winlogon: [system]
     Winlogon\Notify\klogon: C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
     Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
     HKCU\...\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [x]
     HKCU\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [491840 2013-04-18] (IObit)
     HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     HKU\administrator.FPCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     HKU\davek\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]
     HKU\davek\...\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES [x]
     HKU\davek\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU" [ 2003-05-27] (SEIKO EPSON CORPORATION)
     HKU\davek\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     HKU\davek.CCCM\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
     HKU\davek.CCCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     HKU\davek.CCCM\...\Run: [EPLTarget\P0000000000000000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 545" [ 2011-04-24] (SEIKO EPSON CORPORATION)
     HKU\davek.CCCM\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [ 2013-04-18] (IObit)
     HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll",DllRegisterServer [x]
     HKU\davek.CCCM\...\Run: [svc2dll] C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe [x]
     HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)
     HKU\davek.CCCM\...\Policies\system: [NoDispCpl] 0
     HKU\davek.CCCM\...\Policies\system: [NoDispAppearancePage] 0
     HKU\davek.CCCM\...\Policies\system: [NoDispBackgroundPage] 0
     HKU\davek.CCCM\...\Policies\system: [NoDispSettingsPage] 0
     HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     HKU\Sue McKinney\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
     SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)
     BootExecute: autocheck autochk * bootdelete

     ==================== Internet (Whitelisted) ====================

     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...-inc&channel=us
     HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...-inc&channel=us
     HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
     URLSearchHook: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
     URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
     SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...referrer:source?}
     HKCU SearchScopes: DefaultScope {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}
     SearchScopes: HKCU - {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}
     BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
     BHO: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
     BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
     BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
     BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
     BHO: Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()
     BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
     BHO: No Name - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~1\IObit\ADVANC~3\BROWER~1\ASCPLU~1.DLL (IObit)
     BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
     BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
     BHO: NetAssistant - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC)
     Toolbar: HKLM - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
     Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
     Toolbar: HKLM - Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()
     Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     Toolbar: HKLM - IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
     Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     Toolbar: HKCU -No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
     PDF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.q....588/qboax9.cab
     PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
     PDF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab
     PDF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
     PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
     PDF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
     Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [245248] (Microsoft Corporation)
     Tcpip\Parameters: [DhcpNameServer] 10.32.40.2

     ========================== Services (Whitelisted) =================

     R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
     R2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
     R2 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [806776 2013-05-15] (Spigot, Inc.)
     S3 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [311680 2010-03-12] (Kaspersky Lab)
     S3 CA_LIC_CLNT; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [77824 2002-09-20] (Computer Associates)
     S3 CA_LIC_SRVR; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [77824 2002-09-20] (Computer Associates)
     S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [76848 2007-03-07] ()
     R2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [521600 2011-06-09] (SEIKO EPSON CORPORATION)
     R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-05-30] (SurfRight B.V.)
     R2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit)
     R2 LogWatch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [53248 2002-09-20] (Computer Associates)
     S4 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2008-05-20] (McAfee, Inc.)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [147456 2004-11-19] (Intel® Corporation) S4 HidServ; %SystemRoot%\System32\hidserv.dll [x] R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x] ==================== Drivers (Whitelisted) ==================== R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2006-03-30] (Windows ® 2000 DDK provider) R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions) R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions) R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions) R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions) R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions) R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions) R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions) R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions) R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions) R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions) S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.) 
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider) R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302812 2005-10-14] (Intel Corporation) R1 kl1; C:\WINDOWS\system32\drivers\kl1.sys [126480 2009-11-12] (Kaspersky Lab) R3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab) R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [231512 2012-04-26] (Kaspersky Lab) R3 klim5; C:\Windows\System32\DRIVERS\klim5.sys [32272 2009-09-14] (Kaspersky Lab) R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [14776 2010-11-26] () R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1047816 2005-11-16] (SigmaTel, Inc.) S4 Abiosdsk; No ImagePath S4 Atdisk; No ImagePath S1 Changer; No ImagePath S0 hbhe; System32\drivers\qcjxbqy.sys [x] S1 lbrtfdc; No ImagePath S1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x] S1 PCIDump; No ImagePath S3 PDCOMP; No ImagePath S3 PDFRAME; No ImagePath S3 PDRELI; No ImagePath S3 PDRFRAME; No ImagePath S4 Simbad; No ImagePath S3 wanatw; system32\DRIVERS\wanatw4.sys [x] S3 WDICA; No ImagePath U1 WS2IFSL; ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST 2013-05-31 08:59 - 2013-05-31 08:55 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe 2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt 2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt 2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt 2013-05-30 16:31 - 2013-05-30 16:30 - 04745728 ____A (AVAST Software) C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.exe 2013-05-30 16:31 - 2013-05-30 16:26 - 
00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe 2013-05-30 15:53 - 2013-05-30 15:54 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings 2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar 2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater 2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk 2013-05-30 15:38 - 2013-05-30 15:51 - 00000000 ____D C:\Program Files\HitmanPro 2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2013-05-30 14:27 - 2013-05-30 14:26 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll 2013-05-30 14:27 - 2013-05-30 14:25 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll 2013-05-30 14:27 - 2013-05-30 14:25 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe 2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe 2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe 2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit 2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader 2013-05-30 13:39 - 2013-05-31 08:56 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job 2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache 
2013-05-30 13:19 - 2013-05-30 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro 2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes 2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe 2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe 2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe 2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe 2013-05-22 11:26 - 2013-05-30 09:16 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat 2013-05-20 12:31 - 2013-05-30 14:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16 2013-05-20 11:53 - 2013-05-30 14:15 - 00054156 ___AH C:\Windows\QTFont.qfn 2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for 2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager ==================== One Month Modified Files and Folders ======== 2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST 2013-05-31 08:58 - 2013-01-10 10:12 - 00081809 ____A C:\Windows\setupapi.log 2013-05-31 08:57 - 2013-03-12 13:09 - 00000284 ____A C:\Windows\Tasks\ASC6_PerformanceMonitor.job 2013-05-31 08:57 - 2011-09-01 18:04 - 00000296 ____A C:\Windows\Tasks\SmartDefrag_Startup.job 2013-05-31 08:57 - 2010-02-04 15:13 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-05-31 08:57 - 2007-08-06 11:52 - 00000062 __ASH C:\Documents and Settings\administrator.CCCM\Local Settings\desktop.ini 2013-05-31 08:57 - 2004-08-11 16:00 - 00002206 ____A C:\Windows\System32\wpa.dbl 2013-05-31 08:56 - 2013-05-30 13:39 - 00000438 ___AH 
C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job 2013-05-31 08:56 - 2004-08-11 16:20 - 00032632 ____A C:\Windows\SchedLgU.Txt 2013-05-31 08:55 - 2013-05-31 08:59 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe 2013-05-31 08:54 - 2004-08-11 16:13 - 01479980 ____A C:\Windows\WindowsUpdate.log 2013-05-31 08:53 - 2007-08-06 11:50 - 00000278 __ASH C:\Documents and Settings\davek.CCCM\ntuser.ini 2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini 2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini 2013-05-31 08:53 - 2004-08-11 16:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-05-31 08:53 - 2004-08-11 16:09 - 00000159 ____A C:\Windows\wiadebug.log 2013-05-31 08:53 - 2004-08-11 16:09 - 00000049 ____A C:\Windows\wiaservc.log 2013-05-31 08:52 - 2010-02-04 15:13 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-05-31 08:52 - 2007-08-06 11:50 - 00000062 __ASH C:\Documents and Settings\davek.CCCM\Local Settings\desktop.ini 2013-05-31 08:45 - 2007-08-06 11:52 - 00000178 ___SH C:\Documents and Settings\administrator.CCCM\ntuser.ini 2013-05-31 08:44 - 2006-06-15 09:58 - 00000000 __HDC C:\Windows\$NtUninstallKB911280$ 2013-05-31 08:42 - 2012-04-26 10:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-05-30 23:00 - 2011-11-16 18:14 - 00000314 ____A C:\Windows\Tasks\Regwork.job 2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt 2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt 2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt 2013-05-30 16:30 - 2013-05-30 16:31 - 04745728 ____A (AVAST Software) C:\Documents and 
Settings\administrator.CCCM\Desktop\aswMBR.exe 2013-05-30 16:26 - 2013-05-30 16:31 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe 2013-05-30 15:54 - 2013-05-30 15:53 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings 2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar 2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater 2013-05-30 15:53 - 2013-03-12 13:09 - 00000000 ____D C:\Program Files\Common Files\Spigot 2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk 2013-05-30 15:51 - 2013-05-30 15:38 - 00000000 ____D C:\Program Files\HitmanPro 2013-05-30 15:48 - 2006-04-25 13:15 - 00000000 __SHD C:\Windows\CSC 2013-05-30 15:39 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Common Files\Java 2013-05-30 15:38 - 2013-05-30 13:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro 2013-05-30 15:38 - 2012-04-26 13:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-05-30 15:38 - 2007-01-17 17:46 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Sonic 2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2013-05-30 14:26 - 2013-05-30 14:27 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll 2013-05-30 14:25 - 2013-05-30 14:27 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll 2013-05-30 14:25 - 2013-05-30 14:27 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe 2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe 2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe 2013-05-30 14:25 - 2010-05-05 19:19 - 00788896 ____A 
(Oracle Corporation) C:\Windows\System32\deployJava1.dll 2013-05-30 14:25 - 2007-04-16 10:49 - 00144896 ____A (Oracle Corporation) C:\Windows\System32\javacpl.cpl 2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit 2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit 2013-05-30 14:24 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Java 2013-05-30 14:20 - 2008-07-10 13:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee 2013-05-30 14:17 - 2013-03-12 10:08 - 00000925 ____A C:\Documents and Settings\All Users\Desktop\Uninstaller.lnk 2013-05-30 14:17 - 2013-03-12 10:08 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk 2013-05-30 14:15 - 2013-05-20 11:53 - 00054156 ___AH C:\Windows\QTFont.qfn 2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader 2013-05-30 14:02 - 2013-05-20 12:31 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16 2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache 2013-05-30 13:10 - 2012-12-02 13:12 - 00000000 ___RD C:\Documents and Settings\davek.CCCM\My Documents\Dropbox 2013-05-30 13:10 - 2012-12-02 13:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Dropbox 2013-05-30 13:08 - 2004-08-11 16:12 - 00000000 ____D C:\Windows\System32\Restore 2013-05-30 12:45 - 2008-10-23 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB958644$ 2013-05-30 11:29 - 2009-07-21 16:03 - 00000000 __HDC C:\Windows\$NtUninstallKB961371$ 2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes 2013-05-30 11:15 - 2011-09-01 17:42 
- 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\IObit 2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe 2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe 2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe 2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe 2013-05-30 09:17 - 2004-08-11 16:11 - 00000000 ____D C:\Windows\System32\FxsTmp 2013-05-30 09:16 - 2013-05-22 11:26 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat 2013-05-23 11:26 - 2012-11-11 13:57 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\TAG 2013-05-20 17:12 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Saftey.Scrty 2013-05-20 17:10 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Staffing 2013-05-20 13:34 - 2012-04-30 10:15 - 00002187 ____A C:\Documents and Settings\All Users\Desktop\Safari.lnk 2013-05-20 12:00 - 2011-09-29 14:08 - 00000000 ____D C:\Program Files\Safari 2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for 2013-05-20 10:06 - 2011-09-29 14:07 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job 2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager 2013-05-17 12:42 - 2006-04-28 13:16 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\MCS 2013-05-17 12:41 - 2012-10-11 11:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\High School 2013-05-16 12:35 - 2006-04-28 13:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Newsletter 2013-05-14 11:42 - 2012-04-26 10:13 - 00692104 ____A (Adobe Systems Incorporated) 
C:\Windows\System32\FlashPlayerApp.exe 2013-05-14 11:42 - 2011-08-17 10:09 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl 2013-05-13 11:04 - 2012-06-05 14:40 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\GospelinLife 2013-05-13 11:04 - 2006-04-28 13:19 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Personal 2013-05-13 11:03 - 2012-03-08 14:04 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Tech Task Force 2013-05-13 11:03 - 2010-06-23 12:10 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Transition 2013-05-12 11:32 - 2011-09-29 14:07 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple 2013-05-08 16:50 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Policies and Procedures Other Malware: =========== C:\Documents and Settings\davek.CCCM\acrobat.exe C:\Documents and Settings\davek.CCCM\icq.exe C:\Documents and Settings\davek.CCCM\opera.exe C:\Documents and Settings\davek.CCCM\skype.exe ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== End Of Log ============================ Addition.txt
  5. I have a Dell PC running Windows XP that got infected with the FBI Green Dot Moneypak Virus. This system has an administrator account that was not infected, so I used it to run MalwareBytes this morning (with all current updates). Found and removed a lot of detected problems, but alas I still get the fake FBI notice screen with the infected account. I've run Quick and Full Scans with MalwareBytes, scans with Hitman Pro (often recommended to remove this virus), and run Advanced System Care, which found one piece of malware it removed. I had tried to remove/disable this by doing a system restore, but all recent system restore dates fail. Bottom line is I still get the fake screen on the infected account. How do you suggest I proceed?
  6. Elise, thank you for the excellent support to a very nasty virus. Your last pieces of advice I follow on a regular basis. This problem was somewhat "self inflicted" as I trusted a site and downloaded some software that obviously had malware and a back door Trojan attached. I'm baring my soul in the hopes that others reading this benefit.
  7. Well that wasn't good news. I took the precautionary steps with any account information. I decided to reinstall the operating system and then ran TDSS Killer. It found nothing, but I've uploaded the log as you requested. Let me know if there is anything else I should do before completing the rebuild of the system. TDSSKiller.2.5.0.0_03.05.2011_23.57.03_log.txt
  8. I've run all the tests listed in the "I'm infected - What do I do now?" post and will upload here. I'm using the avast antivirus program, so it's catching the network calls, but it's annoying and I can't get rid of the malware with your otherwise excellent MalwareBytes and need some help (which I thank you for in advance).

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6470

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/29/2011 8:23:13 AM
mbam-log-2011-04-29 (08-23-13).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 295676
Time elapsed: 1 hour(s), 1 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\xmfw\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\itlpfw32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
++++++++++++++++++++++++++++++++++++++++

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jay at 12:02:43.90 on Sat 04/30/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.60 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\AVAST Software\Avast\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\WINDOWS\system32\ASTSRV.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Program Files\Macrium\Reflect\ReflectService.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apoint.exe C:\program files\real\realplayer\update\realsched.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\AVAST Software\Avast\avastUI.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\DivX\DivX Update\DivXUpdate.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\HP\Digital 
Imaging\bin\hpqtra08.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\AVAST Software\Avast\setup\avast.setup C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Documents and Settings\Jay\Desktop\Defogger.exe C:\Documents and Settings\Jay\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.searchqu.com/406 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway uInternet Settings,ProxyOverride = *.local uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll mWinlogon: Userinit=userinit.exe BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll BHO: Yahoo! 
IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll TB: avast! 
WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe" mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe" mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe mRun: [Apoint] c:\program files\apoint\Apoint.exe mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe" mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital 
imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://65.206.219.137/wfc/plugins/j2re-1_3_1_02-win.exe DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - 
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin2.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://rubyfortune.gameassists.co.uk/rubyfortune/FlashAX2.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Notify: igfxcui - igfxdev.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . 
FF - ProfilePath - c:\docume~1\jay\applic~1\mozilla\firefox\profiles\3u1l7yoj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Ask.com FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15004&locale=en_US&apn_uid=813B8677-79C0-4BFB-A4B5-6A39E52FDC71&apn_ptnrs=PW&apn_sauid=BA5D5C45-EE4F-45C0-981E-EF9E1F7A440A&apn_dtid=&q= FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll FF - plugin: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll FF - plugin: c:\documents and settings\jay\application data\mozilla\plugins\npPxPlay.dll FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll FF - plugin: c:\program 
files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com FF - Ext: LogMeIn, Inc. 
Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com FF - Ext: Sopcast Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: toolbar@shopathome.com - %profile%\extensions\toolbar@shopathome.com FF - Ext: We-Care Reminder: wecarereminder@bryan - %profile%\extensions\wecarereminder@bryan FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef} FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa . ============= SERVICES / DRIVERS =============== . R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-1-17 16024] R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-18 371544] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-18 301528] R1 mfehidk;McAfee Inc. 
mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-18 19544] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-5 47640] S1 MpKsl52e58e79;MpKsl52e58e79; [x] S1 MpKslc63f34a9;MpKslc63f34a9; [x] S1 MpKsld4976d90;MpKsld4976d90; [x] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-15 34248] S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [2004-4-14 20736] S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-19 17408] S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2009-4-9 91830] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . . ==================== Find3M ==================== . 2011-04-17 23:48:53 60 ----a-w- c:\windows\wpd99.drv 2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll 2011-04-06 23:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll 2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr 2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec 2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-16 01:40:52 229376 ----a-w- c:\windows\system32\PuranDefragS.exe 2011-02-16 01:40:52 221184 ----a-w- c:\windows\system32\PuranDC.exe 2011-02-16 
01:40:52 1110016 ----a-w- c:\windows\system32\PuranFD.exe 2011-02-16 01:40:52 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe 2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe 2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll . =================== ROOTKIT ==================== . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: HTS548060M9AT00 rev.MGBOA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 . device: opened successfully user: MBR read successfully . Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F09730]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f0fa10]; MOV EAX, [0x86f0fa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F80AB8] 3 CLASSPNP[0xF7607FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86E7F708] \Driver\atapi[0x86FD8F38] -> IRP_MJ_CREATE -> 0x86F09730 error: Read A device attached to the system is not functioning. kernel: MBR read successfully _asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; } detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x86F0957B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! . ============= FINISH: 12:22:35.64 =============== Attach.zip