Redirect Virus/VERY slow internet/internet disconnects



dnbsoulr
2010-07-24, 18:54
Hi,

I have a redirect virus. It isn't confined to just Google; it's a random redirect: no matter where I am online, clicking links can randomly send me to spam sites.

I think this problem is also linked to internet issues I have been having... my computer's internet has been running VERY slow, and randomly resets the connection to the internet.

It's very frustrating.... This problem is only about a week old; 1 week ago EVERYTHING was running smoothly.

Please help!

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Oni Laptop at 11:46:57.02 on Sat 07/24/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2094 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Oni Laptop\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [mcexecwin] rundll32.exe c:\windows\temp\obxv40.dll, RestoreWindows
dRun: [uiha98uiohf873yuiadnhgjesgregas] c:\windows\temp\vybwj23.exe
dRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\windows\temp\win.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\onilap~1\appdata\roaming\mozilla\firefox\profiles\3v64owpj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\oni laptop\appdata\roaming\mozilla\firefox\profiles\3v64owpj.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: XULRunner: {C7D61D9E-DEEA-4A4F-BB93-151892FF691B} - c:\windows\system32\config\systemprofile\appdata\local\{c7d61d9e-deea-4a4f-bb93-151892ff691b}\
FF - HiddenExtension: XULRunner: {488126AF-526A-47F2-86E5-9245FF66FAFE} - c:\users\oni laptop\appdata\local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-24 165456]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-24 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-24 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-24 50256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-28 17408]

=============== Created Last 30 ================

2010-07-24 15:39:27 0 d-----w- c:\windows\system32\appmgmt
2010-07-24 04:50:03 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-24 04:49:45 38848 ----a-w- c:\windows\avastSS.scr
2010-07-24 04:49:42 0 d-----w- c:\programdata\Alwil Software
2010-07-15 17:22:05 768000 ----a-w- c:\windows\system32\drivers\gatvwoz.sys
2010-07-15 17:20:10 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-15 17:20:07 0 d-----w- c:\programdata\Update
2010-07-15 17:20:03 150 ----a-w- C:\zrpt.xml
2010-07-15 17:20:02 74752 ----a-w- c:\windows\system32\ddcc.sys
2010-07-15 05:33:41 5550145 ----a-w- c:\windows\system32\idtcpl.cpl
2010-07-15 05:33:41 512000 ----a-w- c:\windows\system32\idtmini1.exe
2010-07-15 05:33:41 442433 ----a-w- c:\windows\sttray.exe
2010-07-15 05:33:41 2469888 ----a-w- c:\windows\system32\stlang.dll
2010-07-15 05:33:41 221239 ----a-w- c:\windows\system32\stacsv.exe
2010-07-15 05:33:03 164352 ----a-w- c:\windows\system32\staco.dll
2010-07-15 05:32:25 580608 ----a-w- c:\windows\system32\stapo.dll
2010-07-15 05:32:25 404480 ----a-w- c:\windows\system32\stapi32.dll
2010-07-15 05:32:25 379904 ----a-w- c:\windows\system32\drivers\stwrt.sys
2010-07-15 05:32:25 344576 ----a-w- c:\windows\system32\stcplx.dll
2010-07-15 05:32:22 0 d-----w- c:\program files\IDT
2010-07-14 00:43:22 40581 ----a-w- c:\windows\system32\rwecp.exe
2010-07-08 18:47:19 0 d-----w- c:\program files\iPod
2010-07-08 18:47:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-08 18:47:18 0 d-----w- c:\program files\iTunes
2010-07-01 07:06:35 0 d-----w- c:\programdata\NOS

==================== Find3M ====================

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 20:18:26 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:47:59.63 ===============

ATTACH:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/22/2010 3:10:56 PM
System Uptime: 7/24/2010 1:42:24 AM (10 hours ago)

Motherboard: Gateway | |
Processor: Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1833/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 196.238 GiB free.
D: is CDROM ()
E: is Removable
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Multi-Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MULTI-CARD&REV_1.00#20060413092100000&0#
Manufacturer: Generic-
Name: E:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MULTI-CARD&REV_1.00#20060413092100000&0#
Service: WUDFRd

==== System Restore Points ===================

RP41: 7/14/2010 1:45:33 AM - Scheduled Checkpoint
RP43: 7/15/2010 1:33:52 AM - Installed IDT Audio
RP44: 7/23/2010 12:00:03 AM - Scheduled Checkpoint
RP45: 7/24/2010 12:49:31 AM - avast! Free Antivirus Setup
RP46: 7/24/2010 11:38:57 AM - Removed Skype Toolbars

==== Installed Programs ======================

7-Zip 9.10 beta
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.3
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AIM 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
ATI Catalyst Registration
avast! Free Antivirus
Bonjour
Camera Assistant Software for Gateway
CamStudio
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
Combined Community Codec Pack 2009-09-09
CoreAVC Professional Edition (remove only)
DH Mobility Modder.NET
Download Updater (AOL LLC)
Haali Media Splitter
HijackThis 2.0.2
IDT Audio
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.7)
MSVCRT
Multiple Image Resizer .NET
PDF Settings
QuickTime
Skype™ 4.2
Spybot - Search & Destroy
Synaptics Pointing Device Driver
VLC media player 1.0.5
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Yahoo! Messenger
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

7/24/2010 1:33:36 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:36 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/24/2010 1:33:36 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/24/2010 1:33:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/24/2010 1:33:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/24/2010 1:33:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/24/2010 1:33:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/24/2010 1:33:24 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2010 1:33:24 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2010 1:32:58 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
7/23/2010 5:35:34 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
7/20/2010 4:36:40 PM, Error: atikmdag [43029] - Display is not active
7/17/2010 8:48:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
7/17/2010 8:48:53 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/17/2010 8:48:53 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/17/2010 6:31:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
7/17/2010 6:31:22 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
7/17/2010 6:31:22 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/17/2010 6:31:14 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr sptd Wanarpv6

==== End Of File ===========================

Minor update...

I found a system restore point before the problem occurred and tried to restore to that point...

The restore failed; it said it had trouble deleting the file gatvwoz.sys in my Windows folder.

That is interesting because that same file pops up in Avast as a threat, but Avast is unable to delete it because of an error in an attached device or something?

I would be happy to post a log from either System Restore or Avast, but you'll have to tell me how to do the log from System Restore; I could figure out how to get a log in Avast, but System Restore I have no clue.

Avast just popped up again and said that that same file gatvwoz.sys in my Windows drivers folder is a rootkit.

I clicked on delete and didn't get an error message... could it finally have deleted it?

Running an Avast scan now, will not post any more until someone replies....
--------------------------------
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (dirty or not) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count.
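The "Pseudo HJT Report" section of the DDS log above carries the findings a helper would triage first: autorun entries launching from c:\windows\temp, UAC policies set to 0, a Hosts entry pointing a security site at 127.0.0.1, and hidden XULRunner extensions living under profile directories. The script below is an added example written for this page (not part of DDS, Spybot or the forum's tooling) that applies those rules to DDS-shaped lines; the sample lines are constructed after the log in this thread, and the rule names and the short list of security-site domains are assumptions you can extend.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: "Pseudo HJT Report" lines in the shape DDS emits,
# modelled on the log posted in this thread. Not a captured file.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = <local>;*.local
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [mcexecwin] rundll32.exe c:\windows\temp\obxv40.dll, RestoreWindows
dRun: [uiha98uiohf873yuiadnhgjesgregas] c:\windows\temp\vybwj23.exe
dRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\windows\temp\win.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
FF - HiddenExtension: XULRunner: {C7D61D9E-DEEA-4A4F-BB93-151892FF691B} - c:\windows\system32\config\systemprofile\appdata\local\{c7d61d9e-deea-4a4f-bb93-151892ff691b}\
FF - HiddenExtension: XULRunner: {488126AF-526A-47F2-86E5-9245FF66FAFE} - c:\users\oni laptop\appdata\local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
"""

# Line shapes as DDS prints them (hive prefix: m = HKLM, u = HKCU, d = default user).
RUN_RE = re.compile(r"^(?P<hive>[mud]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension: (?P<kind>[^:]+): (?P<id>.+?) - (?P<path>.*)$")

# Rule data (assumed/constructed for this example; extend to taste).
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
SECURITY_SITES = ("spywareinfo.com", "spybot.info")
PROFILE_DIRS = ("\\appdata\\local\\", "\\systemprofile\\")


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


def triage_dds(text: str) -> list[Finding]:
    """Return one Finding per DDS line that trips a triage rule."""
    findings: list[Finding] = []
    for line in text.strip().splitlines():
        low = line.lower()
        if m := RUN_RE.match(line):
            # Legitimate autoruns live under Program Files or system32, not temp dirs.
            if any(d in m.group("cmd").lower() for d in TEMP_DIRS):
                findings.append(Finding("autorun-from-temp", line,
                                        f"{m.group('hive')} entry '{m.group('name')}' launches from a temp directory"))
        elif m := POLICY_RE.match(line):
            # EnableLUA=0 turns UAC off; the other two silence the admin prompt.
            if UAC_WEAK.get(m.group("key")) == m.group("val"):
                findings.append(Finding("uac-disabled", line,
                                        f"{m.group('key')}={m.group('val')} weakens or disables UAC"))
        elif m := HOSTS_RE.match(line):
            # Hosts entries sending security vendors to localhost block help and updates.
            host = m.group("host").lower()
            if m.group("ip") in ("127.0.0.1", "0.0.0.0") and host.endswith(SECURITY_SITES):
                findings.append(Finding("hosts-blocks-security-site", line,
                                        f"{host} is redirected to {m.group('ip')}"))
        elif m := HIDDEN_EXT_RE.match(line):
            # Hidden XULRunner extensions installed under a profile or the system
            # profile are not how Firefox add-ons are normally deployed.
            if m.group("kind") == "XULRunner" and any(d in low for d in PROFILE_DIRS):
                findings.append(Finding("hidden-xulrunner-extension", line,
                                        f"hidden extension {m.group('id')} under {m.group('path')}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'uac-disabled': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage_dds(SAMPLE_DDS)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(hits))
```

Running it on the constructed sample reports three temp-directory autoruns, three UAC policies set to 0, one Hosts redirect and two hidden XULRunner extensions; the Java Console entry under Program Files and ConsentPromptBehaviorUser=3 are correctly left alone.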

shelf life
2010-07-29, 01:22
hi dnbsoulr,

Your log is a few days old. If you still need help simply reply to my post.

dnbsoulr
2010-08-02, 18:34
Yes, I still need help.

I was out of town for a few days; I left my computer at home, so everything is exactly as it was.

I am almost certain this is a rootkit.

Please help!

shelf life
2010-08-03, 00:34
OK, we will get two downloads to use:

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.
Double-click to launch the utility. Click the Start Scan button.

Once the scan completes you can click the Continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your root drive Local Disk (C:) as TDSSKiller.2.4.0.0_01.08.2010_17.32.21_log.txt (name, version, date, time).
Please post the log report.

Next:

Please also download MBRCheck to your desktop

http://ad13.geekstogo.com/MBRCheck.exe

* Double-click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
* It will show a black screen with some information that will contain either the below line if no problem is found:
    o Done! Press ENTER to exit...

* Or you will see more information like below if a problem is found:
    o Found non-standard or infected MBR.
    o Enter 'Y' and hit ENTER for more options, or 'N' to exit:

* Either way, just choose to exit the program at this point, since we want to see only the scan results to begin with.
* MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt, which is random based on date and time.
* Attach this log to your next message.

dnbsoulr
2010-08-03, 03:51
Oh my... that was painful.

Took me 3 tries to get TDSSKiller to download properly; twice I got a blue screen crash during, and had to resort to downloading it in safe mode.

Whatever is going on with my computer is overheating, I think; my laptop has always run a little hot, but this is heating up FAST.

Anyway, here are the logs. Looks like the Kaspersky picked up my infamous gatvwoz file as well; it chose to skip it, though?

2010/08/02 20:35:17.0096 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/02 20:35:17.0096 ================================================================================
2010/08/02 20:35:17.0096 SystemInfo:
2010/08/02 20:35:17.0096
2010/08/02 20:35:17.0096 OS Version: 6.1.7600 ServicePack: 0.0
2010/08/02 20:35:17.0096 Product type: Workstation
2010/08/02 20:35:17.0096 ComputerName: ONILAPTOP-PC
2010/08/02 20:35:17.0096 UserName: Oni Laptop
2010/08/02 20:35:17.0096 Windows directory: C:\Windows
2010/08/02 20:35:17.0096 System windows directory: C:\Windows
2010/08/02 20:35:17.0096 Processor architecture: Intel x86
2010/08/02 20:35:17.0096 Number of processors: 2
2010/08/02 20:35:17.0096 Page size: 0x1000
2010/08/02 20:35:17.0096 Boot type: Normal boot
2010/08/02 20:35:17.0096 ================================================================================
2010/08/02 20:36:46.0840 Initialize success
2010/08/02 20:36:54.0742 ================================================================================
2010/08/02 20:36:54.0742 Scan started
2010/08/02 20:36:54.0742 Mode: Manual;
2010/08/02 20:36:54.0742 ================================================================================
2010/08/02 20:37:33.0854 AFD (e6a287e73f00ecb4cb0bc3f411113981) C:\Windows\system32\drivers\afd.sys
2010/08/02 20:37:33.0864 Suspicious file (Forged): C:\Windows\system32\drivers\afd.sys. Real md5: e6a287e73f00ecb4cb0bc3f411113981, Fake md5: ddc040fdb01ef1712a6b13e52afb104c
2010/08/02 20:37:33.0864 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/02 20:38:11.0724 ddcc (f02e199aa534d8b533b8deb1c192217d) C:\Windows\system32\ddcc.sys
2010/08/02 20:38:11.0724 Suspicious file (NoAccess): C:\Windows\system32\ddcc.sys. md5: f02e199aa534d8b533b8deb1c192217d
2010/08/02 20:38:11.0724 ddcc - detected Locked file (1)
2010/08/02 20:38:14.0874 Suspicious service (NoAccess): gatvwoz
2010/08/02 20:38:15.0104 gatvwoz (b7e2234d097b9fdc827eaa8a8b559090) C:\Windows\system32\drivers\gatvwoz.sys
2010/08/02 20:38:15.0104 Suspicious file (NoAccess): C:\Windows\system32\drivers\gatvwoz.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
2010/08/02 20:38:15.0104 gatvwoz - detected Locked service (1)
2010/08/02 20:39:39.0908 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2010/08/02 20:39:39.0908 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/08/02 20:39:39.0924 sptd - detected Locked file (1)
2010/08/02 20:40:33.0291 ================================================================================
2010/08/02 20:40:33.0291 Scan finished
2010/08/02 20:40:33.0291 ================================================================================
2010/08/02 20:40:33.0307 Detected object count: 4
2010/08/02 20:41:06.0956 AFD (e6a287e73f00ecb4cb0bc3f411113981) C:\Windows\system32\drivers\afd.sys
2010/08/02 20:41:06.0956 Suspicious file (Forged): C:\Windows\system32\drivers\afd.sys. Real md5: e6a287e73f00ecb4cb0bc3f411113981, Fake md5: ddc040fdb01ef1712a6b13e52afb104c
2010/08/02 20:41:07.0315 Backup copy found, using it..
2010/08/02 20:41:07.0315 C:\Windows\system32\drivers\afd.sys - will be cured after reboot
2010/08/02 20:41:07.0315 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2010/08/02 20:41:07.0331 Locked file(ddcc) - User select action: Skip
2010/08/02 20:41:07.0331 Locked service(gatvwoz) - User select action: Skip
2010/08/02 20:41:07.0331 Locked file(sptd) - User select action: Skip
2010/08/02 20:41:13.0742 Deinitialize success


And the MBRCheck log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Gateway
BIOS Manufacturer: Gateway
System Manufacturer: Gateway
System Product Name: M-6850FX
Logical Drives Mask: 0x0000005c

Kernel Drivers (total 199):
0x82A0C000 \SystemRoot\system32\ntkrnlpa.exe
0x82E1C000 \SystemRoot\system32\halmacpi.dll
0x80BCF000 \SystemRoot\system32\kdcom.dll
0x8AE1B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8AE93000 \SystemRoot\system32\PSHED.dll
0x8AEA4000 \SystemRoot\system32\BOOTVID.dll
0x8AEAC000 \SystemRoot\system32\CLFS.SYS
0x8AEEE000 \SystemRoot\system32\CI.dll
0x8AF99000 \SystemRoot\system32\drivers\klmdb.sys
0x8B01E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B08F000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8B09D000 \SystemRoot\System32\Drivers\spgq.sys
0x8B190000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x8B199000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x8AFA9000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8B1BF000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x8B1C7000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x8B1D2000 \SystemRoot\system32\DRIVERS\pci.sys
0x8B207000 \SystemRoot\System32\Drivers\gatvwoz.sys
0x8B2C9000 \SystemRoot\System32\drivers\partmgr.sys
0x8B2DA000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8B2E2000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8B2ED000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8B2FD000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B348000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8B34F000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8B35D000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B373000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8B37C000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8B39F000 \SystemRoot\system32\DRIVERS\msahci.sys
0x8B3A9000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8B3B2000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B3E6000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B402000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B531000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B55C000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B56F000 \SystemRoot\System32\Drivers\cng.sys
0x8B5CC000 \SystemRoot\System32\drivers\pcw.sys
0x8B5DA000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B614000 \SystemRoot\system32\drivers\ndis.sys
0x8B6CB000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B709000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8B81F000 \SystemRoot\System32\drivers\tcpip.sys
0x8B968000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B999000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8B9A2000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8B9E1000 \SystemRoot\System32\Drivers\spldr.sys
0x8B72E000 \SystemRoot\System32\drivers\rdyboost.sys
0x8B9E9000 \SystemRoot\System32\Drivers\mup.sys
0x8B800000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8B75B000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8B808000 \SystemRoot\system32\DRIVERS\disk.sys
0x8B78D000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8F808000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8F827000 \SystemRoot\System32\Drivers\Null.SYS
0x8F82E000 \SystemRoot\System32\Drivers\Beep.SYS
0x8F835000 \SystemRoot\System32\drivers\vga.sys
0x8F841000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8F862000 \SystemRoot\System32\drivers\watchdog.sys
0x8F86F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8F877000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8F87F000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8F887000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8F892000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8F8A0000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8F8B7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8F8C2000 \??\C:\Windows\system32\ddcc.sys
0x8F8D8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8F8E2000 \SystemRoot\system32\drivers\afd.sys
0x8F93C000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8F941000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F973000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8F97A000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F999000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F9A7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F9BA000 \SystemRoot\system32\DRIVERS\termdd.sys
0x90A16000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x90A57000 \SystemRoot\system32\drivers\nsiproxy.sys
0x90A61000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x90A6B000 \SystemRoot\System32\drivers\discache.sys
0x90A77000 \SystemRoot\system32\drivers\csc.sys
0x90ADB000 \SystemRoot\System32\Drivers\dfsc.sys
0x90AF3000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x90B01000 \SystemRoot\System32\Drivers\aswSP.SYS
0x90B28000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x90B49000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90B5B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x90C2A000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x91406000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x914BD000 \SystemRoot\System32\drivers\dxgmms1.sys
0x914F6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x91515000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x91520000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x9156B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x9157A000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x95023000 \SystemRoot\system32\DRIVERS\netw5v32.sys
0x95436000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x9544E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x9545B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x95492000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x95494000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x954A1000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x954A7000 \SystemRoot\System32\Drivers\aqkxe5u2.SYS
0x954E0000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x954ED000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x954FF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x95517000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x95522000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x95544000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x9555C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x95573000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x9558A000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x95594000 \SystemRoot\system32\DRIVERS\swenum.sys
0x95596000 \SystemRoot\system32\DRIVERS\ks.sys
0x955CA000 \SystemRoot\system32\DRIVERS\umbus.sys
0x915B9000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x955D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x95000000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x91161000 \SystemRoot\system32\drivers\portcls.sys
0x91190000 \SystemRoot\system32\drivers\drmk.sys
0x90B5F000 \SystemRoot\system32\DRIVERS\stwrt.sys
0x96600000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x96706000 \SystemRoot\system32\drivers\modem.sys
0x97B40000 \SystemRoot\System32\win32k.sys
0x96713000 \SystemRoot\System32\drivers\Dxapi.sys
0x9671D000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9672A000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x96735000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x9673F000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x96750000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x96767000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9677E000 \SystemRoot\System32\Drivers\UVCFTR_S.SYS
0x96787000 \SystemRoot\System32\Drivers\usbvideo.sys
0x967AB000 \SystemRoot\system32\DRIVERS\monitor.sys
0x97DA0000 \SystemRoot\System32\TSDDD.dll
0x97DD0000 \SystemRoot\System32\cdd.dll
0x97A00000 \SystemRoot\System32\ATMFD.DLL
0x967B6000 \SystemRoot\system32\drivers\luafv.sys
0x967D1000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x967E8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x911A9000 \SystemRoot\system32\drivers\WudfPf.sys
0x967EB000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8B7B2000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x955E9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x911C3000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x967FB000
0x9DC3A000 \SystemRoot\system32\drivers\HTTP.sys
0x9DCBF000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9DCD8000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9DCEA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9DD0D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9DD48000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9DD63000 \SystemRoot\system32\drivers\peauth.sys
0x9DC00000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9DC0A000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9DC2B000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA282D000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA287C000 \SystemRoot\System32\DRIVERS\srv.sys
0xA28CD000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x76F90000 \Windows\System32\ntdll.dll
0x48150000 \Windows\System32\smss.exe
0x771D0000 \Windows\System32\apisetschema.dll
0x001E0000 \Windows\System32\autochk.exe
0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll
0x77160000 \Windows\System32\shlwapi.dll
0x76340000 \Windows\System32\shell32.dll
0x77130000 \Windows\System32\imagehlp.dll
0x762A0000 \Windows\System32\advapi32.dll
0x77120000 \Windows\System32\normaliz.dll
0x761C0000 \Windows\System32\kernel32.dll
0x76020000 \Windows\System32\setupapi.dll
0x77110000 \Windows\System32\nsi.dll
0x75F20000 \Windows\System32\wininet.dll
0x75ED0000 \Windows\System32\gdi32.dll
0x77100000 \Windows\System32\lpk.dll
0x75E80000 \Windows\System32\Wldap32.dll
0x75DB0000 \Windows\System32\user32.dll
0x770E0000 \Windows\System32\imm32.dll
0x75D50000 \Windows\System32\difxapi.dll
0x75C10000 \Windows\System32\urlmon.dll
0x75B60000 \Windows\System32\rpcrt4.dll
0x75AE0000 \Windows\System32\comdlg32.dll
0x75AA0000 \Windows\System32\ws2_32.dll
0x770D0000 \Windows\System32\psapi.dll
0x759F0000 \Windows\System32\msvcrt.dll
0x75890000 \Windows\System32\ole32.dll
0x757F0000 \Windows\System32\usp10.dll
0x75760000 \Windows\System32\oleaut32.dll
0x756D0000 \Windows\System32\clbcatq.dll
0x754D0000 \Windows\System32\iertutil.dll
0x754B0000 \Windows\System32\sechost.dll
0x753E0000 \Windows\System32\msctf.dll
0x75390000 \Windows\System32\KernelBase.dll
0x75370000 \Windows\System32\devobj.dll
0x75340000 \Windows\System32\cfgmgr32.dll
0x75220000 \Windows\System32\crypt32.dll
0x75190000 \Windows\System32\comctl32.dll
0x75160000 \Windows\System32\wintrust.dll
0x75150000 \Windows\System32\msasn1.dll

Processes (total 54):
0 System Idle Process
4 System
292 C:\Windows\System32\smss.exe
392 csrss.exe
476 csrss.exe
484 C:\Windows\System32\wininit.exe
532 C:\Windows\System32\winlogon.exe
580 C:\Windows\System32\services.exe
588 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
692 C:\Windows\System32\svchost.exe
776 C:\Windows\System32\svchost.exe
824 C:\Windows\System32\atiesrxx.exe
936 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\audiodg.exe
1152 C:\Windows\System32\svchost.exe
1212 C:\Windows\System32\atieclxx.exe
1344 C:\Windows\System32\svchost.exe
1420 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1576 C:\Windows\System32\dwm.exe
1592 C:\Windows\explorer.exe
1932 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1940 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
2044 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
400 C:\Program Files\Common Files\Java\Java Update\jusched.exe
412 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
372 C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
480 C:\Program Files\iTunes\iTunesHelper.exe
1072 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1520 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
928 C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
2404 C:\Windows\System32\spoolsv.exe
2432 C:\Windows\System32\taskhost.exe
2440 C:\Windows\System32\svchost.exe
2472 C:\Program Files\Alwil Software\Avast5\Setup\avast.setup
2560 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2612 C:\Program Files\Bonjour\mDNSResponder.exe
2656 C:\Windows\System32\svchost.exe
2696 C:\Windows\System32\svchost.exe
2748 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3008 C:\Program Files\iPod\bin\iPodService.exe
3044 C:\Windows\System32\SearchIndexer.exe
3184 WUDFHost.exe
3552 C:\Program Files\Windows Media Player\wmpnetwk.exe
3640 C:\Windows\System32\SearchProtocolHost.exe
3936 C:\Windows\System32\svchost.exe
3964 WmiPrvSE.exe
4068 C:\Windows\System32\SearchFilterHost.exe
2880 C:\Users\Oni Laptop\Desktop\MBRCheck.exe
2264 C:\Windows\System32\conhost.exe
3424 C:\Windows\System32\dllhost.exe
2256 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!


Awaiting next step!

shelf life
2010-08-03, 04:24
OK, good. Looks like TDSSKiller removed some goodies. It will also only remove "known malicious objects." That's why that one file was skipped.

Let's get another download to use. It's called ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the ComboFix log in your reply:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

dnbsoulr
2010-08-03, 06:04
I wasn't in the room watching it while it ran. How'd it do?




ComboFix 10-08-02.01 - Oni Laptop 08/02/2010 22:42:59.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2221 [GMT -4:00]
Running from: c:\users\Oni Laptop\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\%appdata%
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\i1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\i2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\i3.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\j1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\j2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\j3.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\jj1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\jj2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\jj3.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\l1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\l2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\l3.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\pix.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\t1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\t2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\Thumbs.db
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\up1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\up2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\w11.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\w2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\w3.jpg
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\word.doc
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\wt1.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\wt2.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\images\wt3.gif
c:\windows\system32\config\systemprofile\AppData\Roaming\scdata\wispex.html
c:\windows\system32\config\systemprofile\AppData\Roaming\skynet.dat
c:\windows\system32\config\systemprofile\AppData\Roaming\wp3.dat
c:\windows\system32\config\systemprofile\AppData\Roaming\wp4.dat
c:\windows\system32\rwecp.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 02:51 . 2010-08-03 02:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-08-03 02:49 . 2010-08-03 02:52 -------- d-----w- c:\users\Oni Laptop\AppData\Local\temp
2010-08-03 02:49 . 2010-08-03 02:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-03 02:35 . 2010-08-03 02:35 -------- d-----w- C:\32788R22FWJFW
2010-07-24 04:50 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-24 04:50 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-24 04:50 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-24 04:50 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-24 04:50 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-24 04:49 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-24 04:49 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\programdata\Alwil Software
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\program files\Alwil Software
2010-07-15 18:54 . 2010-07-15 18:54 -------- d-----w- c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
2010-07-15 17:22 . 2010-07-15 17:22 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Xzexobuhog.bin
2010-07-15 17:22 . 2010-07-15 17:22 120 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Dfokezocijezow.dat
2010-07-15 17:22 . 2010-07-15 17:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}
2010-07-15 05:33 . 2008-05-06 20:03 221239 ----a-w- c:\windows\system32\stacsv.exe
2010-07-15 05:33 . 2008-05-06 20:01 442433 ----a-w- c:\windows\sttray.exe
2010-07-15 05:33 . 2008-05-06 20:01 2469888 ----a-w- c:\windows\system32\stlang.dll
2010-07-15 05:33 . 2008-05-06 20:00 512000 ----a-w- c:\windows\system32\idtmini1.exe
2010-07-15 05:33 . 2008-05-06 20:02 164352 ----a-w- c:\windows\system32\staco.dll
2010-07-15 05:32 . 2008-05-06 20:04 379904 ----a-w- c:\windows\system32\drivers\stwrt.sys
2010-07-15 05:32 . 2008-05-06 20:04 344576 ----a-w- c:\windows\system32\stcplx.dll
2010-07-15 05:32 . 2008-05-06 20:03 580608 ----a-w- c:\windows\system32\stapo.dll
2010-07-15 05:32 . 2008-05-06 20:01 404480 ----a-w- c:\windows\system32\stapi32.dll
2010-07-15 05:32 . 2010-07-15 05:33 -------- d-----w- c:\program files\IDT
2010-07-15 05:32 . 2010-07-15 05:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iPod
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iTunes
2010-07-08 18:45 . 2010-07-08 18:45 -------- d-----w- c:\program files\QuickTime
2010-07-04 07:08 . 2010-07-16 17:33 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Sysinternals Antivirus
2010-07-04 07:08 . 2010-07-04 07:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 00:42 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-02 16:25 . 2010-02-18 22:15 -------- d-----w- c:\users\Oni Laptop\AppData\Roaming\vlc
2010-07-24 19:50 . 2010-07-01 07:06 -------- d-----w- c:\programdata\NOS
2010-07-24 15:39 . 2010-05-23 10:13 -------- d-----r- c:\program files\Skype
2010-07-22 08:35 . 2010-01-28 20:56 -------- d-----w- c:\program files\CamStudio
2010-07-16 06:25 . 2010-07-15 17:20 -------- d-----w- c:\programdata\Update
2010-07-15 17:20 . 2010-07-15 17:20 74752 ----a-w- c:\windows\system32\ddcc.sys
2010-07-15 05:32 . 2010-04-23 05:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 19:02 . 2010-06-28 14:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2010-07-08 18:47 . 2010-01-24 16:40 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 18:43 . 2010-01-24 16:41 -------- d-----w- c:\program files\Bonjour
2010-07-08 18:41 . 2010-07-08 18:41 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 01:28 . 2010-01-22 20:57 59608 ----a-w- c:\users\Oni Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-11 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

R3 ALSysIO;ALSysIO;c:\users\ONILAP~1\AppData\Local\Temp\ALSysIO.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2009-08-29 17408]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-01-25 691696]
S1 aswSP;aswSP; [x]
S1 ddcc;ddcc;c:\windows\system32\ddcc.sys [2010-07-15 74752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]


--- Other Services/Drivers In Memory ---

*Deregistered* - gatvwoz
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\users\Oni Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\3v64owpj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: XULRunner: {C7D61D9E-DEEA-4A4F-BB93-151892FF691B} - c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\
FF - HiddenExtension: XULRunner: {488126AF-526A-47F2-86E5-9245FF66FAFE} - c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\gatvwoz]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-02 22:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 02:57

Pre-Run: 226,959,777,792 bytes free
Post-Run: 226,857,095,168 bytes free

- - End Of File - - 494DCD6C1F3104C770E16537658732FD

shelf life
2010-08-04, 00:16
It did OK. How are the redirects and slow internet now? Run Avast once more and see if it still flags the gatvwoz process you mentioned.

dnbsoulr
2010-08-04, 02:13
I ran Avast; it is still picking up gatvwoz as a rootkit.

The computer is still doing the redirects and disconnecting from the internet, with slow speeds.

Also, I get errors when trying to perform Windows Update, and I don't know if something is blocking it or if it's because of the disconnects from the internet.


Things seemed to be running really nice and fast for like 15 min after running ComboFix, but it's back to doing what it was before.

What's next?

shelf life
2010-08-04, 04:17
OK. We will use ComboFix.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:


File::
c:\windows\system32\ddcc.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\gatvwoz]

Driver::
ddcc
gatvwoz


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.
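The CFScript above targets two artefacts that the earlier logs expose in different ways: ddcc.sys appears in the MBRCheck module list loaded via the explicit DOS path \??\C:\Windows\system32\ddcc.sys and in the ComboFix log as an S1 (system-start) service whose image sits in the system32 root rather than system32\drivers, while gatvwoz.sys is loaded from the normal drivers directory and only surfaces as "*Deregistered* - gatvwoz" under "Other Services/Drivers In Memory", meaning a driver is running with no service key behind it. The script below is an added example and is not part of this thread, of ComboFix or of MBRCheck: it reads those two log formats, applies exactly those two heuristics, and renders a block in the CFScript layout used in the post above. The sample lines are copied from the logs posted in this thread; the heuristics, the function names and the meaning of the File::/Registry::/Driver:: sections are this example's assumptions, not documented ComboFix rules.

```python
import re

# Constructed sample input, copied from the MBRCheck listing in the thread:
# "<load address> <image path>" lines.
MBRCHECK_SAMPLE = """\
0x8B207000 \\SystemRoot\\System32\\Drivers\\gatvwoz.sys
0x8F8C2000 \\??\\C:\\Windows\\system32\\ddcc.sys
0x967D1000 \\??\\C:\\Windows\\system32\\drivers\\aswMonFlt.sys
0x97B40000 \\SystemRoot\\System32\\win32k.sys
0x8B402000 \\SystemRoot\\System32\\Drivers\\Ntfs.sys
"""

# Constructed sample input, copied from the first ComboFix log in the thread:
# "<start type> <name>;<display name>;<image> [date size]" service lines
# plus the "Other Services/Drivers In Memory" marker.
COMBOFIX_SAMPLE = """\
S1 aswSP;aswSP; [x]
S1 ddcc;ddcc;c:\\windows\\system32\\ddcc.sys [2010-07-15 74752]
S2 aswMonFlt;aswMonFlt;c:\\windows\\system32\\drivers\\aswMonFlt.sys [2010-06-28 50256]
S3 RTL8167;Realtek 8167 NT Driver;c:\\windows\\system32\\DRIVERS\\Rt86win7.sys [2009-12-19 249888]
*Deregistered* - gatvwoz
"""

MODULE_RE = re.compile(r"^0x[0-9A-Fa-f]+\s+(\S.*\.sys)\s*$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(\S.*\.sys)\s+\[", re.IGNORECASE)
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)\s*$")


def _stem(path):
    """Lower-case file name without the .sys extension."""
    return path.rsplit("\\", 1)[-1].lower()[:-4]


def _under_drivers_dir(path):
    return "\\drivers\\" in path.lower()


def triage_mbrcheck(text):
    """Flag modules loaded via an explicit DOS path (the \\??\\ prefix) from
    outside a drivers\\ directory. Returns {stem: image path without prefix}.
    The prefix alone is not a signal: Avast's aswMonFlt.sys is loaded the same
    way, but from system32\\drivers\\, so it is left alone (assumed heuristic)."""
    hits = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m and m.group(1).startswith("\\??\\") and not _under_drivers_dir(m.group(1)):
            hits[_stem(m.group(1))] = m.group(1)[4:]
    return hits


def triage_combofix(text):
    """Flag boot/system-start drivers (S0/S1) whose image sits outside a
    drivers\\ directory, and drivers reported as running with no service key
    (*Deregistered*). Returns {name: image path or None} (assumed heuristic)."""
    hits = {}
    for line in text.splitlines():
        line = line.strip()
        d = DEREG_RE.match(line)
        if d:
            hits.setdefault(d.group(1).lower(), None)
            continue
        s = SERVICE_RE.match(line)
        if s and s.group(1).upper() in ("S0", "S1") and not _under_drivers_dir(s.group(3)):
            hits[s.group(2).strip().lower()] = s.group(3)
    return hits


def triage(mbrcheck_text, combofix_text):
    """Merge both views into {name: {"path": str or None, "reasons": [...]}}."""
    findings = {}

    def note(name, reason, path):
        entry = findings.setdefault(name, {"path": None, "reasons": []})
        entry["reasons"].append(reason)
        if path and not entry["path"]:
            entry["path"] = path

    for name, path in triage_mbrcheck(mbrcheck_text).items():
        note(name, "loaded via \\??\\ path outside a drivers\\ directory", path)
    for name, path in triage_combofix(combofix_text).items():
        if path is None:
            note(name, "in memory with no service key (*Deregistered*)", None)
        else:
            note(name, "boot-start service image outside drivers\\", path)
    return findings


def build_cfscript(findings):
    """Render File::/Registry::/Driver:: sections in the layout the helper used
    in the thread: File:: for images with a known path, Registry:: for the
    orphaned service keys of deregistered drivers, Driver:: for every name.
    Section semantics are assumed from that post; review before use, since
    every line here deletes something."""
    names = sorted(findings)
    files = sorted(f["path"] for f in findings.values() if f["path"])
    orphans = [n for n in names if findings[n]["path"] is None]
    out = ["File::"] + files + ["", "Registry::"]
    out += ["[-HKEY_LOCAL_MACHINE\\system\\ControlSet001\\services\\%s]" % n for n in orphans]
    out += ["", "Driver::"] + names
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(MBRCHECK_SAMPLE, COMBOFIX_SAMPLE)
    for name, info in sorted(found.items()):
        print(name, info["path"], "; ".join(info["reasons"]))
    print(build_cfscript(found))
```

Run against the sample, only ddcc and gatvwoz come out; win32k.sys (system32 root, but loaded via \SystemRoot) and aswMonFlt.sys (\??\ prefix, but under drivers\) do not. Odd-looking names such as gatvwoz or ddcc are deliberately not used as a signal, because the same listing contains legitimate drivers with equally opaque names; the two path and registration heuristics are what separate the entries the helper chose to remove from the rest.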

dnbsoulr
2010-08-04, 05:02
OK, I might have messed up.

I forgot to disable Avast before running ComboFix, and it popped up during the end of the ComboFix run saying it detected gatvwoz as a rootkit.

Not sure if that affected anything, so I'll just post my log and let you call me an idiot and then tell me what's next.

Hope I didn't ruin it!

Log:
ComboFix 10-08-02.01 - Oni Laptop 08/03/2010 21:45:07.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2392 [GMT -4:00]
Running from: c:\users\Oni Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Oni Laptop\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\ddcc.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\ddcc.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDCC
-------\Legacy_GATVWOZ
-------\Service_ddcc
-------\Service_gatvwoz


((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-04 01:51 . 2010-08-04 01:53 -------- d-----w- c:\users\Oni Laptop\AppData\Local\temp
2010-08-04 01:51 . 2010-08-04 01:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-04 01:51 . 2010-08-04 01:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-04 01:51 . 2010-08-04 01:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-04 01:43 . 2010-08-04 01:43 -------- d-----w- C:\32788R22FWJFW
2010-08-03 20:28 . 2010-08-03 20:28 -------- d-----w- C:\TDSSKiller_Quarantine
2010-08-03 20:26 . 2010-08-03 20:26 69456 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-24 04:50 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-24 04:50 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-24 04:50 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-24 04:50 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-24 04:50 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-24 04:49 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-24 04:49 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\programdata\Alwil Software
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\program files\Alwil Software
2010-07-15 18:54 . 2010-07-15 18:54 -------- d-----w- c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
2010-07-15 17:22 . 2010-07-15 17:22 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Xzexobuhog.bin
2010-07-15 17:22 . 2010-07-15 17:22 120 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Dfokezocijezow.dat
2010-07-15 17:22 . 2010-07-15 17:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}
2010-07-15 17:22 . 2010-08-04 01:52 768000 ----a-w- c:\windows\system32\drivers\gatvwoz.sys
2010-07-15 17:20 . 2010-07-16 07:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\umefyktxq
2010-07-15 17:20 . 2010-07-16 06:25 -------- d-----w- c:\programdata\Update
2010-07-15 05:33 . 2008-05-06 20:03 221239 ----a-w- c:\windows\system32\stacsv.exe
2010-07-15 05:33 . 2008-05-06 20:01 442433 ----a-w- c:\windows\sttray.exe
2010-07-15 05:33 . 2008-05-06 20:01 2469888 ----a-w- c:\windows\system32\stlang.dll
2010-07-15 05:33 . 2008-05-06 20:00 512000 ----a-w- c:\windows\system32\idtmini1.exe
2010-07-15 05:33 . 2008-05-06 20:02 164352 ----a-w- c:\windows\system32\staco.dll
2010-07-15 05:32 . 2008-05-06 20:04 379904 ----a-w- c:\windows\system32\drivers\stwrt.sys
2010-07-15 05:32 . 2008-05-06 20:04 344576 ----a-w- c:\windows\system32\stcplx.dll
2010-07-15 05:32 . 2008-05-06 20:03 580608 ----a-w- c:\windows\system32\stapo.dll
2010-07-15 05:32 . 2008-05-06 20:01 404480 ----a-w- c:\windows\system32\stapi32.dll
2010-07-15 05:32 . 2010-07-15 05:33 -------- d-----w- c:\program files\IDT
2010-07-15 05:32 . 2010-07-15 05:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iPod
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iTunes
2010-07-08 18:45 . 2010-07-08 18:45 -------- d-----w- c:\program files\QuickTime
2010-07-08 18:41 . 2010-07-08 18:41 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 00:42 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-02 16:25 . 2010-02-18 22:15 -------- d-----w- c:\users\Oni Laptop\AppData\Roaming\vlc
2010-07-24 19:50 . 2010-07-01 07:06 -------- d-----w- c:\programdata\NOS
2010-07-24 15:39 . 2010-05-23 10:13 -------- d-----r- c:\program files\Skype
2010-07-22 08:35 . 2010-01-28 20:56 -------- d-----w- c:\program files\CamStudio
2010-07-16 17:33 . 2010-07-04 07:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Sysinternals Antivirus
2010-07-15 05:32 . 2010-04-23 05:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 19:02 . 2010-06-28 14:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2010-07-08 18:47 . 2010-01-24 16:40 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 18:43 . 2010-01-24 16:41 -------- d-----w- c:\program files\Bonjour
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 01:28 . 2010-01-22 20:57 59608 ----a-w- c:\users\Oni Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-11 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

R3 ALSysIO;ALSysIO;c:\users\ONILAP~1\AppData\Local\Temp\ALSysIO.sys [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\users\Oni Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\3v64owpj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: XULRunner: {C7D61D9E-DEEA-4A4F-BB93-151892FF691B} - c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\
FF - HiddenExtension: XULRunner: {488126AF-526A-47F2-86E5-9245FF66FAFE} - c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmd24.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-03 21:58:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-04 01:58
ComboFix2.txt 2010-08-03 02:57

Pre-Run: 226,367,909,888 bytes free
Post-Run: 226,143,272,960 bytes free

- - End Of File - - 16B1F5E163D9EDE5EDFC0487D28D1DA9

shelf life
2010-08-05, 02:07
OK, good. We will use ComboFix again like before.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:



File::
c:\windows\system32\drivers\gatvwoz.sys
c:\windows\system32\config\systemprofile\AppData\Local\Xzexobuhog.bin
c:\windows\system32\config\systemprofile\AppData\Local\Dfokezocijezow.dat
c:\windows\system32\config\systemprofile\AppData\Local\umefyktxq

Folder::
c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}

Driver::
gatvwoz


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

See if the redirects are gone after the above.

dnbsoulr
2010-08-05, 03:37
Everything seems to be running smoothly now!

And I am able to run Windows Update as well now; I'm going to install all of my updates right now!

Here is the ComboFix log. Is there anything else I should do?

I would also suppose now would be a good time to create a new system restore point, hm?

ComboFix 10-08-02.01 - Oni Laptop 08/04/2010 20:24:12.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2144 [GMT -4:00]
Running from: c:\users\Oni Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Oni Laptop\Desktop\cfscript.txt

FILE ::
"c:\windows\system32\config\systemprofile\AppData\Local\Dfokezocijezow.dat"
"c:\windows\system32\config\systemprofile\AppData\Local\umefyktxq"
"c:\windows\system32\config\systemprofile\AppData\Local\Xzexobuhog.bin"
"c:\windows\system32\drivers\gatvwoz.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}
c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}\chrome.manifest
c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}\chrome\content\_cfg.js
c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}\chrome\content\overlay.xul
c:\users\Oni Laptop\AppData\Local\{488126AF-526A-47F2-86E5-9245FF66FAFE}\install.rdf
c:\windows\System32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}
c:\windows\System32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\chrome.manifest
c:\windows\System32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\chrome\content\_cfg.js
c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\chrome\content\overlay.xul
c:\windows\system32\config\systemprofile\AppData\Local\{C7D61D9E-DEEA-4A4F-BB93-151892FF691B}\install.rdf
c:\windows\system32\config\systemprofile\AppData\Local\Dfokezocijezow.dat
c:\windows\system32\config\systemprofile\AppData\Local\Xzexobuhog.bin
c:\windows\system32\drivers\gatvwoz.sys

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 00:29 . 2010-08-05 00:29 -------- d-----w- c:\users\Oni Laptop\AppData\Local\temp
2010-08-05 00:29 . 2010-08-05 00:29 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-05 00:29 . 2010-08-05 00:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-05 00:29 . 2010-08-05 00:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-05 00:22 . 2010-08-05 00:23 -------- d-----w- C:\32788R22FWJFW
2010-08-04 05:30 . 2010-08-04 05:30 -------- d-----w- C:\SWSETUP
2010-08-03 20:28 . 2010-08-03 20:28 -------- d-----w- C:\TDSSKiller_Quarantine
2010-08-03 20:26 . 2010-08-03 20:26 69456 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-24 04:50 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-24 04:50 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-24 04:50 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-24 04:50 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-24 04:50 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-24 04:49 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-24 04:49 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\programdata\Alwil Software
2010-07-24 04:49 . 2010-07-24 04:49 -------- d-----w- c:\program files\Alwil Software
2010-07-15 17:20 . 2010-07-16 07:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\umefyktxq
2010-07-15 17:20 . 2010-07-16 06:25 -------- d-----w- c:\programdata\Update
2010-07-15 05:33 . 2008-05-06 20:03 221239 ----a-w- c:\windows\system32\stacsv.exe
2010-07-15 05:33 . 2008-05-06 20:01 442433 ----a-w- c:\windows\sttray.exe
2010-07-15 05:33 . 2008-05-06 20:01 2469888 ----a-w- c:\windows\system32\stlang.dll
2010-07-15 05:33 . 2008-05-06 20:00 512000 ----a-w- c:\windows\system32\idtmini1.exe
2010-07-15 05:33 . 2008-05-06 20:02 164352 ----a-w- c:\windows\system32\staco.dll
2010-07-15 05:32 . 2008-05-06 20:04 379904 ----a-w- c:\windows\system32\drivers\stwrt.sys
2010-07-15 05:32 . 2008-05-06 20:04 344576 ----a-w- c:\windows\system32\stcplx.dll
2010-07-15 05:32 . 2008-05-06 20:03 580608 ----a-w- c:\windows\system32\stapo.dll
2010-07-15 05:32 . 2008-05-06 20:01 404480 ----a-w- c:\windows\system32\stapi32.dll
2010-07-15 05:32 . 2010-07-15 05:33 -------- d-----w- c:\program files\IDT
2010-07-15 05:32 . 2010-07-15 05:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iPod
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-08 18:47 . 2010-07-08 18:47 -------- d-----w- c:\program files\iTunes
2010-07-08 18:45 . 2010-07-08 18:45 -------- d-----w- c:\program files\QuickTime
2010-07-08 18:41 . 2010-07-08 18:41 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 00:42 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-02 16:25 . 2010-02-18 22:15 -------- d-----w- c:\users\Oni Laptop\AppData\Roaming\vlc
2010-07-24 19:50 . 2010-07-01 07:06 -------- d-----w- c:\programdata\NOS
2010-07-24 15:39 . 2010-05-23 10:13 -------- d-----r- c:\program files\Skype
2010-07-22 08:35 . 2010-01-28 20:56 -------- d-----w- c:\program files\CamStudio
2010-07-16 17:33 . 2010-07-04 07:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Sysinternals Antivirus
2010-07-15 05:32 . 2010-04-23 05:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 19:02 . 2010-06-28 14:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2010-07-08 18:47 . 2010-01-24 16:40 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 18:43 . 2010-01-24 16:41 -------- d-----w- c:\program files\Bonjour
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 01:28 . 2010-01-22 20:57 59608 ----a-w- c:\users\Oni Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-11 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

R3 ALSysIO;ALSysIO;c:\users\ONILAP~1\AppData\Local\Temp\ALSysIO.sys [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\users\Oni Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\3v64owpj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-08-04 20:32:26
ComboFix-quarantined-files.txt 2010-08-05 00:32
ComboFix2.txt 2010-08-04 01:58
ComboFix3.txt 2010-08-03 02:57

Pre-Run: 224,591,212,544 bytes free
Post-Run: 224,299,753,472 bytes free

- - End Of File - - 21DD737476F51AF751BA24D6AE0A60BF

shelf life
2010-08-05, 04:02
everything seems to be running smoothly now!
Good.

Please check malwarebytes for updates, do a full scan and post its log:

Click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select the Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted, please choose Yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

After that we will remove some of the tools we used and, yes, make a new system restore point.