BSOD after Removing Threats with Malwarebytes


Hello, I'm looking for someone to help me solve this issue.

Yesterday my wife caught a virus from a website. There seem to be multiple viruses included in this infection, but the most obvious was called ThinkPoint. ThinkPoint seemed to act like all the other False Antivirus viruses that I've removed before (I fix other people's virus problems too), but this was more difficult to remove. I tried Combofix, but it didn't fully get rid of everything. After installing Malwarebytes, I ran the update, but once it got 50% through updating, the computer BSOD'd. I tried Spyware Doctor, but during installation it BSOD'd. I tried in both safe mode and regular mode. I then figured I had a rootkit infection. I checked Disk Management and noticed that the C drive doesn't show up now, although it appears in My Computer and I can access all files. I used a rootkit revealer to show an infected service. It allowed me to disable the service and reboot, then delete the .sys file associated with the service. From there I was able to successfully update Malwarebytes, as well as install Spyware Doctor. It seems the rootkit infection preventing me from using those applications is gone. Now for my current issue. If I run Malwarebytes, it will find some infected files and delete them. Upon reboot, I get 0x0000007B with no description (i.e. it doesn't actually say inaccessible boot device, just the 0x0000007B code). Using the recovery console, I can copy the sam, system, security, and software hives over the ones in c:\windows\system32\config from a backup located in System Volume Information, and then the computer boots again. If I run Malwarebytes again, same thing: it finds some .dll files and removes them, and upon the next reboot I get the 0x0000007B BSOD again. It seems the only way to get running again once Malwarebytes removes these infected files is to copy the hives again, and then voila. I'm on my third attempt now, seeking advice. I want to kick this thing's butt rather than reinstall or remain infected.
I know there's some smart people here who can help me!

Please advise...


Please post the MBAM log and the Combofix log (C:\Combofix.txt)!

What is your operating system and is it 32 or 64 bit?

I checked Disk Management and noticed that C drive doesn't show up now, although it appears in my computer and I can access all files.

This is a symptom of TDL3 Alureon rootkit.

FYI:

http://secure-computer-solutions.com/blog/...p_your_mbr.html

Run MBRCheck:

Download MBRCheck to your desktop

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

Run TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

ThinkPoint Removal Guide:

http://www.bleepingcomputer.com/virus-remo...move-thinkpoint

Post back the following logs (Do NOT attach):

1. C:\Combofix.txt

2. MBAM Log

3. MBRCheck Log

4. TDSSKiller log


Negster22,

Thanks for the reply. I am using XP Pro 32. I have 1 Combofix & 3 mbam logs:

More to come as I follow your suggestions.

---------------------------------------------------------------------------

ComboFix 10-10-18.03 - User 10/19/2010 0:48:14.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2390 [GMT -7:00]

Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\cleansweep.exe

C:\cleansweep.exe\cleansweep.exe

C:\cleansweep.exe\config.bin

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578\enemies-names.txt

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578\local.ini

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578\lsrslt.ini

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578\terrapoint700x0main.exe

C:\Documents and Settings\User\Application Data\2D07B8F5D05E5F624E3E6F3691036578\upd_debug.exe

C:\Documents and Settings\User\Application Data\hotfix.exe

C:\Documents and Settings\User\Application Data\Paqe

C:\Documents and Settings\User\Application Data\Paqe\hyag.exe

C:\Documents and Settings\User\Local Settings\Application Data\{62018A24-A08F-448C-B089-79E556411BCC}

C:\Documents and Settings\User\Local Settings\Application Data\{62018A24-A08F-448C-B089-79E556411BCC}\chrome.manifest

C:\Documents and Settings\User\Local Settings\Application Data\{62018A24-A08F-448C-B089-79E556411BCC}\chrome\content\_cfg.js

C:\Documents and Settings\User\Local Settings\Application Data\{62018A24-A08F-448C-B089-79E556411BCC}\chrome\content\overlay.xul

C:\Documents and Settings\User\Local Settings\Application Data\{62018A24-A08F-448C-B089-79E556411BCC}\install.rdf

C:\WINDOWS\ifahowil.dll

C:\WINDOWS\msevoror.dll

C:\WINDOWS\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

.

2010-10-19 07:19:58 . 2010-10-19 07:19:58 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache

2010-10-19 07:19:06 . 2010-10-19 07:19:06 -------- d-sh--w- C:\Documents and Settings\LocalService\PrivacIE

2010-10-18 18:38:00 . 2010-10-19 07:06:38 0 ----a-w- C:\WINDOWS\Lhuqu.bin

2010-10-18 18:31:42 . 2010-10-19 08:21:09 843264 ----a-w- C:\WINDOWS\system32\drivers\mrrwh.sys

2010-10-18 18:30:25 . 2010-10-19 07:32:31 -------- d-----w- C:\Documents and Settings\User\Application Data\Giylxe

2010-10-17 11:42:00 . 2010-10-17 11:42:13 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Temp

2010-10-07 06:42:00 . 2010-10-07 06:42:00 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

2010-10-07 06:37:45 . 2010-10-07 06:37:45 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

2010-10-07 06:37:36 . 2010-10-19 07:11:33 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Google

2010-10-07 06:34:55 . 2010-10-19 07:11:33 -------- d-----w- C:\Program Files\Google

2010-09-20 14:56:51 . 2010-09-20 14:56:51 -------- d-----w- C:\ProgramData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

------- Sigcheck -------

[-] 2009-10-05 01:30:13 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-26 16:15:04 1682368]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 03:05:26 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 06:41:36 23552]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:26:04 52896]

"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-28 03:33:44 125168]

"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 04:14:48 153608]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 04:44:14 102400]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2009-10-6 813584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 19:28:42 72208 ----a-w- c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

-------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4888

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

10/19/2010 10:49:16 PM

mbam-log-2010-10-19 (22-49-16).txt

Scan type: Quick scan

Objects scanned: 141049

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqiboje (Trojan.Hiloti) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\oxirijego.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Local Settings\temp\kplw.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Local Settings\temp\ssvs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Local Settings\temp\udfdi.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\WINDOWS\msevoror.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4897

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

10/20/2010 11:57:11 PM

mbam-log-2010-10-20 (23-57-11).txt

Scan type: Quick scan

Objects scanned: 142111

Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4897

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

10/21/2010 7:08:54 AM

mbam-log-2010-10-21 (07-08-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 368292

Time elapsed: 50 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\User\Application Data\Zepi\evowa.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\hotfix.exe.vir (Trojan.MultipleAV) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\Paqe\hyag.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\msevoror.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------------------------------------------------------------


This is a symptom of TDL3 Alureon rootkit.

FYI:

http://secure-computer-solutions.com/blog/...p_your_mbr.html

That link was right on the money, because it's not just the Disk Management console; diskpart is doing the same thing as described in your link.

TDSSKiller found TDL4 Rootkit on HardDisk2\MBR

Not sure if it's referring to my external drive since it says HardDisk2 (I have my OS internal, and an external for Data).

No log yet, I still have the TDSSKiller results on my screen and I'm not sure which action to take since it's my MBR (even though I can fixmbr with recovery console if something happens).

Options are skip, quarantine, cure, restore.

------------------------------------------------------------

MBRCheck Log:

------------------------------

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000003fc

Kernel Drivers (total 159):


Processes (total 44):


\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD740GD-00FLA2, Rev: 31.08F31

PhysicalDrive1 Model Number: ExternalDisk0, Rev: RGL10324

Size Device Name MBR Status

--------------------------------------------

69 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

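The MBRCheck step in the reply above and the "MBR Status" lines in this log both come down to one check: read the first sector of each physical drive, confirm it is a well-formed MBR, decode the partition table (the "at offset 0x...7e00" values are the first partition's LBA times 512), and compare a hash of the boot-code region against a known-good value. The Python below is an added illustration of that check, not code from the thread or from MBRCheck; it runs on a constructed 512-byte sample, and the allowlist of clean hashes and the `read_mbr` device path are assumptions the operator supplies.

```python
"""Parse and sanity-check a 512-byte MBR sector (added example, not from the thread)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # code region; disk signature and partition table follow
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical drive (Windows, needs admin rights).
    A TDL3/TDL4-class rootkit can filter disk reads on the running system, so a
    clean result here only means something when taken from a known-clean boot."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries; unused (type 0) entries are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                        # 0x07 = NTFS on an XP-era disk
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,    # what MBRCheck prints as "at offset"
            "sectors": sectors,
        })
    return entries


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the code region only; the table and disk signature differ per machine."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, allowlist) -> tuple:
    """Return (verdict, info). allowlist holds SHA-1s recorded from clean installs
    (an operator-supplied assumption; this page gives no such list)."""
    if len(mbr) != SECTOR or mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        return "invalid", {}
    info = {"sha1": boot_code_sha1(mbr), "partitions": parse_partition_table(mbr)}
    if info["sha1"] in allowlist:
        return "known-good", info
    # A bootkit such as TDL4 rewrites the code bytes but leaves the partition table
    # intact so Windows still boots: a well-formed table plus an unknown code hash
    # is exactly the case to escalate, not to ignore.
    return "unknown-code", info


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition starting at LBA 63 (0x7E00)."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = b"\xde\xad\xbe\xef\x00\x00"          # made-up disk signature + padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 144000000)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


def report(mbr: bytes, allowlist) -> str:
    """One-line summary in the spirit of MBRCheck's 'MBR Status' column."""
    verdict, info = check_mbr(mbr, allowlist)
    if verdict == "invalid":
        return "no valid MBR signature"
    parts = ", ".join("#%d type 0x%02X at offset 0x%08x%s" % (
        p["index"], p["type"], p["byte_offset"], " (boot)" if p["bootable"] else "")
        for p in info["partitions"])
    return "%s SHA1: %s [%s]" % (verdict, info["sha1"], parts)


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(report(sample, allowlist=set()))                     # unknown-code ...
    print(report(sample, allowlist={boot_code_sha1(sample)}))  # known-good ...
```

On a real machine the same checks are run on `read_mbr()` output for each drive, with the allowlist built from hashes recorded on clean installs of the same Windows version.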

I chose to select cure in TDSS. After reboot I scanned with TDSS again and nothing found.

Here's the log:

----------------------

2010/10/21 23:29:29.0265 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/21 23:29:29.0265 ================================================================================

2010/10/21 23:29:29.0265 SystemInfo:

2010/10/21 23:29:29.0265

2010/10/21 23:29:29.0265 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/21 23:29:29.0265 Product type: Workstation

2010/10/21 23:29:29.0265 ComputerName: User-PC

2010/10/21 23:29:29.0265 UserName: User

2010/10/21 23:29:29.0265 Windows directory: C:\WINDOWS

2010/10/21 23:29:29.0265 System windows directory: C:\WINDOWS

2010/10/21 23:29:29.0265 Processor architecture: Intel x86

2010/10/21 23:29:29.0265 Number of processors: 1

2010/10/21 23:29:29.0265 Page size: 0x1000

2010/10/21 23:29:29.0265 Boot type: Normal boot

2010/10/21 23:29:29.0265 ================================================================================

2010/10/21 23:29:29.0421 Initialize success

2010/10/21 23:29:33.0625 ================================================================================

2010/10/21 23:29:33.0625 Scan started

2010/10/21 23:29:33.0625 Mode: Manual;

2010/10/21 23:29:33.0625 ================================================================================


2010/10/21 23:29:37.0640 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/21 23:29:37.0703 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/21 23:29:37.0734 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/21 23:29:37.0781 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/21 23:29:37.0828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/21 23:29:37.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/21 23:29:37.0921 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/21 23:29:37.0937 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/21 23:29:37.0968 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/21 23:29:38.0000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/21 23:29:38.0031 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/21 23:29:38.0046 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/21 23:29:38.0093 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/10/21 23:29:38.0125 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys

2010/10/21 23:29:38.0140 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/21 23:29:38.0234 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101018.002\naveng.sys

2010/10/21 23:29:38.0296 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101018.002\navex15.sys

2010/10/21 23:29:38.0359 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/21 23:29:38.0375 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/21 23:29:38.0406 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/21 23:29:38.0453 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/21 23:29:38.0468 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/21 23:29:38.0484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/21 23:29:38.0515 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/21 23:29:38.0562 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/10/21 23:29:38.0593 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/21 23:29:38.0625 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/21 23:29:38.0703 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/21 23:29:38.0718 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/21 23:29:38.0750 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/21 23:29:38.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/10/21 23:29:38.0812 ossrv (0e2f8a96f238d4a45068275fc659a2fc) C:\WINDOWS\system32\drivers\ctoss2k.sys

2010/10/21 23:29:38.0843 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/21 23:29:38.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/21 23:29:38.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/21 23:29:38.0937 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/21 23:29:38.0984 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/21 23:29:39.0125 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/21 23:29:39.0156 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/21 23:29:39.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/21 23:29:39.0203 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/21 23:29:39.0296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/21 23:29:39.0328 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/21 23:29:39.0343 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/21 23:29:39.0375 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/21 23:29:39.0406 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/21 23:29:39.0421 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/21 23:29:39.0453 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/21 23:29:39.0484 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/21 23:29:39.0515 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/21 23:29:39.0578 rt2870 (4311d22a38f7e403475aa2c338768c11) C:\WINDOWS\system32\DRIVERS\rt2870.sys

2010/10/21 23:29:39.0687 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

2010/10/21 23:29:39.0703 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2010/10/21 23:29:39.0734 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/21 23:29:39.0781 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/21 23:29:39.0812 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/21 23:29:39.0843 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2010/10/21 23:29:39.0890 Si3132 (0b9b5c6df6226497ef4819b6e1b2efd5) C:\WINDOWS\system32\DRIVERS\SI3132.sys

2010/10/21 23:29:39.0906 SiFilter (ad29a80543c63e5b3588d118fb327e22) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys

2010/10/21 23:29:39.0953 SiRemFil (b19efe5e45ae31f3c3e4c4f0f9da3c49) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys

2010/10/21 23:29:40.0000 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2010/10/21 23:29:40.0046 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/21 23:29:40.0062 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/21 23:29:40.0125 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/21 23:29:40.0156 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/21 23:29:40.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/21 23:29:40.0250 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS

2010/10/21 23:29:40.0265 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2010/10/21 23:29:40.0296 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2010/10/21 23:29:40.0359 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/21 23:29:40.0421 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/21 23:29:40.0453 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/21 23:29:40.0484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/21 23:29:40.0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/21 23:29:40.0578 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/21 23:29:40.0640 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/21 23:29:40.0687 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/10/21 23:29:40.0734 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/21 23:29:40.0765 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/21 23:29:40.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/21 23:29:40.0812 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/21 23:29:40.0859 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/21 23:29:40.0890 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/21 23:29:40.0921 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/21 23:29:40.0968 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/21 23:29:41.0000 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys

2010/10/21 23:29:41.0062 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/21 23:29:41.0093 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys

2010/10/21 23:29:41.0156 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/10/21 23:29:41.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/21 23:29:41.0296 WmBEnum (84a90f13eebf4380345ef9474d30f10e) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/10/21 23:29:41.0343 WmFilter (eb0034ac02a44dc784a3174d2b81e764) C:\WINDOWS\system32\drivers\WmFilter.sys

2010/10/21 23:29:41.0390 WmVirHid (72c4f5a748c74d8d4016ccfa7367210f) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/10/21 23:29:41.0406 WmXlCore (eacdcced934a185e61ce0684f71c2dec) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/10/21 23:29:41.0453 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/10/21 23:29:41.0500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/21 23:29:41.0546 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/21 23:29:41.0593 yukonwxp (91ef29d374ca305737401a6505efa9ed) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

2010/10/21 23:29:41.0703 \HardDisk2\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/10/21 23:29:41.0703 ================================================================================

2010/10/21 23:29:41.0703 Scan finished

2010/10/21 23:29:41.0703 ================================================================================

2010/10/21 23:29:41.0718 Detected object count: 1

2010/10/21 23:37:56.0343 \HardDisk2\MBR - will be cured after reboot

2010/10/21 23:37:56.0343 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure

2010/10/21 23:38:04.0359 Deinitialize success

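The TDSSKiller log above is a flat driver inventory ("service (md5) path" per line) followed by the detection lines, and the interesting part is easy to miss at the bottom: the only hit is in the MBR of \HardDisk2, not in any driver file. As an added example that is not part of this thread or of TDSSKiller, here is a small Python triage pass over that format. The sample lines are constructed from the log above; the BASELINE hashes are a hypothetical "known-clean reference machine" list (the Ntfs value is copied from the log, the m5288 value is deliberately wrong so the mismatch path runs), and the "standard driver directory" rule is my own choice.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the TDSSKiller log above: the driver
# inventory ("service (md5) path") followed by the MBR detection lines.
SAMPLE_LOG = r"""
2010/10/21 23:29:36.0250 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/21 23:29:37.0578 m5288 (485ed377977dc9661626aaab614504cf) C:\WINDOWS\system32\DRIVERS\m5288.sys
2010/10/21 23:29:38.0625 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/21 23:29:41.0000 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2010/10/21 23:29:41.0703 \HardDisk2\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/21 23:29:41.0718 Detected object count: 1
2010/10/21 23:37:56.0343 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure
"""

# Hypothetical baseline: service -> MD5 as recorded on a known-clean reference
# machine of the same build. The Ntfs hash is copied from the log; the m5288
# value is deliberately different so the mismatch branch is exercised.
BASELINE = {
    "Ntfs": "78a08dd6a8d65e697c18e1db01c5cdca",
    "m5288": "0123456789abcdef0123456789abcdef",
}

# Drivers living anywhere else get listed for review (not condemned: vendor
# drivers legitimately live under Program Files or directly in system32).
STANDARD_DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"

# "<date> <time> <service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+ \S+) (\S+) \(([0-9a-f]{32})\) (.+)$")
# "<date> <time> <target> - detected <name> (<n>)"
DETECT_RE = re.compile(r"^(\S+ \S+) (\S+) - detected (\S+) \((\d+)\)$")


@dataclass(frozen=True)
class Driver:
    service: str
    md5: str
    path: str


@dataclass(frozen=True)
class Detection:
    target: str   # e.g. \HardDisk2\MBR, so it can be matched to Disk Management's disk numbers
    name: str


def parse_tdsskiller(text):
    """Split a TDSSKiller log into the driver inventory and the detections."""
    drivers, detections = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append(Detection(target=m.group(2), name=m.group(3)))
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(Driver(service=m.group(2), md5=m.group(3).lower(), path=m.group(4)))
    return drivers, detections


def triage(drivers, detections, baseline):
    """Return review lists: odd load paths, hash drift against the baseline, and hits."""
    report = {"nonstandard_path": [], "hash_mismatch": [], "detections": list(detections)}
    for d in drivers:
        if not d.path.lower().startswith(STANDARD_DRIVER_DIR):
            report["nonstandard_path"].append(d)
        expected = baseline.get(d.service)
        if expected is not None and expected.lower() != d.md5:
            report["hash_mismatch"].append(d)
    return report


if __name__ == "__main__":
    drv, det = parse_tdsskiller(SAMPLE_LOG)
    for key, items in triage(drv, det, BASELINE).items():
        print(key)
        for item in items:
            print("   ", item)
```

Two things worth noting when using it on a real log. The hash comparison only means something against a baseline from the same Windows build and patch level, since every service pack changes these files. And an MBR detection with zero file hits is exactly the pattern behind the symptoms in the first post: the bootkit lives outside the file system, so cleaning .dll files leaves it in place to break the next boot.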

Also now, in Disk Management my C drive shows up!

But, it wants to initialize and convert my disk 2 (data drive) even though I can still access all the data on it...

What should I do? Will initialize and convert harm my data?

I found this in a Microsoft article on "initialize and convert":

http://www.microsoft.com/windowsxp/using/s...anced/ntfs.mspx

Convert refers to converting the drive format to NTFS

From what I gathered in that link, it looks like "initialize and convert" would be data destructive so hold off on that especially since you can read the data just fine.

If your disk 2 is external, you can try to plug it into another computer and see if you receive the same prompt.

Please give me some time to go over your logs, and in the meantime, let me know if an MBAM scan still produces a BSOD.

And additionally, please run this scan and post back the scan report as directed:

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

Save and rename it as you download it to iexplore.exe

Double-click iexplore.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform the scan and then click Finish when it is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start => Run

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log


Delete the copy of combofix.exe that you have on your desktop.

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before downloading a new combofix.exe. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Please download Combofix from one of these locations:

HERE or HERE

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.


KillAll::

DirLook::
C:\Documents and Settings\User\Application Data\Giylxe

MIA::
c:\windows\System32\sfcfiles.dll

SRPeek::
c:\windows\System32\sfcfiles.dll

Driver::
mrrwh

Collect::[4][75]
C:\WINDOWS\Lhuqu.bin
C:\WINDOWS\system32\drivers\mrrwh.sys

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This action will cause ComboFix to launch and begin scanning.

Combofix should prompt you to approve uploading of a suspicious file during its run.

Please let me know if it does!!

Please post back the log that opens when it finishes, C:\Combofix.txt.

Re-enable your real-time protection.

Are you running remote desktop?

If not, upload this file to VirusTotal using the "Upload a file" function and post back the link to the scan report:

C:\WINDOWS\system32\mstsc.exe <===

If VirusTotal says the file was already scanned, I want you to rescan it and do not just post back the previous scan results.

Please post back C:\Combofix.txt

Please post back the MSRT log requested in my last reply.

Thanks!


I haven't run MSRT yet, but here's the ComboFix log:

And it did ask me to upload for analysis; I clicked yes.

-------------------------------------------------------------

ComboFix 10-10-22.04 - User 10/22/2010 23:09:27.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2340 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\Lhuqu.bin

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Local Settings\Application Data\{B9C5CE07-433E-4C7E-A205-FE7757EF1848}

c:\documents and settings\User\Local Settings\Application Data\{B9C5CE07-433E-4C7E-A205-FE7757EF1848}\chrome.manifest

c:\documents and settings\User\Local Settings\Application Data\{B9C5CE07-433E-4C7E-A205-FE7757EF1848}\chrome\content\_cfg.js

c:\documents and settings\User\Local Settings\Application Data\{B9C5CE07-433E-4C7E-A205-FE7757EF1848}\chrome\content\overlay.xul

c:\documents and settings\User\Local Settings\Application Data\{B9C5CE07-433E-4C7E-A205-FE7757EF1848}\install.rdf

c:\windows\Lhuqu.bin

c:\windows\system32\Drivers\qpgd.sys

c:\windows\system32\Drivers\xuhawge.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MRRWH

-------\Service_mrrwh

((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))

.

2010-10-22 06:06 . 2010-10-22 06:06 -------- dc-h--w- c:\windows\ie8

2010-10-21 06:52 . 2010-10-21 06:52 -------- d-----w- C:\regbackup

2010-10-21 06:47 . 2010-10-21 06:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-21 06:44 . 2010-10-21 06:44 -------- d-sh--w- c:\documents and settings\NetworkService\History

2010-10-21 04:20 . 2008-04-14 07:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys

2010-10-21 03:38 . 2010-10-21 03:38 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2010-10-21 03:38 . 2010-10-21 03:38 210304 ----a-w- c:\windows\system32\drivers\m5288.sys

2010-10-21 03:38 . 2010-10-21 03:38 990208 ----a-w- c:\windows\system32\syssetup.dll

2010-10-20 05:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-20 05:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-20 05:18 . 2010-10-21 06:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-10-20 04:32 . 2010-10-20 04:32 -------- d-----w- c:\documents and settings\User\DoctorWeb

2010-10-20 04:09 . 2010-10-21 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-10-19 15:57 . 2010-10-19 15:57 2 --shatr- c:\windows\winstart.bat

2010-10-19 15:57 . 2010-10-20 04:31 -------- d-----w- c:\program files\UnHackMe

2010-10-19 08:40 . 2010-07-09 20:18 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys

2010-10-19 08:40 . 2010-10-19 08:40 -------- d-----w- c:\program files\CPUID

2010-10-19 07:19 . 2010-10-19 07:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-10-19 07:19 . 2010-10-19 07:19 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-10-17 11:42 . 2010-10-17 11:42 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp

2010-10-07 06:42 . 2010-10-07 06:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-10-07 06:37 . 2010-10-07 06:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-10-07 06:37 . 2010-10-19 07:11 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google

2010-10-07 06:34 . 2010-10-19 07:11 -------- d-----w- c:\program files\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-21 03:38 . 2010-10-21 03:38 990208 ----a-w- c:\windows\inf\syssbck.dll

2010-09-19 04:11 . 2010-05-16 05:11 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-09-19 04:11 . 2010-05-16 05:11 215128 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-09-19 04:11 . 2010-05-16 05:11 215128 ----a-w- c:\windows\system32\PnkBstrB.xtr

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\User\Application Data\Giylxe ----

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

------- Sigcheck -------

[-] 2010-10-21 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-26 1682368]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 23552]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-6 813584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gupdate"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"1037:TCP"= 1037:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [10/20/2010 8:38 PM 210304]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [10/19/2010 1:40 AM 20328]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/6/2009 9:20 AM 10384]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/19/2010 1:23 AM 102448]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [10/4/2009 11:54 PM 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]

S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys --> c:\windows\system32\DRIVERS\S3G700m.sys [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/6/2010 11:37 PM 136176]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-22 23:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3920)

c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\AcSignIcon.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\CTXFIHLP.EXE

c:\windows\SYSTEM32\CTXFISPI.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2010-10-22 23:22:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-23 06:22

Pre-Run: 2,795,634,688 bytes free

Post-Run: 2,820,673,536 bytes free

- - End Of File - - 36D3E845915C2683E7BE80738BC88F58

Upload was successful


MSRT Log:

---------------

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.3, January 2010

Started On Thu Oct 21 23:05:21 2010

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Thu Oct 21 23:06:40 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.12, October 2010

Started On Fri Oct 22 23:26:56 2010

Extended Scan Results

----------------

No infection found as part of the extended scan

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Sat Oct 23 08:21:21 2010

Return code: 0 (0x0)


I did a rescan with VirusTotal.

------------------------

File name: mstsc.exe

Submission date: 2010-10-23 15:23:44 (UTC)

Current status: finished

Result: 0/ 38 (0.0%)

------------------------

MD5 : 8dd5cf6d82bd78433e95d86efa117d67

SHA1 : edf2c5f7bd66a73f0b6b45221497fdc082a13921

SHA256: 28ccf8f2d8eb572c4c124f04f0f2e750b9c48291303f87c417c97bbd071e32eb

ssdeep: 12288:gqn6Y77YnP0mxH56v3P/73fN3UQ9QUfIS4:g+6YP4P0mmvr1EQ91o

File size : 677888 bytes

First seen: 2009-02-16 00:42:32

Last seen : 2010-10-23 15:23:44

TrID:

Windows OCX File (53.8%)

Win64 Executable Generic (37.3%)

Win32 Executable Generic (3.7%)

Win32 Dynamic Link Library (generic) (3.3%)

Generic Win/DOS Executable (0.8%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: Remote Desktop Connection

original name: mstsc.exe

internal name: mstsc.exe

file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x35616

timedatestamp....: 0x47919247 (Sat Jan 19 06:01:43 2008)

machinetype......: 0x14c (I386)

[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x513FA, 0x51400, 6.43, 52394349185c0dec2485025759c0a0e1

.data, 0x53000, 0x257C, 0x1400, 3.41, 2459eba22de7852fd396761097a9be21

.rsrc, 0x56000, 0x4CE70, 0x4D000, 6.56, 46041f76e89bc3bf4b03278e11fe6f2d

.reloc, 0xA3000, 0x5816, 0x5A00, 5.85, 3978286ebba99754dafa23eb2e0f6239

[[ 18 import(s) ]]

ADVAPI32.dll: TraceMessage, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegDeleteValueW, RegEnumValueW, RegEnumKeyExW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegSetValueExA, CredWriteW, CredReadW, GetUserNameA, CredDeleteW, CredFree, CredReadDomainCredentialsW, CredWriteDomainCredentialsW, RegQueryValueExA, RegOpenKeyExA, CredUnmarshalCredentialW, RegSetValueExW, RegCreateKeyExW, RegCreateKeyExA

KERNEL32.dll: ReadFile, GetFileSize, FormatMessageW, CreateDirectoryW, FindResourceExW, MapViewOfFile, CreateFileMappingW, InterlockedCompareExchange, GetLocaleInfoW, UnmapViewOfFile, HeapSetInformation, ExpandEnvironmentStringsW, CreateProcessW, GetCommandLineW, WideCharToMultiByte, GetFileAttributesExW, FindFirstFileW, FindNextFileW, FindClose, GetTempPathW, SetFilePointer, GetVersion, GetACP, CreateEventW, CreateThread, SetEvent, InterlockedDecrement, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, TlsFree, TlsAlloc, SearchPathW, InitializeCriticalSection, FindResourceW, LoadResource, LockResource, SystemTimeToFileTime, WriteFile, lstrlenW, GetSystemTime, WaitForSingleObject, LoadLibraryA, ExpandEnvironmentStringsA, HeapAlloc, DeleteCriticalSection, GetProcessHeap, HeapFree, LeaveCriticalSection, EnterCriticalSection, DeviceIoControl, VerifyVersionInfoW, LoadLibraryExW, GetModuleFileNameW, UnhandledExceptionFilter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, OutputDebugStringA, InterlockedExchange, FreeLibrary, LoadLibraryW, InterlockedIncrement, lstrcmpiW, MulDiv, DebugBreak, GetCurrentProcess, TerminateProcess, GetStartupInfoA, MultiByteToWideChar, GetProcAddress, GetVersionExA, SetLastError, Sleep, CreateMutexW, DeleteFileW, GetModuleHandleW, CreateFileW, CloseHandle, GetLastError, GetFullPathNameW, GetFileAttributesW, CompareStringW, LocalAlloc, LocalFree, GetCurrentDirectoryW, GetVersionExW

GDI32.dll: BitBlt, SelectObject, CreateCompatibleDC, CreateFontIndirectW, TranslateCharsetInfo, SetMapMode, SetBkMode, SetTextColor, StretchBlt, CreateCompatibleBitmap, GetObjectW, DeleteDC, UpdateColors, GetDeviceCaps, RealizePalette, EqualRgn, SelectPalette, CreatePalette, GetDIBColorTable, CreateRectRgn, CreateRectRgnIndirect, DeleteObject, SetRectRgn, GetDCOrgEx, GetClipBox, CombineRgn, GetStockObject

USER32.dll: ShowWindow, IsIconic, GetWindowPlacement, FindWindowW, SendMessageTimeoutW, SystemParametersInfoA, IsDialogMessageW, SetForegroundWindow, PostMessageW, IsWindow, SendMessageW, SetWindowTextW, EnableMenuItem, AdjustWindowRect, IntersectRect, EnableWindow, CopyRect, EqualRect, CreateMenu, ModifyMenuW, GetSystemMenu, MoveWindow, GetClientRect, SetWindowPos, IsZoomed, LoadCursorW, SetCursor, AppendMenuW, SetWindowPlacement, UnregisterClassW, GetClassInfoExW, OffsetRect, GetWindowRect, LoadIconW, GetSystemMetrics, TranslateAcceleratorW, IsChild, PostQuitMessage, DestroyWindow, DefWindowProcW, GetWindowLongW, CreateWindowExW, RegisterClassExW, BeginPaint, LoadAcceleratorsW, DialogBoxParamW, CreateDialogParamW, KillTimer, SetTimer, SystemParametersInfoW, GetClassInfoW, DefDlgProcW, RegisterClassW, MonitorFromWindow, GetMonitorInfoW, LoadStringW, SetFocus, UpdateWindow, InvalidateRect, LockWindowUpdate, IsWindowVisible, GetDlgItem, AdjustWindowRectEx, GetDesktopWindow, ShowWindowAsync, GetMenu, RedrawWindow, IsWindowEnabled, SetRect, DestroyIcon, LoadImageW, GetMessageW, TranslateMessage, DispatchMessageW, GetCursorPos, ScreenToClient, GetWindowDC, DrawIconEx, DrawTextW, MapDialogRect, GetWindow, FillRect, CheckDlgButton, IsDlgButtonChecked, SendDlgItemMessageW, CreateDialogIndirectParamW, GetDlgItemTextW, MapWindowPoints, ReleaseDC, DrawIcon, EndPaint, EndDialog, SetDlgItemTextW, GetDC, SetWindowLongW

msvcrt.dll: _errno, _wcslwr, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, wcsrchr, srand, time, wcschr, iswspace, toupper, _wtoi, wcspbrk, towlower, _acmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, iswdigit, _wtol, ___U@YAPAXI@Z, _wcsicmp, wcstok, _wcsnicmp, towupper, _vsnprintf, free, __p__commode, __p__fmode, __set_app_type, _unlock, __dllonexit, _lock, _onexit, _terminate@@YAXXZ, _controlfp, calloc, bsearch, ungetc, _fileno, _read, __pioinfo, __badioinfo, realloc, wcstombs, isdigit, wcsncmp, wcsstr, memmove, _vsnwprintf, memset, memcpy, _purecall, malloc, wctomb, ___V@YAXPAX@Z, localeconv, isxdigit, isleadbyte, __mb_cur_max, mbtowc, iswctype

ole32.dll: CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, CoInitialize

OLEAUT32.dll: -, -, -, -, -, -, -

SHELL32.dll: SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetDesktopFolder, ExtractIconW

COMCTL32.dll: ImageList_ReplaceIcon, ImageList_GetImageCount, InitCommonControlsEx, ImageList_Create, -

COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW, GetFileTitleW

SHLWAPI.dll: PathFindFileNameW, PathRemoveFileSpecW, PathFindExtensionW, PathAppendW, -

CRYPT32.dll: CertFreeCertificateContext, CertFreeCertificateChain, CryptBinaryToStringW, CryptStringToBinaryW, CertDuplicateCertificateContext, CertDuplicateCertificateChain, CertGetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptMsgClose, CertOpenStore, CryptMsgUpdate, CryptMsgOpenToDecode, CryptSignMessage, CertCloseStore, CryptVerifyDetachedMessageSignature, CryptDecodeObject, CertFindExtension, CertGetCertificateChain, CertGetEnhancedKeyUsage

credui.dll: CredUIPromptForCredentialsW, CredUIParseUserNameW

CRYPTUI.dll: CryptUIDlgViewCertificateW

ntdll.dll: RtlInitializeCriticalSection, NtOpenFile, RtlInitUnicodeString, VerSetConditionMask, RtlUnwind

WINHTTP.dll: WinHttpCloseHandle, WinHttpOpen, WinHttpConnect, WinHttpOpenRequest, WinHttpSendRequest, WinHttpQueryOption

Secur32.dll: QuerySecurityPackageInfoW, FreeContextBuffer, GetUserNameExW

NETAPI32.dll: NetGetJoinInformation, NetApiBufferFree

ExifTool:

file metadata

CharacterSet: Unicode

CodeSize: 332800

CompanyName: Microsoft Corporation

EntryPoint: 0x35616

FileDescription: Remote Desktop Connection

FileFlagsMask: 0x003f

FileOS: Windows NT 32-bit

FileSize: 662 kB

FileSubtype: 0

FileType: Win32 EXE

FileVersion: 6.0.6001.18000 (longhorn_rtm.080118-1840)

FileVersionNumber: 6.0.6001.18000

ImageVersion: 6.0

InitializedDataSize: 348160

InternalName: mstsc.exe

LanguageCode: English (U.S.)

LegalCopyright: Microsoft Corporation. All rights reserved.

LinkerVersion: 8.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 6.0

ObjectFileType: Executable application

OriginalFilename: mstsc.exe

PEType: PE32

ProductName: Microsoft Windows Operating System

ProductVersion: 6.0.6001.18000

ProductVersionNumber: 6.0.6001.18000

Subsystem: Windows GUI

SubsystemVersion: 5.1

TimeStamp: 2008:01:19 07:01:43+01:00

UninitializedDataSize: 0


Thanks for the file upload.

Things are looking much better now. Your scans are clean.

Apart from your unknown disk problem, there are a couple of things I am still concerned about.

These system files were created or modified on 10-21 - did you run sfc /scannow, "expand" them from your XP CD, or do a Repair install to repair/replace them? In other words, do you know why these files have been altered? I am wondering if TDSSKiller replaced them, since you ran it on 10-21.

2010-10-21 04:20 . 2008-04-14 07:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys

2010-10-21 03:38 . 2010-10-21 03:38 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2010-10-21 03:38 . 2010-10-21 03:38 210304 ----a-w- c:\windows\system32\drivers\m5288.sys

2010-10-21 03:38 . 2010-10-21 03:38 990208 ----a-w- c:\windows\system32\syssetup.dll

Combofix reports that c:\windows\system32\sfcfiles.dll failed signature checking even though I see it's the correct size and it's been scanned at VT with negative results.

Do you have your XP CD or another computer with same OS installed (XP Pro) to source these files from?

You can remove this folder:

C:\Documents and Settings\User\Application Data\Giylxe

Open a command prompt by clicking start -> run -> type cmd and click OK

When the Command Console Opens type the following and then hit Enter:

cd\

You should now be in the root directory C:\ and see the following:

C:\>

Type the following and then hit Enter:

dir /a sigcheck.exe

If sigcheck.exe is found, please tell me what directory it's located in (i.e. C:\Windows\system32).

-----------

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs.
  • Use Internet Explorer to navigate to the scanner website, because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start".
  • Approve the installation of the ActiveX control that's required to enable scanning.
  • Make sure the "Remove found threats" box is CHECKED!!
  • Click "Start".
  • Allow the definition database to install.
  • Click "Scan".

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

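The reasoning in the reply above (which system files were touched on 10-21, and whether they were rewritten or merely copied in from install media) can be applied mechanically to ComboFix's file list. The following Python script is an added example for this thread, not code from the thread, from ComboFix or from the helper: it parses the "created . last-write size attrs path" lines, keeps entries under c:\windows\system32 touched on the incident day, and separates files whose content was last written that day from files that were created that day but kept an older last-write time (the fingerprint of a repair install or of expanding a file from the XP CD). The four log entries are the ones quoted above; the fifth line is constructed for the example, and reading the first timestamp as creation time and the second as last-write time is an assumption about ComboFix's layout.

```python
import re
from datetime import date, datetime

# Constructed sample: the four "created/modified on 10-21" entries quoted in
# the reply above, plus one benign entry invented for this example so the
# filter has something to leave alone.
SAMPLE_LOG = r"""
2010-10-21 04:20 . 2008-04-14 07:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-10-21 03:38 . 2010-10-21 03:38 1614848 ----a-w- c:\windows\system32\sfcfiles.dll
2010-10-21 03:38 . 2010-10-21 03:38 210304 ----a-w- c:\windows\system32\drivers\m5288.sys
2010-10-21 03:38 . 2010-10-21 03:38 990208 ----a-w- c:\windows\system32\syssetup.dll
2008-04-14 07:10 . 2008-04-14 07:10 69120 ----a-w- c:\windows\system32\example-benign.dll
"""

# Day the user ran TDSSKiller and the repair attempt (taken from the thread).
INCIDENT_DAY = date(2010, 10, 21)

# One ComboFix entry: "<created> . <last-write> <size> <attrs> <path>".
# Assumption: the first timestamp is creation time, the second last-write time.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


def parse_entries(text):
    """Turn ComboFix file-list lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, etc.
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "path": m["path"].lower(),
        })
    return entries


def classify(entry, incident_day):
    """
    'rewritten': content last written on the incident day (new bytes on disk).
    'copied':    created on the incident day but last-write is older, i.e. an
                 existing file was copied in with its original timestamp kept,
                 as a repair install or expanding from the XP CD does.
    'unchanged': nothing happened to the file on the incident day.
    """
    if entry["modified"].date() == incident_day:
        return "rewritten"
    if entry["created"].date() == incident_day:
        return "copied"
    return "unchanged"


def triage(text, incident_day, prefixes=(r"c:\windows\system32",)):
    """Return {path: classification} for system files touched on incident_day."""
    findings = {}
    for e in parse_entries(text):
        if not e["path"].startswith(prefixes):
            continue
        verdict = classify(e, incident_day)
        if verdict != "unchanged":
            findings[e["path"]] = verdict
    return findings


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG, INCIDENT_DAY)


if __name__ == "__main__":
    for path, verdict in sorted(triage_sample().items()):
        print(f"{verdict:9s} {path}")
```

On the sample, atapi.sys in dllcache comes out as "copied" (created 10-21, last-write April 2008) while sfcfiles.dll, m5288.sys and syssetup.dll come out as "rewritten"; the first pattern is consistent with a repair install, the second is the one worth hash-checking against a known-good copy of the same file version.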

These system files were created or modified on 10-21 - did you run sfc /scannow, "expand" them from your XP CD, or do a Repair install to repair/replace them? In other words, do you know why these files have been altered? I am wondering if TDSSKiller replaced them, since you ran it on 10-21.

Yes I attempted a repair when I was still getting the BSOD.

You can remove this folder:

C:\Documents and Settings\User\Application Data\Giylxe

This folder does not exist.

If sigcheck.exe is found, please tell me what directory it's located in (i.e. C:\Windows\system32).

It was not found.

ESET Online Scanner found nothing; I accidentally deleted its files upon completing the scan.


That explains the mystery with those system files and why sfcfiles.dll is failing sigcheck. Now, we won't need to run sigcheck on them which is why I originally asked you to locate it on your system.

The good news is all your scans are coming up clean and your bootkit infection is cleared.

However, the residual effect on your external HD is something I've never encountered before:

I also see now that Disk 2 which wants to be initialized in Disk Management Console is listed as Unknown, and is not my OS or Data drive.

If I right click on properties it says Config Disk SCSI Disk Device.

There is very little "out there" to troubleshoot that message. I did find this:

http://www.datasheets.org.uk/datasheet-pdf...SA00179923.html

Note: If an external storage enclosure (such as the SV2000) is connected to the external SATA ports of the RAID controller, one or more additional disk devices may appear with a name of "Config Disk SCSI Disk Device" and a red indicator to show that it is not available. This is normal behavior for Windows, and those disk items should be ignored.

Examining the TDSSKiller log indicates that HardDisk2 (your external drive) was the one on which the MBR was infected and "cured":

2010/10/21 23:29:41.0718 Detected object count: 1

2010/10/21 23:37:56.0343 \HardDisk2\MBR - will be cured after reboot <===

2010/10/21 23:37:56.0343 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure

2010/10/21 23:38:04.0359 Deinitialize success

The only thing I can think of doing to try to eliminate that message is booting to the XP CD or Recovery Console, and running fixmbr on that device:

fixmbr \Device\HardDisk1

Reference:

http://www.microsoft.com/resources/documen...r.mspx?mfr=true

But, if the file system on that drive is fully accessible I hesitate to have You do that, since it probably wouldn't solve the problem.

You could create a topic on this forum that deals with Hardware - Hard drive Problems:

http://spywarehammer.com/simplemachinesfor....php?board=47.0

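The TDSSKiller entry above is an MBR infection: the loader code in the disk's first sector was replaced while the partition table stayed usable, which is why the file system on that drive remained accessible even though the sector was "cured". The Python below is an added example for this thread, not code from TDSSKiller, Microsoft or the helper: it parses a 512-byte boot sector, separates the boot-code region (bytes 0 to 439) from the disk signature and the four partition entries, and compares the boot code's SHA-256 against a known-good baseline, so that a changed loader is caught even when the partition table looks normal. The sample sector and the altered copy are constructed inside the code and are not real boot code; the read_first_sector helper and the \\.\PhysicalDrive2 path in its comment are assumptions about how the real sector would be read (raw device access needs administrator rights).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: loader code
DISK_SIG_OFF = 440       # 4-byte NT disk signature
TABLE_OFF = 446          # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_sample_mbr():
    """Constructed, benign 512-byte sector (not real boot code) for the demo."""
    code = (b"\xEB\x3C\x90" + b"EXAMPLE-BOOT-CODE").ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1A2B3C4D)
    # One active NTFS (type 0x07) partition starting at LBA 63, 204800 sectors.
    # CHS fields are placeholders; loaders rely on the LBA values.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 204800)
    table = entry + b"\x00" * 48          # three empty slots
    return code + disk_sig + b"\x00\x00" + table + SIGNATURE


def parse_mbr(sector):
    """Split a sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs1, ptype, _chs2, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_against_baseline(sector, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def altered_boot_code_copy(sector):
    """Constructed test input: same partition table, different loader bytes."""
    patched = bytearray(sector)
    patched[0x40:0x60] = b"\xAA" * 0x20   # only the code region changes
    return bytes(patched)


def read_first_sector(device_path):
    # Assumption: raw device read, e.g. r"\\.\PhysicalDrive2" on Windows
    # (administrator rights required); /dev/sdX on Linux.
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    print("clean sector :", check_against_baseline(good, baseline) or "matches baseline")
    print("altered copy :", check_against_baseline(altered_boot_code_copy(good), baseline))
```

The point of hashing the code region separately is that the altered copy parses to exactly the same partition list as the clean one; a check that only validates the 0x55AA signature and the partition table would pass it. Capture the baseline hash from a disk you trust (or right after a fixmbr) and re-check it after any suspicious reboot.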

Since I had run a repair when attempting to fix the BSOD, it appeared that Internet Explorer couldn't start, and neither could Windows Media Player.

I reinstalled IE8 & WMP11, things seemed to work fine.

I ran Microsoft Update just now, and it had a very long list of important Updates, and some Optional.

I chose to download and install them all.

After rebooting, I cannot communicate with the Internet. I can't ping google.com or access any website in IE8.

I can however communicate with all computers on my local network.

I am currently using the problem computer to Remote Desktop another computer and post this message.

:/

I tried winsockfixxp and no bueno.


So I tried everything I could think of with no results.

I decided to do another Repair install...and voila!

Then I did all the Microsoft Updates again, and everything installed 100%.

I have internet again! :)

Only pesky thing left is that extra scsi device in disk management console...I could care less.

Thanks for all your help Negster22!

Also, any recommendations on AV?

I'm running symantec antivirus 10.0 at the moment...


I figured that You would work out your network connectivity problem while I was away for the weekend! :) Great Job, and You're Welcome!!!

Here are two free AV's that I highly recommend! Please understand that it's very important to have only one Antivirus active on your system at a time or severe system instability issues can result.

Microsoft Security Essentials

http://www.microsoft.com/security_essentials/

Avira Antivir

http://www.avira.com/en/avira-free-antivirus

I use ESET Smart Security (registered version), and it's very effective.

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 22, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 22, then follow these steps:

1. Download the latest JRE version by clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it if you do not care to have it, or You already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly here: http://java.com/en/download/installed.jsp

If I asked you to download and run an ARK (antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  • Delete the C:\ARK folder (or whatever folder you chose to install the antirootkit in)

If I asked You to download TDSSKiller or MBRCheck, please remove those programs from your desktop.

To uninstall Combofix:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\ComboFix.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place", so you can maintain a safe and secure computing environment.

Happy Surfing!


Thanks Negster22,

I'll finish up with your suggestions when I return home.

Between:

Microsoft Security Essentials, Avira Antivir, and ESET Smart Security, which has the best balance between affecting system performance and providing protection? i.e. Good protection, but not a resource hog. That is why I've been using Symantec Antivirus for so long, compared to retail products and security suites that use a lot of CPU & Ram. :/ I'm no longer happy with Symantec, so I would like to try one of your suggestions...I just don't want my system taken over by "protection" software like Norton or Mcafee tend to do.


I can appreciate what You say about bloatware because I feel exactly the same way. All three of the products I mentioned are light on resource usage which is a primary reason I recommend them.

Microsoft Security Essentials (MSE) is very light on resources, because one of its development criteria was that it had to be able to run well on Windows 7 Netbooks, which have limited hardware resources. Of course, it integrates with Windows super well because it is a Microsoft Product. MSE shares the identical database and scanning engine as Forefront Security, Microsoft's paid Business and Corporate security solution. An important consideration: MSE boasts a very low rate of false positive detections. Microsoft is a stickler about this!!

I can tell You that when I submit suspicious samples to VirusTotal, MSE, Antivir and ESET ALL come out on top when it comes to threat detection.

Here is some more info:

MSE

http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

Here are some independent testing comparisons:

Top 10:

http://www.maximumpc.com/article/features/kill?page=0,1

AV-Test.org

http://www.av-test.org/certifications

AV-Comparatives.org:

http://www.av-comparatives.org/images/stor...vc_report26.pdf

I have been using ESET for years (first Nod32 Antivirus and then ESET System Security) and I am extremely satisfied with it. It saved me a number of times when it quickly clobbered samples that I mistakenly allowed to cross my test machine's Virtual machine barrier. I have nothing bad to say about it at all.

Until MSE came along, I regularly installed Antivir Home Free on my clients' computers because it is a low-resource and highly effective antivirus solution that is known to seamlessly work side by side with MBAM without any interference.

I realize I haven't given you a conclusive answer but if I was in your position, I'd install MSE and if after using it I found something that I didn't like about it, I'd give Avira or ESET a try. If cost isn't a consideration, I'd go with ESET over Avira (which has a "nag" screen (window) that tries to persuade you to upgrade to its paid version).


I guess I'm still infected somehow...

Every time I boot up, immediately after login, Symantec Antivirus reports that it has quarantined the following:

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

It classifies the risk as "Downloader"

Weird thing is that I've never had Firefox on this computer, or any other Mozilla products for that matter.

I've even deleted the Mozilla Firefox folder from Program Files, but it gets created again each time.

Please advise.
