
Infected PC won't run any antivirus or scan


bunruh


Hello, thanks in advance for the help you provide!

I started down the path from "I'm infected - What do I do now?" but I can't get any antivirus programs to run correctly (Panda Cloud, or Avira) and I can't get Malwarebytes to run either. So I skipped to the DeFogger, DDS, GMER steps. I ran DeFogger and DDS, but GMER won't run: when I click the Scan button it just disappears and no scan is done. Below are the DDS.txt and Attach.txt contents.

Thanks,

Bryan U.

DDS.txt

DDS (Ver_10-11-03.01) - NTFSx86

Run by Compaq_Owner at 10:31:02.34 on Thu 11/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.379 [GMT -5:00]

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe

C:\Documents and Settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Compaq_Owner.COMPAQ\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.facemoods.com/?a=antn

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://start.facemoods.com/?a=antn&s={searchTerms}&f=4

mURLSearchHooks: H - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Internet Explorer Plugin: {3f7df0a5-ee85-4f8d-bf0d-9a6579e54f66} - oxia7.dll

BHO: {51771a02-f117-4917-a014-02db9095f856} - Internet Explorer Plugin

BHO: Internet Explorer Plugin: {695660b2-a29a-4ba2-b6ba-9467371a2af6} - usmkppl.dll

BHO: {77dc0baa-3235-4ba9-8be8-aa9eb678fa02} - ADC PlugIn

BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Internet Explorer Plugin: {dfc1a8d5-f5a4-453d-bb54-0a886678b9b0} - jnjvcpxk1.dll

BHO: Internet Explorer Plugin: {f504486f-d95f-4098-a5fe-a510bbeee556} - pbutk.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [TkBellExe] //~c:\program files\common files\real\update_ob\realsched.exe -osboot

mRun: [iTunesHelper] //~c:\program files\itunes\ituneshelper.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [sMSERIAL] //~sm56hlpr.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar

mRun: [Panda Security Toolbar Antiphishing] "c:\documents and settings\all users\application data\panda security toolbar antiphishing\panda2_0dn.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Notify: setcell - setcell.dll

SSODL: bibiwaluk - {23890fbe-a206-400f-8a89-f094b6efd9d9} - No File

SSODL: vimazodag - {b43f8a73-c416-4add-91f9-33f0e5a270ca} - No File

SSODL: yeruzijep - {8b87616f-ccd9-4076-9873-1b724da2f16e} - No File

SSODL: fagoziruy - {c4172249-1f32-4832-8982-80b4f33ff7f0} - No File

SSODL: layezewan - {f1f47ee6-2383-4e1a-84b3-d4455fd87bdd} - No File

SSODL: wuyagihes - {f012e104-dfa5-4939-8c39-b827ce01ae78} - No File

STS: {23890fbe-a206-400f-8a89-f094b6efd9d9}: gahurihor

STS: {b43f8a73-c416-4add-91f9-33f0e5a270ca}: gahurihor

STS: {8b87616f-ccd9-4076-9873-1b724da2f16e}: mujuzedij

STS: {c4172249-1f32-4832-8982-80b4f33ff7f0}: tokatiluy

STS: {f1f47ee6-2383-4e1a-84b3-d4455fd87bdd}: tokatiluy

STS: {f012e104-dfa5-4939-8c39-b827ce01ae78}: kupuhivus

LSA: Notification Packages = scecli fopinope.dll

mASetup: {11522865-037B-4E24-99D6-B43A3782302F} - rundll32 uaihv27.dll,laspi

mASetup: {1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA} - rundll32 oxia7.dll,laspi

mASetup: {3513A6A1-9E64-411E-A763-BE8CF8F8F1BC} - rundll32 iwauqng5.dll,laspi

mASetup: {7D94FE9D-0031-4911-9D51-2A24CB88120C} - rundll32 pbutk.dll,laspi

mASetup: {C1DDC416-23B2-4876-A75C-2D1902CCD0C3} - rundll32 usmkppl.dll,laspi

mASetup: {D44AAFDA-1AF4-45AA-9813-6337EDFA496C} - rundll32 jnjvcpxk1.dll,laspi

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-1 28552]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-2 11608]

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 129992]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-2 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-2 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-2 60936]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112456]

S2 AdbUpd;Adobe Update Service; [x]

S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-11-02 20:59:40 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Avira

2010-11-02 20:55:03 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-02 20:55:02 -------- d-----w- c:\program files\Avira

2010-11-02 20:55:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-11-02 17:50:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 17:50:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 02:41:35 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-01 23:41:17 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Malwarebytes

2010-11-01 23:41:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 23:41:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-01 23:26:40 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\SurfSecret Privacy Suite

2010-11-01 23:21:57 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Panda Security

2010-11-01 23:21:12 -------- d-----w- c:\docume~1\compaq~1.com\locals~1\applic~1\panda2_0dn

2010-11-01 23:21:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security Toolbar Antiphishing

2010-11-01 23:21:09 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\pandasecuritytb

2010-11-01 23:20:17 -------- d-----w- c:\program files\Panda Security

2010-11-01 23:20:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security

2010-10-31 04:28:25 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\facemoods.com

2010-10-25 16:58:36 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\AskToolbar

2010-10-25 04:52:43 -------- d-----w- c:\docume~1\compaq~1.com\locals~1\applic~1\AskToolbar

2010-10-25 04:21:15 -------- d-----w- c:\program files\Ask.com

2010-10-13 01:26:57 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 01:26:56 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 01:26:44 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2005-06-22 00:40:56 774144 ----a-w- c:\program files\RngInterstitial.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> \Device\Ide\PciIde1Channel0-2

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF7E9411B]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf7e97888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x833773F8]

3 CLASSPNP[0xF7CEFFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x83219878]

\Driver\Disk[0x82D25338] -> IRP_MJ_CREATE -> 0xF7E9411B

error: Read The system cannot find the file specified.

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }

detected hooks:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_SP0802N_________________________TK200-04#30534a30324a5830374334353538202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

\Driver\atapi DriverStartIo -> 0x8337D292

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

Filesystem trace:

called modules: ntkrnlpa.exe hal.dll fltmgr.sys PSINFile.sys avgntflt.sys sr.sys Ntfs.sys

c:\windows\system32\drivers\PSINFile.sys Panda Security, S.L. Panda Cloud Antivirus

c:\windows\system32\drivers\avgntflt.sys Avira GmbH AntiVir Workstation

1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82CFD020]

3 fltmgr[0xF7B1BE95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x832E7DD0]

5 sr[0xF7B0B870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x832E7520]

7 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82CFD020]

9 fltmgr[0xF7B1C098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x832E7DD0]

11 sr[0xF7B06453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x832E7520]

Registry trace:

called modules: ntkrnlpa.exe hal.dll >>UNKNOWN [0x82EBF3F0]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; PUSH ESI; XOR ESI, ESI; CMP [0x82ec5030], ESI; JZ 0x14b; CALL [0x82ec401c]; }

============= FINISH: 10:33:16.65 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-03.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 12/11/2009 11:48:03 PM

System Uptime: 11/4/2010 10:28:14 AM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Salmon

Processor: AMD Sempron Processor 3000+ | Socket 754 | 1808/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 69 GiB total, 30.058 GiB free.

D: is Removable

E: is Removable

F: is Removable

G: is Removable

H: is FIXED (FAT32) - 5 GiB total, 0.757 GiB free.

I: is CDROM ()

J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/18/2010 9:15:45 PM - System Checkpoint

RP2: 5/19/2010 3:00:21 AM - Software Distribution Service 3.0

RP3: 5/20/2010 3:00:15 AM - Software Distribution Service 3.0

RP4: 5/21/2010 3:00:18 AM - Software Distribution Service 3.0

RP5: 5/22/2010 12:01:47 AM - Software Distribution Service 3.0

RP6: 5/22/2010 3:00:14 AM - Software Distribution Service 3.0

RP7: 5/22/2010 12:06:55 PM - Software Distribution Service 3.0

RP8: 5/23/2010 3:00:15 AM - Software Distribution Service 3.0

RP9: 5/24/2010 3:00:20 AM - Software Distribution Service 3.0

RP10: 5/25/2010 9:20:54 AM - Software Distribution Service 3.0

RP11: 5/26/2010 3:00:20 AM - Software Distribution Service 3.0

RP12: 5/27/2010 3:00:18 AM - Software Distribution Service 3.0

RP13: 5/28/2010 10:12:09 AM - Software Distribution Service 3.0

RP14: 5/29/2010 3:00:18 AM - Software Distribution Service 3.0

RP15: 5/29/2010 4:26:09 PM - Software Distribution Service 3.0

RP16: 5/29/2010 7:09:24 PM - Software Distribution Service 3.0

RP17: 5/30/2010 3:00:17 AM - Software Distribution Service 3.0

RP18: 5/30/2010 3:19:35 PM - Software Distribution Service 3.0

RP19: 6/7/2010 11:05:09 AM - Software Distribution Service 3.0

RP20: 6/7/2010 1:30:16 PM - Software Distribution Service 3.0

RP21: 6/7/2010 8:47:07 PM - Software Distribution Service 3.0

RP22: 6/8/2010 9:05:40 PM - Software Distribution Service 3.0

RP23: 6/9/2010 12:59:06 PM - Software Distribution Service 3.0

RP24: 6/18/2010 4:34:51 PM - Software Distribution Service 3.0

RP25: 6/19/2010 1:38:59 PM - Software Distribution Service 3.0

RP26: 7/6/2010 11:37:38 PM - Software Distribution Service 3.0

RP27: 7/11/2010 11:38:43 PM - Software Distribution Service 3.0

RP28: 7/16/2010 10:35:18 PM - Software Distribution Service 3.0

RP29: 7/16/2010 10:44:49 PM - Avg Update

RP30: 7/16/2010 11:14:20 PM - Software Distribution Service 3.0

RP31: 7/17/2010 10:25:40 PM - Software Distribution Service 3.0

RP32: 7/23/2010 11:53:36 PM - Software Distribution Service 3.0

RP33: 7/24/2010 12:23:16 AM - Software Distribution Service 3.0

RP34: 7/24/2010 6:53:47 PM - Software Distribution Service 3.0

RP35: 7/25/2010 1:06:51 AM - Software Distribution Service 3.0

RP36: 7/26/2010 1:22:36 AM - Software Distribution Service 3.0

RP37: 7/28/2010 6:03:21 PM - Software Distribution Service 3.0

RP38: 7/29/2010 12:09:15 PM - Software Distribution Service 3.0

RP39: 8/8/2010 5:29:30 PM - Software Distribution Service 3.0

RP40: 8/9/2010 3:25:09 PM - Software Distribution Service 3.0

RP41: 8/10/2010 1:46:39 PM - Software Distribution Service 3.0

RP42: 8/12/2010 12:27:28 PM - Software Distribution Service 3.0

RP43: 8/15/2010 3:00:21 AM - Software Distribution Service 3.0

RP44: 8/16/2010 3:00:16 AM - Software Distribution Service 3.0

RP45: 8/16/2010 3:04:50 AM - Software Distribution Service 3.0

RP46: 8/16/2010 10:37:31 PM - Software Distribution Service 3.0

RP47: 8/16/2010 10:42:51 PM - Installed Java 6 Update 21

RP48: 8/16/2010 10:48:57 PM - Avg Update

RP49: 8/17/2010 3:00:16 AM - Software Distribution Service 3.0

RP50: 8/17/2010 6:04:37 PM - Software Distribution Service 3.0

RP51: 8/18/2010 3:00:19 AM - Software Distribution Service 3.0

RP52: 8/19/2010 3:03:24 AM - Software Distribution Service 3.0

RP53: 8/20/2010 3:00:15 AM - Software Distribution Service 3.0

RP54: 8/21/2010 3:30:04 AM - Software Distribution Service 3.0

RP55: 8/22/2010 3:00:18 AM - Software Distribution Service 3.0

RP56: 8/23/2010 10:36:07 PM - Software Distribution Service 3.0

RP57: 8/24/2010 3:00:24 AM - Software Distribution Service 3.0

RP58: 8/24/2010 10:48:57 PM - Software Distribution Service 3.0

RP59: 8/26/2010 3:18:24 PM - Software Distribution Service 3.0

RP60: 8/28/2010 6:51:27 PM - Software Distribution Service 3.0

RP61: 8/29/2010 3:00:25 AM - Software Distribution Service 3.0

RP62: 8/30/2010 3:00:21 AM - Software Distribution Service 3.0

RP63: 8/31/2010 3:51:42 PM - Software Distribution Service 3.0

RP64: 9/1/2010 3:00:16 AM - Software Distribution Service 3.0

RP65: 9/2/2010 3:00:16 AM - Software Distribution Service 3.0

RP66: 9/3/2010 3:00:16 AM - Software Distribution Service 3.0

RP67: 9/4/2010 10:15:50 PM - Software Distribution Service 3.0

RP68: 9/5/2010 3:00:22 AM - Software Distribution Service 3.0

RP69: 9/6/2010 1:16:05 AM - Software Distribution Service 3.0

RP70: 9/6/2010 1:03:39 PM - Software Distribution Service 3.0

RP71: 9/7/2010 3:00:21 AM - Software Distribution Service 3.0

RP72: 9/8/2010 3:00:26 AM - Software Distribution Service 3.0

RP73: 9/9/2010 3:00:19 AM - Software Distribution Service 3.0

RP74: 9/10/2010 3:00:20 AM - Software Distribution Service 3.0

RP75: 9/11/2010 9:24:05 AM - Software Distribution Service 3.0

RP76: 9/12/2010 3:00:22 AM - Software Distribution Service 3.0

RP77: 9/13/2010 3:00:18 AM - Software Distribution Service 3.0

RP78: 9/14/2010 3:00:18 AM - Software Distribution Service 3.0

RP79: 9/15/2010 3:34:16 AM - Software Distribution Service 3.0

RP80: 9/16/2010 3:00:22 AM - Software Distribution Service 3.0

RP81: 9/18/2010 5:40:49 PM - Software Distribution Service 3.0

RP82: 9/18/2010 8:29:29 PM - Software Distribution Service 3.0

RP83: 9/19/2010 9:38:17 AM - Software Distribution Service 3.0

RP84: 9/20/2010 3:00:21 AM - Software Distribution Service 3.0

RP85: 9/21/2010 3:00:22 AM - Software Distribution Service 3.0

RP86: 9/22/2010 3:00:21 AM - Software Distribution Service 3.0

RP87: 9/23/2010 6:39:45 AM - Software Distribution Service 3.0

RP88: 9/23/2010 9:40:25 PM - Avg Update

RP89: 9/23/2010 9:41:01 PM - Avg Update

RP90: 9/24/2010 3:00:20 AM - Software Distribution Service 3.0

RP91: 9/25/2010 3:00:14 AM - Software Distribution Service 3.0

RP92: 9/26/2010 3:00:18 AM - Software Distribution Service 3.0

RP93: 9/27/2010 3:00:22 AM - Software Distribution Service 3.0

RP94: 9/28/2010 3:00:16 AM - Software Distribution Service 3.0

RP95: 9/29/2010 11:19:47 PM - Software Distribution Service 3.0

RP96: 10/3/2010 1:09:16 PM - Software Distribution Service 3.0

RP97: 10/4/2010 3:00:18 AM - Software Distribution Service 3.0

RP98: 10/4/2010 6:34:50 PM - Avg Update

RP99: 10/4/2010 9:32:00 PM - Software Distribution Service 3.0

RP100: 10/5/2010 8:26:22 PM - Software Distribution Service 3.0

RP101: 10/6/2010 8:24:20 AM - Software Distribution Service 3.0

RP102: 10/7/2010 3:00:20 AM - Software Distribution Service 3.0

RP103: 10/8/2010 7:50:05 AM - Software Distribution Service 3.0

RP104: 10/8/2010 10:31:34 PM - Software Distribution Service 3.0

RP105: 10/9/2010 8:59:14 AM - Software Distribution Service 3.0

RP106: 10/10/2010 5:55:13 AM - Software Distribution Service 3.0

RP107: 10/11/2010 3:00:21 AM - Software Distribution Service 3.0

RP108: 10/12/2010 7:31:55 AM - Software Distribution Service 3.0

RP109: 10/13/2010 3:00:30 AM - Software Distribution Service 3.0

RP110: 10/14/2010 7:42:22 PM - Software Distribution Service 3.0

RP111: 10/15/2010 1:03:05 AM - Software Distribution Service 3.0

RP112: 10/15/2010 11:44:24 AM - Software Distribution Service 3.0

RP113: 10/16/2010 9:19:44 AM - Software Distribution Service 3.0

RP114: 10/17/2010 10:19:54 PM - Software Distribution Service 3.0

RP115: 10/18/2010 6:55:34 AM - Software Distribution Service 3.0

RP116: 10/19/2010 3:00:14 AM - Software Distribution Service 3.0

RP117: 10/21/2010 12:04:40 AM - Software Distribution Service 3.0

RP118: 10/21/2010 10:21:20 AM - Software Distribution Service 3.0

RP119: 10/22/2010 1:35:32 PM - Software Distribution Service 3.0

RP120: 10/23/2010 3:00:22 AM - Software Distribution Service 3.0

RP121: 10/24/2010 1:11:51 PM - Software Distribution Service 3.0

RP122: 10/25/2010 3:00:22 AM - Software Distribution Service 3.0

RP123: 10/27/2010 12:24:28 AM - Software Distribution Service 3.0

RP124: 10/30/2010 9:22:17 PM - Software Distribution Service 3.0

RP125: 10/31/2010 3:00:23 AM - Software Distribution Service 3.0

RP126: 11/1/2010 3:00:23 AM - Software Distribution Service 3.0

RP127: 11/1/2010 6:27:22 PM - Removed AVG Free 9.0

RP128: 11/1/2010 6:29:24 PM - Installed AVG Free 9.0

RP129: 11/1/2010 9:17:04 PM - Software Distribution Service 3.0

RP130: 11/1/2010 9:38:33 PM - Software Distribution Service 3.0

RP131: 11/2/2010 11:12:06 AM - Software Distribution Service 3.0

RP132: 11/2/2010 2:59:24 PM - Software Distribution Service 3.0

RP133: 11/2/2010 3:55:02 PM - Avira AntiVir Personal - 11/2/2010 15:54

RP134: 11/4/2010 9:32:18 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 6.0.1

Agere Systems PCI Soft Modem

Antivirus 2010

Ask Toolbar

Avira AntiVir Personal - Free Antivirus

Blackhawk Striker 2 from Compaq (remove only)

Blasterball 2 from Compaq (remove only)

Blasterball 2 Remix from Compaq (remove only)

Bounce Symphony from Compaq (remove only)

Crystal Maze from Compaq (remove only)

Easy Internet Sign-up

Help and Support Additions

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Product Detection

HpSdpAppCoreApp

InterVideo WinDVD Player

iTunes

Java 2 Runtime Environment, SE v1.4.2_03

Java Auto Updater

Java 6 Update 21

KBD

LimeWire 5.5.16

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0

Microsoft Office Standard Edition 2003

Microsoft Plus! Dancer LE

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

Motorola SM56 Speakerphone Modem

MSN

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Orbital from Compaq (remove only)

Overball from Compaq (remove only)

Panda ActiveScan 2.0

Panda Cloud Antivirus

Panda Identity Protect 3.0.45

Panda Security Toolbar

Panda Security Toolbar URL Filtering

PC-Doctor for Windows

Polar Bowler from Compaq (remove only)

Polar Golfer from Compaq (remove only)

PS2

QuickTime

RealPlayer

Registry Life version 1.24

Road Ready Streetwise from Compaq (remove only)

Roblox for Compaq_Owner

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shrek 2 Ogre Bowler from Compaq (remove only)

SiS VGA Utilities

Sonic Express Labeler

Sonic RecordNow!

Super Granny from Compaq (remove only)

Tradewinds from Compaq (remove only)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Backup Utility

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/2/2010 3:53:59 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .

11/2/2010 3:53:59 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\COMPAQ~1.COM\LOCALS~1\Temp\RarSFX1\redist.dll. Reference error message: The operation completed successfully. .

11/2/2010 3:53:59 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

11/1/2010 9:46:34 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

11/1/2010 8:52:46 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.

11/1/2010 8:52:46 PM, error: Service Control Manager [7000] - The Panda Cloud Antivirus Service service failed to start due to the following error: Access is denied.

11/1/2010 8:52:46 PM, error: Service Control Manager [7000] - The Adobe Update Service service failed to start due to the following error: The system cannot find the path specified.

11/1/2010 6:25:02 PM, error: Service Control Manager [7031] - The Panda Cloud Antivirus Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

11/1/2010 3:03:27 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

10/31/2010 5:19:28 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86.

10/30/2010 11:19:45 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.

==== End Of File ===========================


:D

Please don't attach the scan results; use Copy/Paste.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

If the tool won't run from the desktop, try running it from the USB device.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Next:

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

  • Copy and paste the log in your next reply

  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.


LDTate, below is the text from the TDSSKiller log file:

2010/11/05 22:07:40.0937 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/05 22:07:40.0937 ================================================================================

2010/11/05 22:07:40.0937 SystemInfo:

2010/11/05 22:07:40.0937

2010/11/05 22:07:40.0937 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/05 22:07:40.0937 Product type: Workstation

2010/11/05 22:07:40.0937 ComputerName: COMPAQ

2010/11/05 22:07:40.0937 UserName: Compaq_Owner

2010/11/05 22:07:40.0937 Windows directory: C:\WINDOWS

2010/11/05 22:07:40.0937 System windows directory: C:\WINDOWS

2010/11/05 22:07:40.0937 Processor architecture: Intel x86

2010/11/05 22:07:40.0937 Number of processors: 1

2010/11/05 22:07:40.0937 Page size: 0x1000

2010/11/05 22:07:40.0937 Boot type: Normal boot

2010/11/05 22:07:40.0937 ================================================================================

2010/11/05 22:07:41.0218 Initialize success

2010/11/05 22:07:48.0687 ================================================================================

2010/11/05 22:07:48.0687 Scan started

2010/11/05 22:07:48.0687 Mode: Manual;

2010/11/05 22:07:48.0687 ================================================================================

2010/11/05 22:07:50.0031 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/05 22:07:50.0234 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/05 22:07:50.0531 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/05 22:07:50.0718 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys

2010/11/05 22:07:50.0718 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7

2010/11/05 22:07:50.0734 AFD - detected Forged file (1)

2010/11/05 22:08:17.0406 Suspicious service (NoAccess): vbma297a

2010/11/05 22:08:17.0546 vbma297a (a2e13ce027a5bd8c798039ae4559eec1) C:\WINDOWS\system32\drivers\vbma297a.sys

2010/11/05 22:08:17.0546 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma297a.sys. md5: a2e13ce027a5bd8c798039ae4559eec1

2010/11/05 22:08:17.0562 vbma297a - detected Locked service (1)


2010/11/05 22:08:18.0781 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/05 22:08:18.0781 ================================================================================

2010/11/05 22:08:18.0781 Scan finished

2010/11/05 22:08:18.0781 ================================================================================

2010/11/05 22:08:18.0796 Detected object count: 3

2010/11/05 22:08:39.0515 Forged file(AFD) - User select action: Skip

2010/11/05 22:08:39.0515 Locked service(vbma297a) - User select action: Skip

2010/11/05 22:08:39.0531 \HardDisk0 - will be cured after reboot

2010/11/05 22:08:39.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/05 22:08:45.0593 Deinitialize success
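As an added triage example, not code from this thread, from TDSSKiller or from its authors: a small Python parser for the log format posted above. It pulls out the detection, forged-md5, reboot and user-action lines and lists what was detected but not cured (in the run above, the forged AFD and the locked vbma297a service were skipped while the \HardDisk0 rootkit was set to cure). The embedded sample is constructed from the detection lines of that run; the class and function names are hypothetical.

```python
"""Hypothetical triage helper for TDSSKiller 2.4.x text logs (not a TDSSKiller tool):
extracts detection, forged-md5, reboot and user-action lines and reports anything
that was detected but not cured, without wading through the driver enumeration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the log's own format: the detection-relevant lines of the
# first run in this thread, with the driver enumeration between them left out.
SAMPLE_LOG = r"""
2010/11/05 22:07:48.0687 Scan started
2010/11/05 22:07:50.0718 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys
2010/11/05 22:07:50.0718 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2010/11/05 22:07:50.0734 AFD - detected Forged file (1)
2010/11/05 22:08:17.0406 Suspicious service (NoAccess): vbma297a
2010/11/05 22:08:17.0562 vbma297a - detected Locked service (1)
2010/11/05 22:08:18.0781 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/05 22:08:18.0781 Scan finished
2010/11/05 22:08:18.0796 Detected object count: 3
2010/11/05 22:08:39.0515 Forged file(AFD) - User select action: Skip
2010/11/05 22:08:39.0515 Locked service(vbma297a) - User select action: Skip
2010/11/05 22:08:39.0531 \HardDisk0 - will be cured after reboot
2010/11/05 22:08:39.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

# Every log line is "<timestamp> <message>"; the message shapes below are the ones
# TDSSKiller printed in the logs pasted in this thread.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<kind>.+?) \(\d+\)$")
REBOOT_RE = re.compile(r"^(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<kind>.+?)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    obj: str                       # service name, driver name or \HardDisk0
    kind: str                      # "Forged file", "Locked service", or the malware name
    first_seen: str                # timestamp of the "detected" line
    action: Optional[str] = None   # "Cure", "Skip", or None if no choice was logged
    cure_pending_reboot: bool = False


@dataclass
class ScanReport:
    detections: Dict[str, Detection] = field(default_factory=dict)
    forged: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # path -> (real, fake)
    declared_count: Optional[int] = None

    def count_matches(self) -> bool:
        """True when the tool's own 'Detected object count' equals what we parsed."""
        return self.declared_count == len(self.detections)


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # blank line, or something that is not a timestamped log line
        ts, msg = m.groups()
        if (f := FORGED_RE.match(msg)):
            # "Real" is the md5 of the bytes on disk; "Fake" is what the hooked read returned
            report.forged[f["path"]] = (f["real"], f["fake"])
        elif (d := DETECT_RE.match(msg)):
            report.detections.setdefault(d["obj"], Detection(d["obj"], d["kind"], ts))
        elif (r := REBOOT_RE.match(msg)) and r["obj"] in report.detections:
            report.detections[r["obj"]].cure_pending_reboot = True
        elif (a := ACTION_RE.match(msg)) and a["obj"] in report.detections:
            report.detections[a["obj"]].action = a["action"]
        elif (c := COUNT_RE.match(msg)):
            report.declared_count = int(c["n"])
    return report


def unresolved_detections(report: ScanReport) -> List[str]:
    """Objects that were detected but not cured: skipped, or no action logged at all."""
    return [obj for obj, d in report.detections.items() if d.action != "Cure"]


def summarize(report: ScanReport) -> str:
    mismatch = "" if report.count_matches() else "  (MISMATCH: re-check the log)"
    lines = [f"declared {report.declared_count}, parsed {len(report.detections)}{mismatch}"]
    for d in report.detections.values():
        status = d.action or "no action logged"
        if d.cure_pending_reboot:
            status += ", cure applied at next reboot"
        lines.append(f"  {d.kind:<24} {d.obj:<12} {status}")
    for path, (real, fake) in report.forged.items():
        lines.append(f"  forged view of {path}: on disk {real}, presented {fake}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(summarize(rep))
    print("still unresolved:", unresolved_detections(rep))
```

Running the same parser over the post-reboot log is the quick way to see whether the forged AFD entry and the locked service persist once the disk has been cured.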


Here you go:

2010/11/06 09:58:55.0875 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/06 09:58:55.0875 ================================================================================

2010/11/06 09:58:55.0875 SystemInfo:

2010/11/06 09:58:55.0875

2010/11/06 09:58:55.0875 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/06 09:58:55.0875 Product type: Workstation

2010/11/06 09:58:55.0875 ComputerName: COMPAQ

2010/11/06 09:58:55.0875 UserName: Compaq_Owner

2010/11/06 09:58:55.0875 Windows directory: C:\WINDOWS

2010/11/06 09:58:55.0875 System windows directory: C:\WINDOWS

2010/11/06 09:58:55.0875 Processor architecture: Intel x86

2010/11/06 09:58:55.0875 Number of processors: 1

2010/11/06 09:58:55.0875 Page size: 0x1000

2010/11/06 09:58:55.0875 Boot type: Normal boot

2010/11/06 09:58:55.0875 ================================================================================

2010/11/06 09:58:56.0921 Initialize success

2010/11/06 09:59:04.0687 ================================================================================

2010/11/06 09:59:04.0687 Scan started

2010/11/06 09:59:04.0687 Mode: Manual;

2010/11/06 09:59:04.0687 ================================================================================

2010/11/06 09:59:06.0234 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/06 09:59:06.0421 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/06 09:59:06.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/06 09:59:06.0859 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys

2010/11/06 09:59:06.0859 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7

2010/11/06 09:59:06.0875 AFD - detected Forged file (1)


2010/11/06 09:59:42.0218 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2010/11/06 09:59:42.0468 SiSkp (2c921a4cce0b3eb372ebf448939fa3bf) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2010/11/06 09:59:42.0718 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys

2010/11/06 09:59:43.0125 smserial (bc871f7565c714252e836234043f77a5) C:\WINDOWS\system32\DRIVERS\smserial.sys

2010/11/06 09:59:43.0765 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/06 09:59:44.0093 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/06 09:59:44.0375 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/06 09:59:44.0656 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2010/11/06 09:59:44.0875 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/06 09:59:45.0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/06 09:59:46.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/06 09:59:46.0359 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/06 09:59:46.0640 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/06 09:59:46.0921 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/06 09:59:47.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/06 09:59:47.0843 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/06 09:59:48.0125 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/06 09:59:48.0343 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/06 09:59:48.0484 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/06 09:59:48.0656 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/11/06 09:59:48.0796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/06 09:59:48.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/06 09:59:49.0000 Suspicious service (NoAccess): vbma297a

2010/11/06 09:59:49.0171 vbma297a (a2e13ce027a5bd8c798039ae4559eec1) C:\WINDOWS\system32\drivers\vbma297a.sys

2010/11/06 09:59:49.0171 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma297a.sys. md5: a2e13ce027a5bd8c798039ae4559eec1

2010/11/06 09:59:49.0187 vbma297a - detected Locked service (1)


2010/11/06 09:59:50.0390 ================================================================================

2010/11/06 09:59:50.0390 Scan finished

2010/11/06 09:59:50.0390 ================================================================================

2010/11/06 09:59:50.0406 Detected object count: 2

2010/11/06 10:00:06.0921 Forged file(AFD) - User select action: Skip

2010/11/06 10:00:06.0921 Locked service(vbma297a) - User select action: Skip

2010/11/06 10:00:13.0281 Deinitialize success


LD, it doesn't appear that "delete" deletes the files. I've run TDSSKiller scans four times and every time it finds the same files (AFD & vbma297a), so I select "delete" and reboot, but there is no change. Below is the last log file:

2010/11/06 12:03:15.0843 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/06 12:03:15.0843 ================================================================================

2010/11/06 12:03:15.0843 SystemInfo:

2010/11/06 12:03:15.0843

2010/11/06 12:03:15.0843 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/06 12:03:15.0843 Product type: Workstation

2010/11/06 12:03:15.0843 ComputerName: COMPAQ

2010/11/06 12:03:15.0843 UserName: Compaq_Owner

2010/11/06 12:03:15.0843 Windows directory: C:\WINDOWS

2010/11/06 12:03:15.0843 System windows directory: C:\WINDOWS

2010/11/06 12:03:15.0843 Processor architecture: Intel x86

2010/11/06 12:03:15.0843 Number of processors: 1

2010/11/06 12:03:15.0843 Page size: 0x1000

2010/11/06 12:03:15.0843 Boot type: Normal boot

2010/11/06 12:03:15.0843 ================================================================================

2010/11/06 12:03:16.0593 Initialize success

2010/11/06 12:03:17.0984 ================================================================================

2010/11/06 12:03:17.0984 Scan started

2010/11/06 12:03:17.0984 Mode: Manual;

2010/11/06 12:03:17.0984 ================================================================================


2010/11/06 12:03:26.0031 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys

2010/11/06 12:03:26.0046 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7

2010/11/06 12:03:26.0062 AFD - detected Forged file (1)


2010/11/06 12:04:26.0656 Suspicious service (NoAccess): vbma297a

2010/11/06 12:04:26.0828 vbma297a (a2e13ce027a5bd8c798039ae4559eec1) C:\WINDOWS\system32\drivers\vbma297a.sys

2010/11/06 12:04:26.0828 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma297a.sys. md5: a2e13ce027a5bd8c798039ae4559eec1

2010/11/06 12:04:26.0843 vbma297a - detected Locked service (1)


2010/11/06 12:04:28.0109 ================================================================================

2010/11/06 12:04:28.0109 Scan finished

2010/11/06 12:04:28.0109 ================================================================================

2010/11/06 12:04:28.0140 Detected object count: 2

2010/11/06 12:04:36.0140 HKLM\SYSTEM\ControlSet001\services\AFD - will be deleted after reboot

2010/11/06 12:04:36.0156 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:04:36.0156 HKLM\SYSTEM\ControlSet002\services\AFD - will be deleted after reboot

2010/11/06 12:04:36.0156 HKLM\SYSTEM\ControlSet002\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:04:36.0156 HKLM\SYSTEM\ControlSet003\services\AFD - will be deleted after reboot

2010/11/06 12:04:36.0156 HKLM\SYSTEM\ControlSet003\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:04:36.0171 C:\WINDOWS\System32\drivers\afd.sys - will be deleted after reboot

2010/11/06 12:04:36.0171 Forged file(AFD) - User select action: Delete

2010/11/06 12:04:36.0171 HKLM\SYSTEM\ControlSet002\services\vbma297a - will be deleted after reboot

2010/11/06 12:04:36.0171 HKLM\SYSTEM\ControlSet003\services\vbma297a - will be deleted after reboot

2010/11/06 12:04:36.0171 C:\WINDOWS\system32\drivers\vbma297a.sys - will be deleted after reboot

2010/11/06 12:04:36.0171 Locked service(vbma297a) - User select action: Delete

2010/11/06 12:04:38.0265 Deinitialize success


We need to see if we can remove the MBR infections before doing anything else.

Try it from Safe Mode

Restart your computer in Safe Mode.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.

Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

This can take several minutes to load.


LD, I did reboot into Safe Mode and ran TDSSKiller again; it found only one file (vbma297a), which I deleted. I rebooted a second time into Safe Mode and ran TDSSKiller again; below is the log file.

2010/11/06 12:25:45.0015 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/06 12:25:45.0015 ================================================================================

2010/11/06 12:25:45.0015 SystemInfo:

2010/11/06 12:25:45.0015

2010/11/06 12:25:45.0015 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/06 12:25:45.0015 Product type: Workstation

2010/11/06 12:25:45.0015 ComputerName: COMPAQ

2010/11/06 12:25:45.0015 UserName: Compaq_Owner

2010/11/06 12:25:45.0015 Windows directory: C:\WINDOWS

2010/11/06 12:25:45.0015 System windows directory: C:\WINDOWS

2010/11/06 12:25:45.0015 Processor architecture: Intel x86

2010/11/06 12:25:45.0015 Number of processors: 1

2010/11/06 12:25:45.0015 Page size: 0x1000

2010/11/06 12:25:45.0015 Boot type: Safe boot

2010/11/06 12:25:45.0015 ================================================================================

2010/11/06 12:25:45.0765 Initialize success

2010/11/06 12:25:49.0000 ================================================================================

2010/11/06 12:25:49.0000 Scan started

2010/11/06 12:25:49.0000 Mode: Manual;

2010/11/06 12:25:49.0000 ================================================================================


2010/11/06 12:26:47.0093 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/06 12:26:47.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/06 12:26:48.0328 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/06 12:26:48.0734 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/06 12:26:49.0156 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/06 12:26:49.0578 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/06 12:26:50.0046 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/06 12:26:50.0468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/06 12:26:50.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/06 12:26:51.0343 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys

2010/11/06 12:26:51.0765 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/06 12:26:52.0484 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/06 12:26:52.0937 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/06 12:26:55.0312 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/06 12:26:55.0750 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/11/06 12:26:56.0187 Ps2 (9b793a1ffd480155fe9ee5261153f21b) C:\WINDOWS\system32\DRIVERS\PS2.sys

2010/11/06 12:26:56.0609 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/06 12:26:57.0109 PSINAflt (469943fb4398df5662dd5d06193c0bb0) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys

2010/11/06 12:26:57.0593 PSINFile (d5c75c5238c52f0c664d23a7ffe38a5c) C:\WINDOWS\system32\DRIVERS\PSINFile.sys

2010/11/06 12:26:58.0109 PSINKNC (3942d3cfab0545f599e6eff2b8a1aad2) C:\WINDOWS\system32\DRIVERS\psinknc.sys

2010/11/06 12:26:58.0609 PSINProc (d3730032f61fca2d2ae6a2daf90347b1) C:\WINDOWS\system32\DRIVERS\PSINProc.sys

2010/11/06 12:26:59.0140 PSINProt (7803cb196f872c7e359c5c71e0a9ac69) C:\WINDOWS\system32\DRIVERS\PSINProt.sys

2010/11/06 12:26:59.0578 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/06 12:26:59.0984 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/06 12:27:01.0890 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/06 12:27:02.0421 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/06 12:27:02.0859 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/06 12:27:03.0296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/06 12:27:03.0750 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/06 12:27:04.0218 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/06 12:27:04.0687 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/06 12:27:05.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/06 12:27:05.0937 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/11/06 12:27:06.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/06 12:27:06.0781 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/06 12:27:07.0218 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/06 12:27:07.0656 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2010/11/06 12:27:08.0437 SiS315 (509d96916c7d9218e4083940b8711b9b) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2010/11/06 12:27:08.0921 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2010/11/06 12:27:09.0328 SiSkp (2c921a4cce0b3eb372ebf448939fa3bf) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2010/11/06 12:27:09.0750 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys

2010/11/06 12:27:10.0453 smserial (bc871f7565c714252e836234043f77a5) C:\WINDOWS\system32\DRIVERS\smserial.sys

2010/11/06 12:27:11.0453 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/06 12:27:11.0890 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/06 12:27:12.0453 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/06 12:27:12.0968 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2010/11/06 12:27:13.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/06 12:27:13.0812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/06 12:27:15.0546 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/06 12:27:16.0125 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/06 12:27:16.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/06 12:27:17.0093 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/06 12:27:17.0515 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/06 12:27:18.0265 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/06 12:27:19.0109 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/06 12:27:19.0687 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/06 12:27:20.0109 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/06 12:27:20.0531 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/11/06 12:27:20.0953 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/06 12:27:21.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/06 12:27:21.0796 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/06 12:27:22.0218 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/06 12:27:22.0625 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/06 12:27:23.0093 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/06 12:27:23.0828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/06 12:27:24.0421 ================================================================================

2010/11/06 12:27:24.0421 Scan finished

2010/11/06 12:27:24.0421 ================================================================================


LD, in normal mode AFD shows up again and two runs of TDSSKiller found both times (delete doesn't delete apparently). Here's the log from the second run in normal mode:

2010/11/06 12:46:07.0890 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/06 12:46:07.0890 ================================================================================

2010/11/06 12:46:07.0890 SystemInfo:

2010/11/06 12:46:07.0890

2010/11/06 12:46:07.0890 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/06 12:46:07.0890 Product type: Workstation

2010/11/06 12:46:07.0890 ComputerName: COMPAQ

2010/11/06 12:46:07.0890 UserName: Compaq_Owner

2010/11/06 12:46:07.0890 Windows directory: C:\WINDOWS

2010/11/06 12:46:07.0890 System windows directory: C:\WINDOWS

2010/11/06 12:46:07.0890 Processor architecture: Intel x86

2010/11/06 12:46:07.0890 Number of processors: 1

2010/11/06 12:46:07.0890 Page size: 0x1000

2010/11/06 12:46:07.0890 Boot type: Normal boot

2010/11/06 12:46:07.0890 ================================================================================

2010/11/06 12:46:10.0296 Initialize success

2010/11/06 12:46:12.0250 ================================================================================

2010/11/06 12:46:12.0250 Scan started

2010/11/06 12:46:12.0250 Mode: Manual;

2010/11/06 12:46:12.0250 ================================================================================

2010/11/06 12:46:21.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/06 12:46:22.0906 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/06 12:46:24.0375 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/06 12:46:24.0984 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys

2010/11/06 12:46:24.0984 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7

2010/11/06 12:46:25.0000 AFD - detected Forged file (1)

2010/11/06 12:47:32.0953 ================================================================================

2010/11/06 12:47:32.0953 Scan finished

2010/11/06 12:47:32.0953 ================================================================================

2010/11/06 12:47:32.0968 Detected object count: 1

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\services\AFD - will be deleted after reboot

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet002\services\AFD - will be deleted after reboot

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet002\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet003\services\AFD - will be deleted after reboot

2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet003\control\safeboot\Network\AFD - will be deleted after reboot

2010/11/06 12:47:40.0890 C:\WINDOWS\System32\drivers\afd.sys - will be deleted after reboot

2010/11/06 12:47:40.0890 Forged file(AFD) - User select action: Delete

2010/11/06 12:47:44.0265 Deinitialize success

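The two TDSSKiller runs posted in this thread show the same forged afd.sys and a queued deletion that did not hold. The Python below is an added example (not part of the thread, and not code from TDSSKiller) that parses log lines in this format, reports each forged detection together with whether the matching service keys and file were queued for removal, and compares two runs to flag a file that is forged again after being queued for deletion. The first sample run reuses lines from the log above; the second run is constructed with made-up timestamps.

```python
"""Triage helper for TDSSKiller-style logs (added example, not the tool's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller line starts with a timestamp: "2010/11/06 12:46:24.0984 <body>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Driver enumeration: "<service name> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Forged-file detection: two different hashes for one path, i.e. what is read back
# for the file does not match what the scanner sees on disk.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
# Queued action: "<registry key or file path> - will be deleted after reboot"
PENDING_RE = re.compile(r"^(.+?) - will be deleted after reboot$")


@dataclass
class Forged:
    path: str
    real_md5: str
    fake_md5: str


@dataclass
class ScanReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: List[Forged] = field(default_factory=list)
    pending: List[str] = field(default_factory=list)
    detected_count: Optional[int] = None


def parse_tdsskiller(text: str) -> ScanReport:
    """Pull driver entries, forged-file detections and queued deletions out of a log."""
    report = ScanReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, anything without a timestamp
        body = m.group(2).strip()
        d, f, p = DRIVER_RE.match(body), FORGED_RE.match(body), PENDING_RE.match(body)
        if d:
            report.drivers[d.group(1)] = (d.group(2), d.group(3))
        elif f:
            report.forged.append(Forged(*f.groups()))
        elif p:
            report.pending.append(p.group(1))
        elif body.startswith("Detected object count:"):
            report.detected_count = int(body.split(":", 1)[1])
    return report


def driver_for_path(report: ScanReport, path: str) -> Optional[str]:
    """Map a flagged file path back to the service name it was enumerated under."""
    for name, (_, p) in report.drivers.items():
        if p.lower() == path.lower():
            return name
    return None


def triage(report: ScanReport) -> List[Dict[str, object]]:
    """One record per forged detection: owning service, and whether this run queued
    the service key(s) and the file itself for deletion."""
    pending = [x.lower() for x in report.pending]
    out = []
    for f in report.forged:
        name = driver_for_path(report, f.path)
        svc_keys = [x for x in pending if name and x.endswith("\\services\\" + name.lower())]
        out.append({
            "service": name,
            "path": f.path,
            "hash_mismatch": f.real_md5 != f.fake_md5,
            "service_keys_queued": len(svc_keys),
            "file_queued": f.path.lower() in pending,
        })
    return out


def still_forged_after_delete(previous: ScanReport, current: ScanReport) -> List[str]:
    """Files the previous run queued for deletion that the next run flags as forged again.
    A non-empty result is the 'delete doesn't delete' symptom described in this thread."""
    queued = {x.lower() for x in previous.pending if not x.lower().startswith("hklm\\")}
    return [f.path for f in current.forged if f.path.lower() in queued]


# Sample run 1: lines taken from the second TDSSKiller log above (trimmed).
RUN_NORMAL_1 = r"""
2010/11/06 12:46:12.0250 Scan started
2010/11/06 12:46:21.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/06 12:46:24.0984 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys
2010/11/06 12:46:24.0984 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2010/11/06 12:46:25.0000 AFD - detected Forged file (1)
2010/11/06 12:47:32.0968 Detected object count: 1
2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\services\AFD - will be deleted after reboot
2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\AFD - will be deleted after reboot
2010/11/06 12:47:40.0890 C:\WINDOWS\System32\drivers\afd.sys - will be deleted after reboot
"""

# Sample run 2: constructed follow-up scan (made-up timestamps) in which the same
# file is flagged as forged again, i.e. the queued deletion did not take effect.
RUN_NORMAL_2 = r"""
2010/11/06 13:05:00.0000 Scan started
2010/11/06 13:05:05.0000 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys
2010/11/06 13:05:05.0000 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2010/11/06 13:05:30.0000 Detected object count: 1
"""

if __name__ == "__main__":
    first, second = parse_tdsskiller(RUN_NORMAL_1), parse_tdsskiller(RUN_NORMAL_2)
    for finding in triage(first):
        print(finding)
    print("forged again after delete:", still_forged_after_delete(first, second))
```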

In case you can not boot after what we do, you'll need to boot from your Windows CD and run Fixmbr

Print this out so you have it

To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, follow these steps:

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD drive, and then restart the computer.

You'll need to see what key you need to use in order to boot from the CD. Usually it's F10

2. Click to select any options that are required to start the computer from the CD drive if you are prompted.

3. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

4. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

5. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

6. At the command prompt, type the appropriate commands to diagnose and repair your Windows XP installation.

Type Fixmbr (tap enter)

Type Exit

Restart the computer

Now let's try this:

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


LD, the first run of ComboFix found a rootkit infection and asked me to reboot the computer. I did reboot and ComboFix automatically restarted a scan and ran to completion and finished a log file:

ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 13:49:01.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.440 [GMT -5:00]

Running from: J:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\.wtav

c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\facemoods.com

c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\facemoods.com\facemoods\Online Games.ico

C:\feed.txt

c:\program files\skynet.dat

c:\windows\assembly\GAC\__AssemblyInfo__.ini

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

c:\windows\explorer(2).exe

c:\windows\herjek.config

c:\windows\system32\fsc.txt

c:\windows\system32\ide.txt

c:\windows\system32\klgd.bmp

c:\windows\system32\lpd.txt

c:\windows\system32\lpe.txt

c:\windows\system32\lrg.txt

c:\windows\system32\qks.txt

c:\windows\system32\xef.txt

c:\windows\Tasks\bxqogdrq.job

c:\windows\Tasks\dpgetlyt.job

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - The cat found it :D

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_ADBUPD

-------\Legacy_USERINIT

-------\Service_6to4

-------\Service_AdbUpd

-------\Service_userinit

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))

.

2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine

2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira

2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 02:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes

2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing

2010-11-01 23:21 . 2010-11-01 23:31 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\pandasecuritytb

2010-11-01 23:20 . 2010-11-02 02:40 -------- d-----w- c:\program files\Panda Security

2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar

2010-10-25 04:52 . 2010-11-02 02:42 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar

2010-10-25 04:21 . 2010-10-25 04:21 -------- d-----w- c:\program files\Ask.com

2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll

.

------- Sigcheck -------

[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe

[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe

[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe

[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe

[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe

[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe

[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe

[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe

[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe

[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe

[-] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe

[-] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe

[-] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe

[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe

[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe

[-] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe

[-] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2GDR\iexplore.exe

[-] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe

[-] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2QFE\iexplore.exe

[-] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe

[-] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe

[-] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe

[-] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe

[-] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe

[-] 2007-08-17 . 3AC2BC667DA0AF2C968E96E1630F5AB5 . 625152 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe

[-] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe

[-] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe

[-] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe

[-] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe

[-] 2007-06-27 . 275CEE268B9E5D82474C43D5D249D111 . 625152 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\iexplore.exe

[-] 2007-04-24 . 10BDB55982586A432A3951EB19A26009 . 625152 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\iexplore.exe

[-] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe

[-] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe

[-] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe

[-] 2007-01-09 . 93A6A4F5293AE19E3B37021AABCF0902 . 623616 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\iexplore.exe

[-] 2006-10-17 . 5334D4461AA92A7B008755FE6D13C5F2 . 622080 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\iexplore.exe

[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe

[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie8\iexplore.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2010-10-25 13:34 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-09-28 04:40 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1244040]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-10-25 86696]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1244040]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]

@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"

[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]

2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]

@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"

[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]

2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]

"SiSPower"="SiSPower.dll" [2005-04-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

"Panda Security Toolbar Antiphishing"="c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.exe" [2010-10-24 449192]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2010 9:41 PM 28552]

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [6/17/2010 1:41 PM 129992]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/21/2010 10:02 PM 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/21/2010 10:02 PM 112456]

S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [8/9/2010 2:53 PM 140608]

.

Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 04:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.facemoods.com/?a=antn

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-Locked - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-iTunesHelper - files\itunes\ituneshelper.exe

HKLM-Run-SMSERIAL - (no file)

SharedTaskScheduler-{23890fbe-a206-400f-8a89-f094b6efd9d9} - (no file)

SharedTaskScheduler-{b43f8a73-c416-4add-91f9-33f0e5a270ca} - (no file)

SharedTaskScheduler-{8b87616f-ccd9-4076-9873-1b724da2f16e} - (no file)

SharedTaskScheduler-{c4172249-1f32-4832-8982-80b4f33ff7f0} - (no file)

SharedTaskScheduler-{f1f47ee6-2383-4e1a-84b3-d4455fd87bdd} - (no file)

SharedTaskScheduler-{f012e104-dfa5-4939-8c39-b827ce01ae78} - (no file)

SSODL-bibiwaluk-{23890fbe-a206-400f-8a89-f094b6efd9d9} - (no file)

SSODL-vimazodag-{b43f8a73-c416-4add-91f9-33f0e5a270ca} - (no file)

SSODL-yeruzijep-{8b87616f-ccd9-4076-9873-1b724da2f16e} - (no file)

SSODL-fagoziruy-{c4172249-1f32-4832-8982-80b4f33ff7f0} - (no file)

SSODL-layezewan-{f1f47ee6-2383-4e1a-84b3-d4455fd87bdd} - (no file)

SSODL-wuyagihes-{f012e104-dfa5-4939-8c39-b827ce01ae78} - (no file)

Notify-setcell - setcell.dll

SafeBoot-klmdb.sys

ActiveSetup-{11522865-037B-4E24-99D6-B43A3782302F} - uaihv27.dll

ActiveSetup-{1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA} - oxia7.dll

ActiveSetup-{3513A6A1-9E64-411E-A763-BE8CF8F8F1BC} - iwauqng5.dll

ActiveSetup-{7D94FE9D-0031-4911-9D51-2A24CB88120C} - pbutk.dll

ActiveSetup-{C1DDC416-23B2-4876-A75C-2D1902CCD0C3} - usmkppl.dll

ActiveSetup-{D44AAFDA-1AF4-45AA-9813-6337EDFA496C} - jnjvcpxk1.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-06 14:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3976)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

.

**************************************************************************

.

Completion time: 2010-11-06 14:09:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-06 19:09

ComboFix2.txt 2009-12-12 02:24

Pre-Run: 32,529,850,368 bytes free

Post-Run: 36,105,555,968 bytes free

- - End Of File - - 88632619534D233B6F2624D544DBFE1A


Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Next:

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
c:\program files\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

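For anyone reading along: the items the helper acts on in the log above (the browser proxy pointed at 127.0.0.1:5555, the "AntiVirusOverride" entry, the Run entry marked [X], and the orphaned load points) all have fixed line shapes in a ComboFix log, so they can be picked out automatically. The script below is an added example, not ComboFix's or the forum's code; the sample lines are constructed from the format of the posted log, and reading [X] as "file not found" is my assumption.

```python
"""Triage ComboFix log lines for the indicators acted on in this thread:
a browser proxy on the loopback address, a silenced Security Center,
autorun entries whose file is missing, and orphaned load points."""
import re
from ipaddress import ip_address

# Constructed sample in ComboFix's line format, modelled on the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
------- Supplementary Scan -------
uStart Page = hxxp://start.facemoods.com/?a=antn
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-iTunesHelper - files\itunes\ituneshelper.exe
SSODL-bibiwaluk-{23890fbe-a206-400f-8a89-f094b6efd9d9} - (no file)
"""

# One regex per ComboFix line shape we care about.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$')
START_PAGE_RE = re.compile(r'^uStart Page\s*=\s*(?P<url>\S+)$')
ORPHAN_RE = re.compile(r'^(?P<kind>[A-Za-z]+)-(?P<rest>.+?)\s+-\s+\(no file\)$')


def parse_proxy_server(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.
    Accepts 'host:port' or 'http=host:port;https=host:port' (IPv4/hostnames only)."""
    entries = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition('=')   # no '=' -> scheme ''
        host, _, port = hostport.rpartition(':')
        if not host:                                 # bare host without a port
            host, port = hostport, ''
        entries.append((scheme or 'all', host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for localhost or any loopback IP: a browser proxy there means some
    local process sits between the browser and the network."""
    if host.lower() == 'localhost':
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (category, detail) findings for the suspicious lines in a ComboFix log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy_server(m.group('value')):
                if is_loopback(host):
                    findings.append(('loopback-proxy', f'{scheme} traffic sent to {host}:{port}'))
        elif AV_OVERRIDE_RE.match(line):
            findings.append(('av-override', 'Security Center told not to report antivirus status'))
        elif m := RUN_VALUE_RE.match(line):
            # Assumption: ComboFix prints [X] where the referenced file could not be found.
            if m.group('meta') == 'X':
                findings.append(('dangling-autorun', f"{m.group('name')} -> {m.group('cmd')}"))
        elif m := START_PAGE_RE.match(line):
            # ComboFix defangs URLs as hxxp; report the value for review, do not refang it.
            findings.append(('start-page', m.group('url')))
        elif m := ORPHAN_RE.match(line):
            findings.append(('orphan', f"{m.group('kind')} {m.group('rest')}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:17} {detail}')
```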

LD, upon restart ComboFix restarted its scan and produced the following log:

ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 15:00:36.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.458 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Ask.com

c:\program files\Ask.com\btn_search.png

c:\program files\Ask.com\cobrand.ico

c:\program files\Ask.com\config.xml

c:\program files\Ask.com\favicon.ico

c:\program files\Ask.com\GenericAskToolbar.dll

c:\program files\Ask.com\limewire_logo.png

c:\program files\Ask.com\mupcfg.xml

c:\program files\Ask.com\SaUpdate.exe

c:\program files\Ask.com\UpdateTask.exe

c:\windows\system32\config\bjyeyaiy

.

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))

.

2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine

2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira

2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 02:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes

2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing

2010-11-01 23:21 . 2010-11-01 23:31 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\pandasecuritytb

2010-11-01 23:20 . 2010-11-02 02:40 -------- d-----w- c:\program files\Panda Security

2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar

2010-10-25 04:52 . 2010-11-06 19:53 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar

2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2010-10-25 13:34 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-10-25 86696]

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]

@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"

[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]

2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]

@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"

[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]

2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]

"SiSPower"="SiSPower.dll" [2005-04-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

"Panda Security Toolbar Antiphishing"="c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.exe" [2010-10-24 449192]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2010 9:41 PM 28552]

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [6/17/2010 1:41 PM 129992]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/21/2010 10:02 PM 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/21/2010 10:02 PM 112456]

S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [8/9/2010 2:53 PM 140608]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.facemoods.com/?a=antn

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-06 15:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3604)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

.

**************************************************************************

.

Completion time: 2010-11-06 15:17:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-06 20:17

ComboFix2.txt 2010-11-06 19:09

ComboFix3.txt 2009-12-12 02:24

Pre-Run: 36,098,134,016 bytes free

Post-Run: 36,099,694,592 bytes free

- - End Of File - - D2E5D3B5710AC03B623A339482B5609E


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

You are also running 2 anti-virus programs:

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

You need to uninstall one of them.


LD, I uninstalled Panda Cloud AV and all its various components, then restarted and did the above script. Here's the log file:

ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 15:53:00.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.399 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))

.

2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine

2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira

2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira

2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes

2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security

2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn

2010-11-01 23:20 . 2010-11-06 20:40 -------- d-----w- c:\program files\Panda Security

2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar

2010-10-25 04:52 . 2010-11-06 19:53 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar

2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]

"SiSPower"="SiSPower.dll" [2005-04-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.facemoods.com/?a=antn

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-06 16:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3196)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

.

**************************************************************************

.

Completion time: 2010-11-06 16:07:38 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-06 21:07

ComboFix2.txt 2010-11-06 20:17

ComboFix3.txt 2010-11-06 19:09

ComboFix4.txt 2009-12-12 02:24

Pre-Run: 36,284,334,080 bytes free

Post-Run: 36,275,482,624 bytes free

- - End Of File - - 8C8C6E696C7B51F4C821149D4FE28C57


Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

  • Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog


  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to right-click the file and choose Run as administrator to run it. With User Account Control on, it should ask permission to run it. Click Yes.
  • This will flash a black DOS box very quickly and go away; this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch ComboFix and post the scan results.

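The two proxy-removal steps in this thread (the `DDS::` line in the CFScript post above and the fixme.bat in this post) both undo the same indicator: a per-user ProxyServer that points at 127.0.0.1:5555, so that everything the browser sends first passes through a process on the local machine. The script below is an added example, not code from the forum, ComboFix or DDS. It triages a DDS/ComboFix log excerpt (a constructed sample modelled on the lines posted in this thread) for that indicator and for a non-zero Security Center AntiVirusOverride, and emits the Internet Settings `reg` commands that the fixme.bat uses. The Security Center `reg delete` it adds is an assumption of this example and is not part of the thread's fix.

```python
"""Triage a DDS/ComboFix log excerpt for the proxy-hijack indicators in this thread.

Added example (not the forum's, ComboFix's or DDS's own code). It reads the
'uInternet Settings,ProxyServer' and Security Center lines the way a helper
would by eye and returns structured findings plus the registry commands the
thread's fixme.bat uses to undo the proxy hijack.
"""
import re
from typing import Dict, List

# Constructed sample excerpt in DDS/ComboFix log format, modelled on the
# lines posted in this thread (not a real capture).
SAMPLE_LOG = """\
uStart Page = hxxp://start.facemoods.com/?a=antn
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(.+)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:([0-9a-fA-F]+)$')
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a ProxyServer value into scheme -> host:port.

    The value is either one 'host:port' used for every protocol (mapped to '*')
    or a ';'-separated list of 'scheme=host:port' pairs.
    """
    entries: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, endpoint = part.partition("=")
        if not endpoint:
            scheme, endpoint = "*", scheme
        entries[scheme.lower()] = endpoint.strip()
    return entries


def endpoint_host(endpoint: str) -> str:
    """Return the host part of 'host:port', handling bracketed IPv6."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    if endpoint.count(":") == 1:
        return endpoint.split(":")[0]
    return endpoint  # bare IPv6 address or hostname without a port


def triage_log(text: str) -> List[dict]:
    """Return one finding per suspicious line in a DDS/ComboFix excerpt."""
    findings: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, endpoint in parse_proxy_server(m.group(1)).items():
                loopback = endpoint_host(endpoint).lower() in LOOPBACK_HOSTS
                findings.append({
                    # A proxy on the local machine means some local process sits
                    # between the browser and the network; a remote proxy may be
                    # legitimate (corporate) and only needs review.
                    "indicator": "proxy_loopback" if loopback else "proxy_set",
                    "severity": "high" if loopback else "medium",
                    "detail": f"{scheme} proxy -> {endpoint}",
                })
            continue
        m = OVERRIDE_RE.match(line)
        if m and int(m.group(2), 16) != 0:
            findings.append({
                # A non-zero override silences Security Center's warning that
                # the AV or firewall is off or out of date.
                "indicator": "security_center_override",
                "severity": "medium",
                "name": m.group(1),
                "detail": f"{m.group(1)}={int(m.group(2), 16)}",
            })
    return findings


def remediation_commands(findings: List[dict]) -> List[str]:
    """Build the reg commands that undo the high-confidence findings.

    The Internet Settings lines are the ones the thread's fixme.bat runs; the
    Security Center line is an assumed addition, not part of the thread's fix.
    """
    cmds: List[str] = []
    if any(f["indicator"] == "proxy_loopback" for f in findings):
        cmds += [
            f'reg delete "{IE_KEY}" /v ProxyServer /f',
            f'reg delete "{IE_KEY}" /v ProxyOverride /f',
            f'reg add "{IE_KEY}" /v ProxyEnable /t REG_DWORD /d 0 /f',
        ]
    for f in findings:
        if f["indicator"] == "security_center_override":
            cmds.append(f'reg delete "{SC_KEY}" /v {f["name"]} /f')
    return cmds


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['indicator']}: {f['detail']}")
    print("\n".join(remediation_commands(found)))
```

A remote proxy is reported at medium severity but gets no automatic command, because on a managed network it may be the intended configuration; only the loopback case, which is what this thread shows, is turned into the fixme.bat lines.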
