Trojan/virus



bluefishbeagle
2012-01-12, 04:35
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 21:20:41 on 2012-01-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.270 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\All Users\Documents\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}\Norton_Download_Manager[1].exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.prisonplanet.com/
uSearch Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}] c:\documents and settings\all users\documents\norton\{3a7fa539-8005-4603-87d2-sos1-nss-v5}\Norton_Download_Manager[1].exe /m
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Drag'n Drop CD] c:\program files\drag'n drop cd\binfiles\DragDrop.exe /StartUp
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Installer] "c:\program files\checkpoint\install\launcher.exe" "c:\program files\checkpoint\install\install.exe" /r download /c "c:\program files\checkpoint\install\Install.xml" /l /w
mRun: [AGRSMMSG] AGRSMMSG.exe
dRun: [ctfmon.exe] ctfmon.exe
dRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9ADF5A28-6FA4-49BE-A8CA-D43D53EC830C} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-4-12 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-12 486280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-11 40776]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2012-01-12 02:59:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-12 00:54:33 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-01-10 04:10:16 -------- d-----w- c:\windows\Options
2012-01-10 03:07:09 -------- d-----w- c:\program files\CheckPoint
2012-01-10 01:13:58 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-10 01:13:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-10 01:13:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 01:13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-04 01:05:44 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple
2012-01-04 01:05:11 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple Computer
2012-01-04 00:05:53 -------- d-----w- c:\program files\VideoLAN
2011-12-14 01:24:05 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2011-12-14 01:24:02 186880 ------w- c:\windows\system32\dllcache\encdec.dll
2011-12-14 01:23:29 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-12-14 01:23:26 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-14 01:23:26 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
.
==================== Find3M ====================
.
2011-12-28 23:37:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:19:40 919552 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:19:40 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:19:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-01 16:05:38 1289216 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 00:22:34 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-25 13:34:49 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:01:01 385024 ----a-w- c:\windows\system32\html.iec
2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:12:37 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85DB249F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85db9738]; MOV EAX, [0x85db98ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8694CAB8]
3 CLASSPNP[0xF74E7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000076[0x869C0F18]
5 ACPI[0xF7317620] -> nt!IofCallDriver[0x804E37D5] -> [0x8697B940]
\Driver\atapi[0x85EAB768] -> IRP_MJ_CREATE -> 0x85DB249F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85DB22C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:23:27.18 ===============

Here's the other report:

ken545
2012-01-19, 00:36

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR



Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

bluefishbeagle
2012-01-19, 16:17
Here is the scan. The infected computer started doing crazy things after the reboot. It won't let me into C:\ except for Program Files, and then it only shows ZoneAlarm. It wants to run a scan to fix a host of problems: cannot read hard drive, bad sectors, slow HD speed, high HD speed, memory overspeed, hard drive clusters are partly damaged, segment load failure, etc., to name a few. It seems to want me to buy a program to fix these problems. The computer does not show any programs, i.e. Internet Explorer. So I copied the scan file and am sending it from another laptop. Here it is:

08:44:53.0930 2624 TDSS rootkit removing tool 2.7.5.0 Jan 18 2012 09:26:24
08:44:55.0402 2624 ============================================================
08:44:55.0402 2624 Current date / time: 2012/01/19 08:44:55.0402
08:44:55.0402 2624 SystemInfo:
08:44:55.0402 2624
08:44:55.0402 2624 OS Version: 5.1.2600 ServicePack: 3.0
08:44:55.0402 2624 Product type: Workstation
08:44:55.0402 2624 ComputerName: HASSELCOMPUTER
08:44:55.0402 2624 UserName: Administrator
08:44:55.0402 2624 Windows directory: C:\WINDOWS
08:44:55.0402 2624 System windows directory: C:\WINDOWS
08:44:55.0402 2624 Processor architecture: Intel x86
08:44:55.0402 2624 Number of processors: 1
08:44:55.0402 2624 Page size: 0x1000
08:44:55.0402 2624 Boot type: Normal boot
08:44:55.0402 2624 ============================================================
08:44:59.0638 2624 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:44:59.0668 2624 Initialize success
08:45:15.0411 3536 ============================================================
08:45:15.0411 3536 Scan started
08:45:15.0411 3536 Mode: Manual;
08:45:15.0411 3536 ============================================================
08:45:16.0863 3536 Abiosdsk - ok
08:45:16.0903 3536 abp480n5 - ok
08:45:16.0963 3536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:45:16.0973 3536 ACPI - ok
08:45:17.0153 3536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:45:17.0153 3536 ACPIEC - ok
08:45:17.0364 3536 adpu160m - ok
08:45:17.0494 3536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:45:17.0504 3536 aec - ok
08:45:17.0694 3536 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
08:45:17.0704 3536 AFD - ok
08:45:18.0075 3536 AgereSoftModem (55188b7c84a4c5e73e0680f744c4561d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:45:18.0145 3536 AgereSoftModem - ok
08:45:18.0415 3536 Aha154x - ok
08:45:18.0595 3536 aic78u2 - ok
08:45:18.0685 3536 aic78xx - ok
08:45:18.0886 3536 AliIde - ok
08:45:18.0906 3536 amsint - ok
08:45:18.0996 3536 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
08:45:18.0996 3536 Arp1394 - ok
08:45:19.0176 3536 asc - ok
08:45:19.0366 3536 asc3350p - ok
08:45:19.0396 3536 asc3550 - ok
08:45:19.0487 3536 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
08:45:19.0487 3536 Aspi32 - ok
08:45:19.0647 3536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:45:19.0647 3536 AsyncMac - ok
08:45:19.0897 3536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:45:19.0897 3536 atapi - ok
08:45:20.0108 3536 Atdisk - ok
08:45:20.0448 3536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:45:20.0458 3536 Atmarpc - ok
08:45:20.0678 3536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:45:20.0678 3536 audstub - ok
08:45:20.0899 3536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:45:20.0909 3536 Beep - ok
08:45:21.0169 3536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:45:21.0179 3536 cbidf2k - ok
08:45:21.0419 3536 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:45:21.0419 3536 CCDECODE - ok
08:45:21.0580 3536 cd20xrnt - ok
08:45:21.0680 3536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:45:21.0690 3536 Cdaudio - ok
08:45:21.0860 3536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:45:21.0880 3536 Cdfs - ok
08:45:22.0080 3536 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:45:22.0090 3536 Cdrom - ok
08:45:22.0351 3536 Changer - ok
08:45:22.0441 3536 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:45:22.0441 3536 CmBatt - ok
08:45:22.0581 3536 CmdIde - ok
08:45:22.0711 3536 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:45:22.0711 3536 Compbatt - ok
08:45:22.0791 3536 Cpqarray - ok
08:45:22.0932 3536 dac2w2k - ok
08:45:22.0992 3536 dac960nt - ok
08:45:23.0122 3536 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
08:45:23.0152 3536 Disk - ok
08:45:23.0492 3536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:45:23.0532 3536 dmboot - ok
08:45:23.0733 3536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:45:23.0743 3536 dmio - ok
08:45:23.0943 3536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:45:23.0953 3536 dmload - ok
08:45:24.0173 3536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:45:24.0203 3536 DMusic - ok
08:45:24.0364 3536 dpti2o - ok
08:45:24.0434 3536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:45:24.0444 3536 drmkaud - ok
08:45:24.0674 3536 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
08:45:24.0684 3536 exFat - ok
08:45:24.0884 3536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:45:24.0884 3536 Fastfat - ok
08:45:25.0085 3536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:45:25.0095 3536 Fdc - ok
08:45:25.0445 3536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:45:25.0445 3536 Fips - ok
08:45:25.0625 3536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:45:25.0635 3536 Flpydisk - ok
08:45:25.0856 3536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:45:25.0866 3536 FltMgr - ok
08:45:26.0076 3536 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:45:26.0076 3536 Fs_Rec - ok
08:45:26.0477 3536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:45:26.0487 3536 Ftdisk - ok
08:45:26.0777 3536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:45:26.0777 3536 Gpc - ok
08:45:26.0967 3536 hpn - ok
08:45:27.0118 3536 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
08:45:27.0128 3536 HTTP - ok
08:45:27.0338 3536 i2omgmt - ok
08:45:27.0488 3536 i2omp - ok
08:45:27.0598 3536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:45:27.0598 3536 i8042prt - ok
08:45:27.0809 3536 ialm (1b49ec451363cbbf8d0549d4fd78072c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
08:45:27.0819 3536 ialm - ok
08:45:28.0039 3536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:45:28.0039 3536 Imapi - ok
08:45:28.0620 3536 ini910u - ok
08:45:28.0850 3536 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
08:45:28.0850 3536 IntelIde - ok
08:45:29.0040 3536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:45:29.0050 3536 intelppm - ok
08:45:29.0471 3536 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:45:29.0481 3536 Ip6Fw - ok
08:45:29.0691 3536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:45:29.0691 3536 IpFilterDriver - ok
08:45:29.0922 3536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:45:29.0922 3536 IpInIp - ok
08:45:30.0162 3536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:45:30.0162 3536 IpNat - ok
08:45:30.0763 3536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:45:30.0763 3536 IPSec - ok
08:45:30.0983 3536 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
08:45:30.0993 3536 irda - ok
08:45:31.0213 3536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:45:31.0223 3536 IRENUM - ok
08:45:31.0494 3536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:45:31.0504 3536 isapnp - ok
08:45:31.0794 3536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:45:31.0794 3536 Kbdclass - ok
08:45:31.0995 3536 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys
08:45:32.0005 3536 kl1 - ok
08:45:32.0335 3536 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys
08:45:32.0345 3536 KLIF - ok
08:45:32.0535 3536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:45:32.0545 3536 kmixer - ok
08:45:32.0806 3536 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
08:45:32.0816 3536 KSecDD - ok
08:45:32.0996 3536 lbrtfdc - ok
08:45:33.0216 3536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:45:33.0226 3536 mnmdd - ok
08:45:33.0607 3536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:45:33.0607 3536 Modem - ok
08:45:33.0877 3536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:45:33.0887 3536 Mouclass - ok
08:45:34.0118 3536 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
08:45:34.0118 3536 MountMgr - ok
08:45:34.0378 3536 mraid35x - ok
08:45:34.0488 3536 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
08:45:34.0488 3536 MREMP50 - ok
08:45:34.0528 3536 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
08:45:34.0528 3536 MRESP50 - ok
08:45:34.0769 3536 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:45:34.0769 3536 MRxDAV - ok
08:45:34.0999 3536 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:45:35.0019 3536 MRxSmb - ok
08:45:35.0219 3536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:45:35.0229 3536 Msfs - ok
08:45:35.0420 3536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:45:35.0420 3536 MSKSSRV - ok
08:45:35.0530 3536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:45:35.0530 3536 MSPCLOCK - ok
08:45:35.0660 3536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:45:35.0660 3536 MSPQM - ok
08:45:35.0820 3536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:45:35.0820 3536 mssmbios - ok
08:45:36.0040 3536 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:45:36.0040 3536 MSTEE - ok
08:45:36.0321 3536 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
08:45:36.0321 3536 Mup - ok
08:45:36.0531 3536 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:45:36.0531 3536 NABTSFEC - ok
08:45:36.0852 3536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:45:36.0862 3536 NDIS - ok
08:45:37.0062 3536 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:45:37.0062 3536 NdisIP - ok
08:45:37.0412 3536 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:45:37.0412 3536 NdisTapi - ok
08:45:37.0753 3536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:45:37.0753 3536 Ndisuio - ok
08:45:37.0983 3536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:45:37.0993 3536 NdisWan - ok
08:45:38.0224 3536 NDProxy (816460bd4b4acd27937d1d0813e2e9e9) C:\WINDOWS\system32\drivers\NDProxy.sys
08:45:38.0244 3536 NDProxy - ok
08:45:38.0584 3536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:45:38.0584 3536 NetBIOS - ok
08:45:38.0844 3536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:45:38.0854 3536 NetBT - ok
08:45:39.0105 3536 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
08:45:39.0115 3536 NIC1394 - ok
08:45:39.0335 3536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:45:39.0345 3536 Npfs - ok
08:45:39.0606 3536 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
08:45:39.0626 3536 Ntfs - ok
08:45:39.0816 3536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:45:39.0836 3536 Null - ok
08:45:40.0046 3536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:45:40.0056 3536 NwlnkFlt - ok
08:45:40.0317 3536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:45:40.0337 3536 NwlnkFwd - ok
08:45:40.0577 3536 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
08:45:40.0577 3536 ohci1394 - ok
08:45:40.0857 3536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:45:40.0877 3536 Parport - ok
08:45:41.0098 3536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:45:41.0108 3536 PartMgr - ok
08:45:41.0418 3536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:45:41.0418 3536 ParVdm - ok
08:45:41.0648 3536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:45:41.0658 3536 PCI - ok
08:45:41.0909 3536 PCIDump - ok
08:45:42.0059 3536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:45:42.0059 3536 PCIIde - ok
08:45:42.0189 3536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
08:45:42.0199 3536 Pcmcia - ok
08:45:42.0430 3536 PDCOMP - ok
08:45:42.0510 3536 PDFRAME - ok
08:45:42.0650 3536 PDRELI - ok
08:45:42.0810 3536 PDRFRAME - ok
08:45:42.0840 3536 perc2 - ok
08:45:42.0860 3536 perc2hib - ok
08:45:43.0161 3536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:45:43.0161 3536 PptpMiniport - ok
08:45:43.0471 3536 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
08:45:43.0481 3536 PSched - ok
08:45:43.0611 3536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:45:43.0621 3536 Ptilink - ok
08:45:43.0731 3536 PxHelp20 (42d4c34300405d9f377e55f5ddadd720) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
08:45:43.0741 3536 PxHelp20 - ok
08:45:43.0912 3536 ql1080 - ok
08:45:43.0962 3536 Ql10wnt - ok
08:45:43.0992 3536 ql12160 - ok
08:45:44.0022 3536 ql1240 - ok
08:45:44.0052 3536 ql1280 - ok
08:45:44.0102 3536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:45:44.0102 3536 RasAcd - ok
08:45:44.0523 3536 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
08:45:44.0533 3536 Rasirda - ok
08:45:44.0713 3536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:45:44.0723 3536 Rasl2tp - ok
08:45:44.0943 3536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:45:44.0973 3536 RasPppoe - ok
08:45:45.0194 3536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:45:45.0204 3536 Raspti - ok
08:45:45.0624 3536 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:45:45.0634 3536 Rdbss - ok
08:45:45.0824 3536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:45:45.0824 3536 RDPCDD - ok
08:45:45.0965 3536 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:45:45.0985 3536 rdpdr - ok
08:45:46.0105 3536 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
08:45:46.0115 3536 RDPWD - ok
08:45:46.0405 3536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:45:46.0415 3536 redbook - ok
08:45:46.0666 3536 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
08:45:46.0676 3536 RTL8023xp - ok
08:45:46.0936 3536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:45:46.0936 3536 Secdrv - ok
08:45:47.0186 3536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
08:45:47.0186 3536 serenum - ok
08:45:47.0487 3536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
08:45:47.0487 3536 Serial - ok
08:45:47.0707 3536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:45:47.0707 3536 Sfloppy - ok
08:45:47.0948 3536 Si3112 (f459dd5ee69d4b68cb6767c9731b5faf) C:\WINDOWS\system32\drivers\Si3112.sys
08:45:47.0958 3536 Si3112 - ok
08:45:48.0148 3536 Simbad - ok
08:45:48.0418 3536 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:45:48.0418 3536 SLIP - ok
08:45:48.0709 3536 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
08:45:48.0719 3536 SMCIRDA - ok
08:45:48.0889 3536 Sparrow - ok
08:45:49.0119 3536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:45:49.0119 3536 splitter - ok
08:45:49.0560 3536 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
08:45:49.0560 3536 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
08:45:49.0570 3536 sptd ( LockedFile.Multi.Generic ) - warning
08:45:49.0570 3536 sptd - detected LockedFile.Multi.Generic (1)
08:45:49.0810 3536 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:45:49.0820 3536 Sr - ok
08:45:50.0101 3536 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
08:45:50.0121 3536 Srv - ok
08:45:50.0401 3536 STAC97 (94958b68384bb931f571cd35bb65028d) C:\WINDOWS\system32\drivers\STAC97.sys
08:45:50.0411 3536 STAC97 - ok
08:45:50.0641 3536 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:45:50.0651 3536 streamip - ok
08:45:50.0862 3536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:45:50.0872 3536 swenum - ok
08:45:51.0142 3536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:45:51.0142 3536 swmidi - ok
08:45:51.0453 3536 symc810 - ok
08:45:51.0543 3536 symc8xx - ok
08:45:51.0653 3536 sym_hi - ok
08:45:51.0863 3536 sym_u3 - ok
08:45:52.0003 3536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:45:52.0003 3536 sysaudio - ok
08:45:52.0364 3536 Tcpip (474d3dccb57defcd917311eec47204b9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:45:52.0384 3536 Tcpip - ok
08:45:52.0564 3536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:45:52.0564 3536 TDPIPE - ok
08:45:52.0744 3536 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
08:45:52.0744 3536 TDTCP - ok
08:45:52.0995 3536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:45:53.0005 3536 TermDD - ok
08:45:53.0205 3536 TosIde - ok
08:45:53.0546 3536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:45:53.0566 3536 Udfs - ok
08:45:53.0716 3536 ultra - ok
08:45:53.0816 3536 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
08:45:53.0816 3536 UnlockerDriver5 - ok
08:45:54.0046 3536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:45:54.0066 3536 Update - ok
08:45:54.0487 3536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:45:54.0487 3536 usbccgp - ok
08:45:54.0717 3536 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:45:54.0717 3536 usbehci - ok
08:45:54.0948 3536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:45:54.0958 3536 usbhub - ok
08:45:55.0168 3536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:45:55.0168 3536 usbscan - ok
08:45:55.0558 3536 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:45:55.0558 3536 USBSTOR - ok
08:45:55.0799 3536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:45:55.0809 3536 usbuhci - ok
08:45:56.0039 3536 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
08:45:56.0039 3536 usbvideo - ok
08:45:56.0450 3536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:45:56.0460 3536 VgaSave - ok
08:45:56.0630 3536 ViaIde - ok
08:45:56.0960 3536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:45:56.0971 3536 VolSnap - ok
08:45:57.0141 3536 vsdatant (1045d05bbd5170565927d7653346c961) C:\WINDOWS\system32\vsdatant.sys
08:45:57.0161 3536 vsdatant - ok
08:45:57.0712 3536 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys
08:45:57.0732 3536 w70n51 - ok
08:45:57.0952 3536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:45:57.0962 3536 Wanarp - ok
08:45:58.0132 3536 WDICA - ok
08:45:58.0312 3536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:45:58.0312 3536 wdmaud - ok
08:45:58.0593 3536 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:45:58.0593 3536 WSTCODEC - ok
08:45:58.0793 3536 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:45:58.0803 3536 WudfPf - ok
08:45:59.0023 3536 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:45:59.0033 3536 WudfRd - ok
08:45:59.0364 3536 {6080A529-897E-4629-A488-ABA0C29B635E} (a7ab6e6fcb5d9276160d9998593638e3) C:\WINDOWS\system32\drivers\ialmsbw.sys
08:45:59.0384 3536 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
08:45:59.0614 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d9c1c60a4e414052e30dbb2800f0893a) C:\WINDOWS\system32\drivers\ialmkchw.sys
08:45:59.0634 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
08:45:59.0664 3536 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
08:45:59.0684 3536 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:45:59.0684 3536 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:45:59.0704 3536 Boot (0x1200) (ca4c82ff5ce81bf5e3b095fdd0b5f4fa) \Device\Harddisk0\DR0\Partition0
08:45:59.0704 3536 \Device\Harddisk0\DR0\Partition0 - ok
08:45:59.0714 3536 ============================================================
08:45:59.0714 3536 Scan finished
08:45:59.0714 3536 ============================================================
08:45:59.0744 3532 Detected object count: 2
08:45:59.0744 3532 Actual detected object count: 2
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - skipped by user
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
08:48:01.0680 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:48:01.0690 3532 \Device\Harddisk0\DR0 - ok
08:48:01.0690 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
08:48:12.0325 2528 Deinitialize success

ken545
2012-01-19, 18:20
Looks like your hard disk is infected, possibly the Master Boot Record. What you have is fairly new and appears to cause some damage upon its removal.

See if you can run this program, you can download it via a known clean computer and transfer by disk to the infected one.

Just want to point out also that this is a very serious infection. Even when it's cleaned it could leave your computer compromised; what that means is it can never be trusted to do any online transactions. I would strongly suggest that you reformat this drive and reinstall Windows.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
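The TDSSKiller log earlier in this thread reports the MBR as `MBR (0x1B8) (<md5>)` and then flags `\Device\Harddisk0\DR0` as Rootkit.Boot.Pihar.b, which is what the reply above is reacting to. The following is an added example (not TDSSKiller's, ComboFix's or the helper's own code) showing what such a check boils down to: read sector 0, hash the bootstrap code, parse the partition table and compare against a known-good baseline. It reads the `0x1B8` in the log as the number of bytes hashed (the boot code before the 4-byte disk signature at offset 0x1B8); that interpretation is an assumption. Both MBR images below are constructed, and the "infected" one imitates a bootkit that swaps in its own boot code but leaves the partition table alone, so the machine still boots normally.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good hash.

Added example; not code from the thread or from any tool named in it. The
sample sectors are constructed in build_sample_mbr().
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8      # bootstrap code occupies bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8       # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 0x1FE       # must hold 0x55 0xAA


def parse_mbr(sector):
    """Return the fields a responder cares about from one raw MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def check_mbr(sector, baseline_boot_md5):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature is not 55AA")
    if info["boot_code_md5"] != baseline_boot_md5:
        findings.append("boot code hash %s differs from baseline %s"
                        % (info["boot_code_md5"], baseline_boot_md5))
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr(boot_code):
    """Constructed MBR: the given boot code, one active NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xA1B2C3D4)
    # status 0x80 (active), type 0x07 (NTFS), LBA start 63, ~37 GiB of sectors
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 78140097)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed "clean" boot code: a few plausible opcodes followed by NOP padding.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
# Constructed "bootkit" variant: same partition table, entry point replaced by a jump.
INFECTED_BOOT_CODE = b"\xEB\x1E\x90\x90" + CLEAN_BOOT_CODE[4:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_md5"]

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, parse_mbr(mbr)["boot_code_md5"], check_mbr(mbr, CLEAN_BASELINE))
```

On a live XP box the sector would come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as Administrator, but note the caveat the later catchme output in this thread illustrates (`\Driver\atapi DriverStartIo -> ...`): a bootkit that hooks the disk driver can hand a user-mode reader the original sector while the real one on disk is modified, which is why the rootkit tools compare a user-mode read with a kernel-level read. A matching user-mode hash is therefore not proof of a clean MBR.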

bluefishbeagle
2012-01-19, 19:46
Did as instructed, back on the infected machine now. Boot was normal, can access files on HD. Here's the ComboFix txt log:

ComboFix 12-01-19.01 - Administrator 01/19/2012 12:11:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.640 [GMT -6:00]
Running from: E:\ComboFix.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Desktop\System Check.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiT
C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiTr
C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT
C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT.exe
C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
C:\Program Files\Toolbar


((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d--h--w- C:\Program Files\ERUNT
2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Norton
2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d--h--w- C:\WINDOWS\Options
2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d--h--w- C:\Program Files\CheckPoint
2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ---ha-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-01-10 01:13:20 . 2012-01-10 01:13:46 -------- d--h--w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d--h--w- C:\WINDOWS\Sun
2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d--h--w- C:\Program Files\Common Files\Apple
2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d--h--w- C:\Program Files\Apple Software Update
2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple
2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\vlc
2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d--h--w- C:\Program Files\VideoLAN
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ---ha-w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ---ha-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ---ha-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ---ha-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ---ha-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ---ha-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ---ha-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ---ha-w- C:\WINDOWS\system32\html.iec
2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ---ha-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ---ha-w- C:\WINDOWS\system32\QuickTime.qts
2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys



C:\WINDOWS\System32\spoolsv.exe ... is missing !!
C:\WINDOWS\System32\wscntfy.exe ... is missing !!

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
"IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 17:55:28 937920]
"Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Contents of the 'Scheduled Tasks' folder

2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


------- Supplementary Scan -------

uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ZoneAlarm Installer - C:\Program Files\CheckPoint\Install\Launcher.exe
HKLM-Run-QimMTimICgL.exe - C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
HKU-Default-Run-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
AddRemove-File Download ActiveX - C:\WINDOWS\system32\uninst.exe
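The ComboFix log above carries the items the helper goes on to act on: two protected system files reported as `... is missing !!`, an autorun pointing at a randomly named executable under All Users\Application Data, Security Center overrides, a disabled Windows Firewall, an `R0` driver whose path did not resolve, and the orphans ComboFix removed. The following is an added example (not ComboFix's own code) that pulls those review items out of the report format automatically. `SAMPLE_LOG` is a short constructed excerpt that mirrors lines from the log above; on a real case the whole `C:\ComboFix.txt` would be passed in.

```python
"""Triage a ComboFix log for the items a helper would look at first.

Added example, not ComboFix's own code. SAMPLE_LOG is a constructed excerpt
mirroring lines from the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
C:\WINDOWS\System32\spoolsv.exe ... is missing !!
C:\WINDOWS\System32\wscntfy.exe ... is missing !!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
"QimMTimICgL.exe"="c:\documents and settings\All Users\Application Data\QimMTimICgL.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-QimMTimICgL.exe - C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
"""

RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')   # "Name"="C:\path\file.exe" ...
MISSING_SUFFIX = " ... is missing !!"
ORPHAN_PREFIXES = ("HKLM-Run-", "HKCU-Run-", "HKU-Default-Run-")


def triage_combofix_log(text):
    """Return [(severity, message), ...] in log order."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # current REGEDIT4-style key
            continue
        if line.endswith(MISSING_SUFFIX):
            findings.append(("high", "missing system file: " + line[:-len(MISSING_SUFFIX)]))
            continue
        run = RUN_VALUE.match(line)
        if run and section and section.endswith("\\run"):
            name, target = run.group(1), run.group(2)
            lowered = target.lower()
            # Legitimate software rarely autostarts straight out of a data folder.
            if "application data" in lowered or "\\temp\\" in lowered:
                findings.append(("high", "autorun '%s' executes from a user-data path: %s"
                                 % (name, target)))
            continue
        if section and "security center" in section and line.endswith("dword:00000001"):
            findings.append(("medium", "Security Center override set: "
                             + line.split("=", 1)[0].strip('"')))
            continue
        if section and "firewallpolicy" in section and line.startswith('"EnableFirewall"= 0'):
            findings.append(("medium", "Windows Firewall disabled for profile: "
                             + section.rsplit("\\", 1)[-1]))
            continue
        if line.startswith("R0 ") and line.endswith("[?]"):
            findings.append(("low", "boot-start driver whose image path did not resolve: "
                             + line[3:].split(";", 1)[0]))
            continue
        if line.startswith(ORPHAN_PREFIXES):
            findings.append(("info", "orphaned autorun entry removed: " + line))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in triage_combofix_log(SAMPLE_LOG):
        print("%-6s %s" % (severity, message))
    print(count_by_severity(triage_combofix_log(SAMPLE_LOG)))
```

These are review items, not verdicts. The Security Center overrides and the disabled Windows Firewall are what a third-party firewall such as the ZoneAlarm installed on this machine normally sets when it registers itself, and `sptd.sys` is the SCSI pass-through driver shipped with disc-emulation software, which is also why TDSSKiller could only report it as a locked file. The autorun out of All Users\Application Data and the two missing system files are the lines that actually need an answer.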

ken545
2012-01-19, 19:51
Great,

We have some things to fix and I need to go over your CF log really closely; in the meantime do this please.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
spoolsv.exe
wscntfy.exe


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt




Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

bluefishbeagle
2012-01-19, 20:08
Cannot run SystemLook. I'm getting an error: a box pops up saying "SystemLook error, script required".

bluefishbeagle
2012-01-19, 21:05
Here is Malware scan log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.19.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HASSELCOMPUTER [administrator]

1/19/2012 1:16:59 PM
mbam-log-2012-01-19 (13-16-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 163739
Time elapsed: 10 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ken545
2012-01-19, 22:12
Are you entering this script ?

:filefind
spoolsv.exe
wscntfy.exe


If it still doesn't work, then drag it to the trash and redownload it from the second location.

bluefishbeagle
2012-01-19, 22:56
No, sorry, I wasn't entering the script. :oops:

Had to reboot, got the "blue" screen. Tried again; Windows loaded, however the virus is back and I began losing control as before.

Should I run comboFix again?

ken545
2012-01-19, 23:23
Go ahead and run ComboFix again, but I am leaning towards your Master Boot Record being infected. Let's see if CF will calm things down; run it this time with this script. I may be getting ahead of myself here, but since your system is in such bad shape we need to forge ahead.


Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::




FCopy::
C:\WINDOWS\system32\dllcache\spoolsv.exe | C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\dllcache\wscntfy.exe | C:\WINDOWS\System32\wscntfy.exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
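The two instructions above, the `:filefind` lookup for `spoolsv.exe` and `wscntfy.exe` and the `FCopy::` directive that copies them back out of `dllcache`, are one procedure: confirm the protected file is really gone from System32, then restore it from the Windows File Protection cache. The following is an added example (not SystemLook's or ComboFix's own code) that does the same by hand and also reports the case the Sigcheck section above shows for `tcpip.sys`, where System32 and dllcache both have the file but the copies differ. The directory layout and file contents are constructed in a temporary folder; on a real XP installation the roots would be `C:\WINDOWS\system32` and its `dllcache` subfolder.

```python
"""Audit protected system files against their dllcache copies and restore missing ones.

Added example, not SystemLook's or ComboFix's own code. The layout built by
build_sample_layout() is constructed; real roots would be C:\\WINDOWS\\system32
and C:\\WINDOWS\\system32\\dllcache.
"""
import hashlib
import os
import shutil
import tempfile

# The two files ComboFix reported missing, the one it flagged in Sigcheck, and one
# constructed name that exists in neither location.
WANTED = ["spoolsv.exe", "wscntfy.exe", "tcpip.sys", "userinit.exe"]


def md5_of(path):
    """MD5 of a file, read in chunks so a large driver is not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system_files(system32, dllcache, names):
    """Return {name: status} with status one of
    'ok'            both copies present and byte-identical
    'mismatch'      both present but different (hotfixed file or tampering; review it)
    'missing'       absent from System32, dllcache copy available to restore
    'no-backup'     present in System32 only, nothing to compare against
    'unrecoverable' absent from both; needs install media or a known-clean source
    """
    result = {}
    for name in names:
        live = os.path.join(system32, name)
        backup = os.path.join(dllcache, name)
        have_live, have_backup = os.path.isfile(live), os.path.isfile(backup)
        if have_live and have_backup:
            result[name] = "ok" if md5_of(live) == md5_of(backup) else "mismatch"
        elif have_backup:
            result[name] = "missing"
        elif have_live:
            result[name] = "no-backup"
        else:
            result[name] = "unrecoverable"
    return result


def restore_missing(system32, dllcache, audit):
    """Copy every 'missing' file from dllcache into System32 (what FCopy:: does).
    Returns the names restored, in audit order."""
    restored = []
    for name, status in audit.items():
        if status == "missing":
            shutil.copy2(os.path.join(dllcache, name), os.path.join(system32, name))
            restored.append(name)
    return restored


def build_sample_layout():
    """Constructed stand-in for System32 and its dllcache subfolder."""
    root = tempfile.mkdtemp(prefix="xp-sysaudit-")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    # dllcache holds the protected copies; System32 has lost spoolsv/wscntfy and
    # carries a different (hotfixed) tcpip.sys, as the Sigcheck lines above show.
    for name in ("spoolsv.exe", "wscntfy.exe", "tcpip.sys"):
        with open(os.path.join(dllcache, name), "wb") as fh:
            fh.write(b"MZ dllcache copy of " + name.encode())
    with open(os.path.join(system32, "tcpip.sys"), "wb") as fh:
        fh.write(b"MZ hotfixed tcpip.sys")
    return root, system32, dllcache


def cleanup(root):
    """Remove the constructed layout."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, system32, dllcache = build_sample_layout()
    try:
        before = audit_system_files(system32, dllcache, WANTED)
        restored = restore_missing(system32, dllcache, before)
        after = audit_system_files(system32, dllcache, WANTED)
        for name in WANTED:
            print("%-12s %-13s -> %s" % (name, before[name], after[name]))
        print("restored:", restored)
    finally:
        cleanup(root)
```

A copy pulled out of dllcache is only as trustworthy as dllcache itself; malware that deleted the System32 copy could have replaced the cached one as well, so the restored file's hash should be checked against a copy from install media or another clean XP SP3 machine. A `mismatch` on its own is not evidence of tampering either: the Sigcheck lines above show `tcpip.sys` at 5.1.2600.6009 in System32 against 5.1.2600.5625 in dllcache, which is what a hotfix leaves behind.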

bluefishbeagle
2012-01-19, 23:28
Ran ComboFix again, regained control, typing this from the infected computer.

Here's the SystemLook file:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:19 on 19/01/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "spoolsv.exe "
No files found.

Searching for "wscntfy.exe"
No files found.

-= EOF =-


Here's a new ComboFix log:

ComboFix 12-01-19.01 - Administrator 01/19/2012 15:53:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Desktop\System Check.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Check
c:\documents and settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDA
c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDAr
c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA
c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA.exe
c:\documents and settings\All Users\Application Data\QimMTimICgL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\wbem\snmp
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\xircom
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\srchasst
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\program files\microsoft frontpage
2012-01-12 03:19 . 2012-01-12 03:19 -------- d--h--w- c:\program files\ERUNT
2012-01-12 00:54 . 2012-01-19 14:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Norton
2012-01-10 04:10 . 2012-01-10 04:10 -------- d--h--w- c:\windows\Options
2012-01-10 03:07 . 2012-01-12 00:41 -------- d--h--w- c:\program files\CheckPoint
2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13 . 2011-12-10 21:24 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 01:13 . 2012-01-19 19:14 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 18:17 . 2012-01-07 18:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-07 03:00 . 2012-01-10 02:27 -------- d--h--w- c:\windows\Sun
2012-01-04 01:11 . 2012-01-04 16:52 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\program files\Common Files\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\program files\Apple Software Update
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14 . 2012-01-04 00:14 -------- d--h--w- c:\documents and settings\Administrator\Application Data\vlc
2012-01-04 00:05 . 2012-01-04 00:22 -------- d--h--w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 23:37 . 2011-06-02 15:24 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29 . 2010-12-31 12:14 1868544 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:19 . 2011-04-10 17:19 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:19 . 2010-12-20 22:58 919552 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:19 . 2010-12-20 22:58 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-11-01 16:05 . 2010-07-16 11:04 1289216 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-12-09 13:29 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-26 00:22 . 2010-12-10 01:39 2069376 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-25 13:34 . 2010-12-09 12:43 2192768 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:01 . 2010-12-20 11:29 385024 ---ha-w- c:\windows\system32\html.iec
2011-10-24 20:29 . 2011-10-24 20:29 94208 ---ha-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29 . 2011-10-24 20:29 69632 ---ha-w- c:\windows\system32\QuickTime.qts
2011-11-24 02:12 . 2011-04-12 22:46 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-09 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-05-29 114688]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 1037192]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Drag'n Drop CD"="c:\program files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 802816]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2567272]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ZoneAlarm Installer"="c:\program files\CheckPoint\Install\Launcher.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
"QimMTimICgL.exe"="c:\documents and settings\All Users\Application Data\QimMTimICgL.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
.
Supplementary scan did not complete!
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 16:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8653E2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-19 16:15:42
ComboFix-quarantined-files.txt 2012-01-19 22:15
.
Pre-Run: 31,502,401,536 bytes free
Post-Run: 31,717,122,048 bytes free
.
- - End Of File - - 3B44C7210C318E00AB7566C65A499000

bluefishbeagle
2012-01-19, 23:34
Had to run ComboFix per the first method to get control again. Now I'm going to re-run it per the CFScript.

bluefishbeagle
2012-01-19, 23:57
Here is the new ComboFix running the CFScript as you requested:

ComboFix 12-01-19.01 - Administrator 01/19/2012 16:39:15.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.510 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


2012-01-19 18:39:47 . 2012-01-19 18:39:47 -------- d-----w- C:\WINDOWS\system32\wbem\snmp
2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\system32\xircom
2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\srchasst
2012-01-19 18:39:41 . 2012-01-19 18:39:41 -------- d-----w- C:\Program Files\microsoft frontpage
2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d-----w- C:\Program Files\ERUNT
2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d-----w- C:\WINDOWS\Options
2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d-----w- C:\Program Files\CheckPoint
2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-01-10 01:13:20 . 2012-01-19 19:14:22 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d-----w- C:\WINDOWS\Sun
2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d-----w- C:\Program Files\Common Files\Apple
2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d-----w- C:\Program Files\Apple Software Update
2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\vlc
2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d-----w- C:\Program Files\VideoLAN
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ----a-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts
2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
"IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
"ZoneAlarm Installer"="C:\Program Files\CheckPoint\Install\Launcher.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]
"QimMTimICgL.exe"="C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Contents of the 'Scheduled Tasks' folder

2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


------- Supplementary Scan -------

uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 16:51:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8653E2C6
user & kernel MBR OK

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
C:\WINDOWS\system32\WININET.dll

- - - - - - - > 'lsass.exe'(624)
C:\WINDOWS\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1008)
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll

Completion time: 2012-01-19 16:56:03
ComboFix-quarantined-files.txt 2012-01-19 22:55:55
ComboFix2.txt 2012-01-19 22:15:47

Pre-Run: 31,727,501,312 bytes free
Post-Run: 31,728,074,752 bytes free

- - End Of File - - 808F38E2297609360DB5C8FB44571F01

ken545
2012-01-20, 00:22
Let's check your Master Boot Record.

Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it.
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

bluefishbeagle
2012-01-20, 00:41
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0x867CB000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF7357000 sptd.sys
0xF7987000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF733F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7311000 ACPI.sys
0xF7300000 pci.sys
0xF7487000 ohci1394.sys
0xF7497000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF74A7000 isapnp.sys
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF72E2000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF72C3000 ftdisk.sys
0xF798B000 dmload.sys
0xF729D000 dmio.sys
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF7285000 atapi.sys
0xF726F000 Si3112.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF724F000 fltMgr.sys
0xF723D000 sr.sys
0xF78A7000 PxHelp20.sys
0xF7226000 KSecDD.sys
0xF7199000 Ntfs.sys
0xF716C000 NDIS.sys
0xF7152000 Mup.sys
0xF6C32000 kl1.sys
0xF7717000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF7677000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF64A2000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF648E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF646A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF644A000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF63A5000 \SystemRoot\system32\DRIVERS\w70n51.sys
0xF7687000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7697000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7943000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\smcirda.sys
0xF7947000 \SystemRoot\system32\DRIVERS\irenum.sys
0xF6391000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF636E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF633C000 \SystemRoot\system32\drivers\STAC97.sys
0xF6318000 \SystemRoot\system32\drivers\portcls.sys
0xF76F7000 \SystemRoot\system32\drivers\drmk.sys
0xF61FD000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF77D7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF795B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7AB8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF7507000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF795F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7517000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7527000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF61D4000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7537000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6104000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7547000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A15000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF607E000 \SystemRoot\system32\DRIVERS\update.sys
0xF7973000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7567000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEDFC2000 \SystemRoot\system32\drivers\ialmkchw.sys
0xEDFA5000 \SystemRoot\system32\drivers\ialmsbw.sys
0xF7587000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A1F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEDEDA000 \SystemRoot\system32\DRIVERS\klif.sys
0xF64C0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7AEE000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A21000 \SystemRoot\System32\Drivers\Beep.SYS
0xF780F000 \SystemRoot\System32\drivers\vga.sys
0xF7A23000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7817000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF64BC000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDE7F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDE26000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEDDFE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDD6E000 \SystemRoot\System32\vsdatant.sys
0xF793F000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEDD48000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEDD26000 \SystemRoot\System32\drivers\afd.sys
0xF75A7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEDCFB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDC8B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF75B7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7607000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEDC4B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A29000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF605A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF782F000 \SystemRoot\System32\watchdog.sys
0xBE000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B74000 \SystemRoot\System32\drivers\dxgthk.sys
0xBE020000 \SystemRoot\System32\ialmdnt5.dll
0xBE012000 \SystemRoot\System32\ialmrnt5.dll
0xBE042000 \SystemRoot\System32\ialmdev5.DLL
0xBE072000 \SystemRoot\System32\ialmdd5.DLL
0xF7617000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7627000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEC679000 \SystemRoot\system32\DRIVERS\irda.sys
0xEC85F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEC394000 \SystemRoot\system32\drivers\wdmaud.sys
0xEC707000 \SystemRoot\system32\drivers\sysaudio.sys
0xEC24A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79F7000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEC405000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xEC1A2000 \SystemRoot\system32\DRIVERS\srv.sys
0xEBB21000 \SystemRoot\System32\Drivers\HTTP.sys
0xEB827000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF79D1000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF7867000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
0xEB39C000
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 21):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\smss.exe
532 csrss.exe
564 C:\WINDOWS\system32\winlogon.exe
612 C:\WINDOWS\system32\services.exe
624 C:\WINDOWS\system32\lsass.exe
784 C:\WINDOWS\system32\svchost.exe
1252 svchost.exe
1296 C:\WINDOWS\system32\svchost.exe
1504 svchost.exe
1672 svchost.exe
1552 svchost.exe
1532 C:\Program Files\Common Files\Motive\McciCMService.exe
272 C:\WINDOWS\system32\svchost.exe
1080 C:\WINDOWS\system32\hkcmd.exe
676 C:\WINDOWS\AGRSMMSG.exe
1860 alg.exe
2836 C:\WINDOWS\system32\svchost.exe
1008 C:\WINDOWS\explorer.exe
2124 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23EA-40, Rev: 00K3A0A6

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
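
An added example, not a tool from this thread and not code from Gmer, AVAST or the MBRCheck author: a small Python parser for a 512-byte MBR sector such as the MBR.dat that aswMBR saves to the desktop. It shows what the "Partition 1 80 (A) 07 HPFS/NTFS 38146 MB offset 63" line and the MBRCheck SHA1 are derived from: the 0x55AA boot signature, the four 16-byte partition entries, and a hash of the bootstrap code that can be compared against a dump taken from a known-clean machine. The sample sector, its disk signature and the reference hash are constructed for the example; the page does not state which byte range MBRCheck hashes, so hashing the first 440 bytes is an assumption, and the partition-type table is limited to IDs a support thread usually meets.

```python
"""Parse and sanity-check a 512-byte MBR sector dump (e.g. aswMBR's MBR.dat).
Added example; the sample sector below is constructed, not real boot code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code precedes the 4-byte disk signature (assumption)
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

# Partition type IDs commonly seen in support logs (assumption: not exhaustive)
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, SHA-1 of the boot code and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "disk_signature": sector[440:444].hex(),
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches(sector: bytes, known_sha1: str) -> bool:
    """Compare the boot-code hash with a reference taken from a known-clean dump.
    A mismatch on an otherwise valid MBR is the cue to look closer, as the
    MBR tools in the thread do; a match alone does not prove the disk clean."""
    return parse_mbr(sector)["boot_code_sha1"].lower() == known_sha1.lower()


def load_sector(path: str) -> bytes:
    """Read the first 512 bytes of a dump file such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes = b"CONSTRUCTED SAMPLE BOOT CODE") -> bytes:
    """Constructed sector: one bootable NTFS partition at LBA 63, 38146 MB,
    mirroring the layout reported in the aswMBR log. Not real boot code."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    body += b"\xde\xad\xbe\xef" + b"\x00\x00"          # constructed disk signature + reserved
    body += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 78123008)                    # 78123008 sectors * 512 = 38146 MB
    body += b"\x00" * (3 * PART_ENTRY_LEN)               # three empty slots
    body += BOOT_SIGNATURE
    return body


def describe(sector: bytes) -> str:
    """Summary in the style of the aswMBR log lines."""
    info = parse_mbr(sector)
    lines = [f"signature {'OK' if info['signature_ok'] else 'MISSING'}",
             f"boot code SHA1 {info['boot_code_sha1']}"]
    for p in info["partitions"]:
        flag = "80 (A)" if p["bootable"] else "00"
        lines.append(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
                     f"{p['size_mb']} MB offset {p['lba_start']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(build_sample_mbr()))
```

To use it on a real dump, call `describe(load_sector("MBR.dat"))` and keep the `boot_code_sha1` of a sector dumped from a clean install of the same Windows version as the reference for `boot_code_matches`; the partition table should agree with what the disk tools report, and an unexpected boot-code hash or a sector whose partition table disagrees with the one the OS sees is worth a second look.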

ken545
2012-01-20, 01:16
See if this program will run and post the log please.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png

bluefishbeagle
2012-01-20, 01:33
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 18:30:56
-----------------------------
18:30:56.230 OS Version: Windows 5.1.2600 Service Pack 3
18:30:56.230 Number of processors: 1 586 0x905
18:30:56.230 ComputerName: HASSELCOMPUTER UserName: Administrator
18:30:57.041 Initialize success
18:31:20.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:31:20.635 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
18:31:20.635 Device \Driver\atapi -> DriverStartIo 8653e2c6
18:31:20.655 Disk 0 MBR read successfully
18:31:20.655 Disk 0 MBR scan
18:31:20.655 Disk 0 TDL4@MBR code has been found
18:31:20.655 Disk 0 Windows XP default MBR code found via API
18:31:20.665 Disk 0 MBR hidden
18:31:20.665 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
18:31:20.665 Disk 0 trace - called modules:
18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
18:31:20.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
18:31:20.675 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
18:31:20.995 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
18:31:20.995 Scan finished successfully
18:31:39.121 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:31:39.131 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

ken545
2012-01-20, 01:39
What I need you to do is to zip this file and attach it in your next reply; I am going to have one of the MBR experts check it. It was dumped on your desktop when you ran aswMBR.

Desktop\MBR.dat <--This file

Then do this:

Re-run aswMBR

Click Scan

On completion of the scan

Click Fix

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post it in your next reply.

bluefishbeagle
2012-01-20, 05:48
Hard to move locations and then reboot. Ran ComboFix again. Have regained control of the computer; I shouldn't have to move again. Here's the zip file.

bluefishbeagle
2012-01-20, 05:51
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 18:30:56
-----------------------------
18:30:56.230 OS Version: Windows 5.1.2600 Service Pack 3
18:30:56.230 Number of processors: 1 586 0x905
18:30:56.230 ComputerName: HASSELCOMPUTER UserName: Administrator
18:30:57.041 Initialize success
18:31:20.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:31:20.635 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
18:31:20.635 Device \Driver\atapi -> DriverStartIo 8653e2c6
18:31:20.655 Disk 0 MBR read successfully
18:31:20.655 Disk 0 MBR scan
18:31:20.655 Disk 0 TDL4@MBR code has been found
18:31:20.655 Disk 0 Windows XP default MBR code found via API
18:31:20.665 Disk 0 MBR hidden
18:31:20.665 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
18:31:20.665 Disk 0 trace - called modules:
18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
18:31:20.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
18:31:20.675 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
18:31:20.995 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
18:31:20.995 Scan finished successfully
18:31:39.121 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:31:39.131 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 22:49:20
-----------------------------
22:49:20.871 OS Version: Windows 5.1.2600 Service Pack 3
22:49:20.871 Number of processors: 1 586 0x905
22:49:20.871 ComputerName: HASSELCOMPUTER UserName: Administrator
22:49:24.475 Initialize success
22:50:02.697 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:50:02.697 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
22:50:02.697 Device \Driver\atapi -> DriverStartIo 8658c2c6
22:50:02.697 Disk 0 MBR read successfully
22:50:02.697 Disk 0 MBR scan
22:50:02.707 Disk 0 TDL4@MBR code has been found
22:50:02.707 Disk 0 Windows XP default MBR code found via API
22:50:02.707 Disk 0 MBR hidden
22:50:02.727 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
22:50:02.727 Disk 0 MBR [TDL4] **ROOTKIT**
22:50:02.727 Disk 0 trace - called modules:
22:50:02.727 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8658c49f]<<
22:50:02.727 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
22:50:02.727 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
22:50:03.058 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
22:50:03.058 \Driver\atapi[0x8683c430] -> IRP_MJ_CREATE -> 0x8658c49f
22:50:03.068 Scan finished successfully
22:50:08.033 Disk 0 MBR read successfully
22:50:08.043 Disk 0 TDL4@MBR code has been found
22:50:08.053 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
22:50:08.053 Disk 0 fixing MBR ...
22:50:08.053 Disk 0 MBR restored successfully
22:50:08.063 Verifying disinfection
22:50:20.107 Infection fixed successfully - please reboot ASAP
22:50:31.549 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
22:50:31.559 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

ken545
2012-01-20, 12:28
Go ahead and reboot and run aswMBR and post the NEW log please

bluefishbeagle
2012-01-20, 13:17
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-20 06:14:00
-----------------------------
06:14:00.665 OS Version: Windows 5.1.2600 Service Pack 3
06:14:00.665 Number of processors: 1 586 0x905
06:14:00.665 ComputerName: HASSELCOMPUTER UserName: Administrator
06:14:01.967 Initialize success
06:14:10.119 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
06:14:10.129 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
06:14:10.229 Disk 0 MBR read successfully
06:14:10.229 Disk 0 MBR scan
06:14:10.229 Disk 0 Windows XP default MBR code
06:14:10.229 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
06:14:10.239 Disk 0 scanning sectors +78124095
06:14:10.529 Disk 0 scanning C:\WINDOWS\system32\drivers
06:14:27.794 Service scanning
06:14:28.525 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
06:14:28.555 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
06:14:29.086 Modules scanning
06:14:40.232 Disk 0 trace - called modules:
06:14:40.242 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS rdbss.sys
06:14:40.563 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86985ab8]
06:14:40.563 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x86986f18]
06:14:40.563 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86984940]
06:14:40.573 Scan finished successfully
06:14:50.136 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
06:14:50.146 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

ken545
2012-01-20, 13:56
Your new log looks fine now, how is your system behaving?

bluefishbeagle
2012-01-20, 15:49
Everything seems to be OK; I can shut down and restart normally. Do you think the system and HD drive are clean now?

bluefishbeagle
2012-01-20, 16:01
ZoneAlarm file seems to be corrupted; it may be my fault, since I tried to do an uninstall before getting online with you. I need to clean off the rest of the files for it, since I'm going to be using a different AV and firewall.

ken545
2012-01-20, 16:47
Let's check this file and make sure it's OK.

You need to enable Windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

C:\WINDOWS\system32\drivers\tcpip.sys <--This file

If the site is busy you can try this one
http://virusscan.jotti.org/en

Then run TDSSKiller again and make sure you post the NEW log please.

bluefishbeagle
2012-01-20, 17:33
The "Here" link to instruct Windows to show all files and folders takes me to bleepingcomputer.com???

bluefishbeagle
2012-01-20, 18:37
Disregard, I figured it out.

ken545
2012-01-20, 18:37
Yes it does, and it's one of the better malware removal forums. The link it's taking you to will have instructions for your Operating System to show all files and folders.

bluefishbeagle
2012-01-20, 19:01
The scan from VirusTotal was OK; here's the result:

SHA256: 1187559016b58539b1e58144146b8c76dfc448c2b35360ce35a148335e86f225
SHA1: 4792b0335a85df90ccfd2cffe9e1e0e6e9c87de5
MD5: 474d3dccb57defcd917311eec47204b9
File size: 353.1 KB ( 361600 bytes )
File type: Win32 EXE
Detection ratio: 0 / 41
Analysis date: 2012-01-20 17:35:49 UTC ( 4 minutes ago )


***************************************

Scan from TDSSKiller

11:55:24.0881 1732 TDSS rootkit removing tool 2.7.5.0 Jan 18 2012 09:26:24
11:55:36.0347 1732 ============================================================
11:55:36.0347 1732 Current date / time: 2012/01/20 11:55:36.0347
11:55:36.0347 1732 SystemInfo:
11:55:36.0347 1732
11:55:36.0347 1732 OS Version: 5.1.2600 ServicePack: 3.0
11:55:36.0347 1732 Product type: Workstation
11:55:36.0347 1732 ComputerName: HASSELCOMPUTER
11:55:36.0357 1732 UserName: Administrator
11:55:36.0357 1732 Windows directory: C:\WINDOWS
11:55:36.0357 1732 System windows directory: C:\WINDOWS
11:55:36.0357 1732 Processor architecture: Intel x86
11:55:36.0357 1732 Number of processors: 1
11:55:36.0357 1732 Page size: 0x1000
11:55:36.0357 1732 Boot type: Normal boot
11:55:36.0357 1732 ============================================================
11:55:39.0472 1732 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:55:39.0542 1732 Initialize success
11:55:41.0425 0688 ============================================================
11:55:41.0425 0688 Scan started
11:55:41.0425 0688 Mode: Manual;
11:55:41.0425 0688 ============================================================
11:55:42.0256 0688 Abiosdsk - ok
11:55:42.0276 0688 abp480n5 - ok
11:55:42.0356 0688 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:55:42.0366 0688 ACPI - ok
11:55:42.0566 0688 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:55:42.0576 0688 ACPIEC - ok
11:55:42.0737 0688 adpu160m - ok
11:55:42.0807 0688 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:55:42.0817 0688 aec - ok
11:55:43.0017 0688 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
11:55:43.0027 0688 AFD - ok
11:55:43.0217 0688 AgereSoftModem (55188b7c84a4c5e73e0680f744c4561d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
11:55:43.0257 0688 AgereSoftModem - ok
11:55:43.0418 0688 Aha154x - ok
11:55:43.0448 0688 aic78u2 - ok
11:55:43.0478 0688 aic78xx - ok
11:55:43.0518 0688 AliIde - ok
11:55:43.0548 0688 amsint - ok
11:55:43.0628 0688 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:55:43.0638 0688 Arp1394 - ok
11:55:43.0828 0688 asc - ok
11:55:43.0858 0688 asc3350p - ok
11:55:43.0888 0688 asc3550 - ok
11:55:43.0968 0688 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
11:55:43.0968 0688 Aspi32 - ok
11:55:44.0439 0688 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:55:44.0449 0688 AsyncMac - ok
11:55:44.0689 0688 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:55:44.0689 0688 atapi - ok
11:55:44.0860 0688 Atdisk - ok
11:55:44.0930 0688 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:55:44.0940 0688 Atmarpc - ok
11:55:45.0140 0688 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:55:45.0140 0688 audstub - ok
11:55:45.0270 0688 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:55:45.0270 0688 Beep - ok
11:55:45.0410 0688 catchme - ok
11:55:45.0621 0688 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:55:45.0631 0688 cbidf2k - ok
11:55:45.0821 0688 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:55:45.0831 0688 CCDECODE - ok
11:55:45.0991 0688 cd20xrnt - ok
11:55:46.0061 0688 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:55:46.0071 0688 Cdaudio - ok
11:55:46.0282 0688 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:55:46.0282 0688 Cdfs - ok
11:55:46.0492 0688 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:55:46.0492 0688 Cdrom - ok
11:55:46.0662 0688 Changer - ok
11:55:46.0742 0688 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:55:46.0752 0688 CmBatt - ok
11:55:46.0883 0688 CmdIde - ok
11:55:46.0963 0688 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:55:46.0963 0688 Compbatt - ok
11:55:47.0173 0688 Cpqarray - ok
11:55:47.0353 0688 dac2w2k - ok
11:55:47.0443 0688 dac960nt - ok
11:55:47.0533 0688 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
11:55:47.0533 0688 Disk - ok
11:55:47.0714 0688 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:55:47.0754 0688 dmboot - ok
11:55:47.0924 0688 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:55:47.0964 0688 dmio - ok
11:55:48.0154 0688 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:55:48.0154 0688 dmload - ok
11:55:48.0305 0688 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:55:48.0315 0688 DMusic - ok
11:55:48.0465 0688 dpti2o - ok
11:55:48.0555 0688 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:55:48.0565 0688 drmkaud - ok
11:55:48.0785 0688 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
11:55:48.0795 0688 exFat - ok
11:55:49.0026 0688 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:55:49.0026 0688 Fastfat - ok
11:55:49.0216 0688 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:55:49.0216 0688 Fdc - ok
11:55:49.0426 0688 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:55:49.0426 0688 Fips - ok
11:55:49.0637 0688 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:55:49.0647 0688 Flpydisk - ok
11:55:49.0727 0688 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:55:49.0727 0688 FltMgr - ok
11:55:49.0947 0688 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:55:49.0947 0688 Fs_Rec - ok
11:55:50.0187 0688 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:55:50.0197 0688 Ftdisk - ok
11:55:50.0388 0688 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:55:50.0388 0688 Gpc - ok
11:55:50.0578 0688 hpn - ok
11:55:50.0668 0688 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
11:55:50.0688 0688 HTTP - ok
11:55:50.0848 0688 i2omgmt - ok
11:55:50.0878 0688 i2omp - ok
11:55:50.0948 0688 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:55:50.0958 0688 i8042prt - ok
11:55:51.0199 0688 ialm (1b49ec451363cbbf8d0549d4fd78072c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:55:51.0199 0688 ialm - ok
11:55:51.0419 0688 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:55:51.0429 0688 Imapi - ok
11:55:51.0599 0688 ini910u - ok
11:55:51.0679 0688 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:55:51.0679 0688 IntelIde - ok
11:55:51.0860 0688 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:55:51.0860 0688 intelppm - ok
11:55:52.0100 0688 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:55:52.0110 0688 Ip6Fw - ok
11:55:52.0320 0688 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:55:52.0320 0688 IpFilterDriver - ok
11:55:52.0521 0688 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:55:52.0531 0688 IpInIp - ok
11:55:52.0661 0688 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:55:52.0671 0688 IpNat - ok
11:55:52.0791 0688 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:55:52.0801 0688 IPSec - ok
11:55:53.0021 0688 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
11:55:53.0031 0688 irda - ok
11:55:53.0162 0688 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:55:53.0162 0688 IRENUM - ok
11:55:53.0282 0688 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:55:53.0292 0688 isapnp - ok
11:55:53.0512 0688 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:55:53.0512 0688 Kbdclass - ok
11:55:53.0592 0688 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys
11:55:53.0602 0688 kl1 - ok
11:55:53.0883 0688 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys
11:55:53.0893 0688 KLIF - ok
11:55:54.0143 0688 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:55:54.0153 0688 kmixer - ok
11:55:54.0373 0688 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
11:55:54.0373 0688 KSecDD - ok
11:55:54.0554 0688 lbrtfdc - ok
11:55:54.0674 0688 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:55:54.0684 0688 mnmdd - ok
11:55:54.0894 0688 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:55:54.0904 0688 Modem - ok
11:55:54.0974 0688 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:55:54.0974 0688 Mouclass - ok
11:55:55.0255 0688 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
11:55:55.0255 0688 MountMgr - ok
11:55:55.0345 0688 mraid35x - ok
11:55:55.0455 0688 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
11:55:55.0455 0688 MREMP50 - ok
11:55:55.0495 0688 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
11:55:55.0495 0688 MRESP50 - ok
11:55:55.0715 0688 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:55:55.0725 0688 MRxDAV - ok
11:55:55.0986 0688 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:55:56.0006 0688 MRxSmb - ok
11:55:56.0246 0688 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:55:56.0246 0688 Msfs - ok
11:55:56.0466 0688 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:55:56.0476 0688 MSKSSRV - ok
11:55:56.0677 0688 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:55:56.0677 0688 MSPCLOCK - ok
11:55:56.0787 0688 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:55:56.0797 0688 MSPQM - ok
11:55:56.0887 0688 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:55:56.0887 0688 mssmbios - ok
11:55:57.0017 0688 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:55:57.0017 0688 MSTEE - ok
11:55:57.0257 0688 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
11:55:57.0267 0688 Mup - ok
11:55:57.0478 0688 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:55:57.0488 0688 NABTSFEC - ok
11:55:57.0738 0688 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:55:57.0748 0688 NDIS - ok
11:55:57.0928 0688 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:55:57.0928 0688 NdisIP - ok
11:55:58.0079 0688 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:55:58.0079 0688 NdisTapi - ok
11:55:58.0159 0688 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:55:58.0169 0688 Ndisuio - ok
11:55:58.0309 0688 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:55:58.0319 0688 NdisWan - ok
11:55:58.0409 0688 NDProxy (816460bd4b4acd27937d1d0813e2e9e9) C:\WINDOWS\system32\drivers\NDProxy.sys
11:55:58.0409 0688 NDProxy - ok
11:55:58.0539 0688 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:55:58.0539 0688 NetBIOS - ok
11:55:58.0669 0688 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:55:58.0680 0688 NetBT - ok
11:55:58.0930 0688 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:55:58.0940 0688 NIC1394 - ok
11:55:59.0130 0688 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:55:59.0140 0688 Npfs - ok
11:55:59.0200 0688 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
11:55:59.0220 0688 Ntfs - ok
11:55:59.0451 0688 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:55:59.0451 0688 Null - ok
11:55:59.0661 0688 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:55:59.0671 0688 NwlnkFlt - ok
11:55:59.0691 0688 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:55:59.0701 0688 NwlnkFwd - ok
11:55:59.0771 0688 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:55:59.0781 0688 ohci1394 - ok
11:56:00.0001 0688 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:56:00.0001 0688 Parport - ok
11:56:00.0202 0688 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:56:00.0212 0688 PartMgr - ok
11:56:00.0332 0688 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:56:00.0342 0688 ParVdm - ok
11:56:00.0582 0688 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:56:00.0582 0688 PCI - ok
11:56:00.0742 0688 PCIDump - ok
11:56:00.0803 0688 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:56:00.0813 0688 PCIIde - ok
11:56:01.0023 0688 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
11:56:01.0033 0688 Pcmcia - ok
11:56:01.0213 0688 PDCOMP - ok
11:56:01.0243 0688 PDFRAME - ok
11:56:01.0273 0688 PDRELI - ok
11:56:01.0303 0688 PDRFRAME - ok
11:56:01.0323 0688 perc2 - ok
11:56:01.0353 0688 perc2hib - ok
11:56:01.0484 0688 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:56:01.0484 0688 PptpMiniport - ok
11:56:01.0694 0688 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
11:56:01.0704 0688 PSched - ok
11:56:01.0814 0688 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:56:01.0814 0688 Ptilink - ok
11:56:01.0924 0688 PxHelp20 (42d4c34300405d9f377e55f5ddadd720) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
11:56:01.0934 0688 PxHelp20 - ok
11:56:02.0054 0688 ql1080 - ok
11:56:02.0104 0688 Ql10wnt - ok
11:56:02.0155 0688 ql12160 - ok
11:56:02.0185 0688 ql1240 - ok
11:56:02.0205 0688 ql1280 - ok
11:56:02.0265 0688 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:56:02.0265 0688 RasAcd - ok
11:56:02.0445 0688 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
11:56:02.0455 0688 Rasirda - ok
11:56:02.0575 0688 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:56:02.0575 0688 Rasl2tp - ok
11:56:02.0675 0688 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:56:02.0675 0688 RasPppoe - ok
11:56:02.0815 0688 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:56:02.0825 0688 Raspti - ok
11:56:02.0956 0688 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:56:02.0966 0688 Rdbss - ok
11:56:03.0186 0688 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:56:03.0196 0688 RDPCDD - ok
11:56:03.0386 0688 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:56:03.0396 0688 rdpdr - ok
11:56:03.0637 0688 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
11:56:03.0647 0688 RDPWD - ok
11:56:03.0927 0688 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:56:03.0937 0688 redbook - ok
11:56:04.0177 0688 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
11:56:04.0177 0688 RTL8023xp - ok
11:56:04.0428 0688 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:56:04.0438 0688 Secdrv - ok
11:56:04.0668 0688 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:56:04.0668 0688 serenum - ok
11:56:04.0808 0688 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:56:04.0818 0688 Serial - ok
11:56:04.0928 0688 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:56:04.0928 0688 Sfloppy - ok
11:56:05.0219 0688 Si3112 (f459dd5ee69d4b68cb6767c9731b5faf) C:\WINDOWS\system32\drivers\Si3112.sys
11:56:05.0229 0688 Si3112 - ok
11:56:05.0359 0688 Simbad - ok
11:56:05.0459 0688 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:56:05.0459 0688 SLIP - ok
11:56:05.0690 0688 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
11:56:05.0700 0688 SMCIRDA - ok
11:56:05.0860 0688 Sparrow - ok
11:56:05.0930 0688 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:56:05.0940 0688 splitter - ok
11:56:06.0220 0688 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
11:56:06.0220 0688 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
11:56:06.0220 0688 sptd ( LockedFile.Multi.Generic ) - warning
11:56:06.0220 0688 sptd - detected LockedFile.Multi.Generic (1)
11:56:06.0401 0688 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:56:06.0421 0688 Sr - ok
11:56:06.0521 0688 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
11:56:06.0531 0688 Srv - ok
11:56:06.0741 0688 STAC97 (94958b68384bb931f571cd35bb65028d) C:\WINDOWS\system32\drivers\STAC97.sys
11:56:06.0761 0688 STAC97 - ok
11:56:06.0991 0688 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:56:06.0991 0688 streamip - ok
11:56:07.0222 0688 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:56:07.0232 0688 swenum - ok
11:56:07.0442 0688 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:56:07.0452 0688 swmidi - ok
11:56:07.0612 0688 symc810 - ok
11:56:07.0642 0688 symc8xx - ok
11:56:07.0672 0688 sym_hi - ok
11:56:07.0702 0688 sym_u3 - ok
11:56:07.0783 0688 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:56:07.0783 0688 sysaudio - ok
11:56:08.0043 0688 Tcpip (474d3dccb57defcd917311eec47204b9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:56:08.0063 0688 Tcpip - ok
11:56:08.0263 0688 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:56:08.0273 0688 TDPIPE - ok
11:56:08.0373 0688 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
11:56:08.0383 0688 TDTCP - ok
11:56:08.0474 0688 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:56:08.0484 0688 TermDD - ok
11:56:08.0604 0688 TosIde - ok
11:56:08.0684 0688 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:56:08.0684 0688 Udfs - ok
11:56:08.0754 0688 ultra - ok
11:56:09.0034 0688 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:56:09.0064 0688 Update - ok
11:56:09.0265 0688 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:56:09.0265 0688 usbccgp - ok
11:56:09.0495 0688 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:56:09.0495 0688 usbehci - ok
11:56:09.0675 0688 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:56:09.0675 0688 usbhub - ok
11:56:09.0775 0688 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:56:09.0785 0688 usbscan - ok
11:56:09.0996 0688 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:56:09.0996 0688 USBSTOR - ok
11:56:10.0206 0688 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:56:10.0216 0688 usbuhci - ok
11:56:10.0426 0688 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
11:56:10.0436 0688 usbvideo - ok
11:56:10.0637 0688 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:56:10.0647 0688 VgaSave - ok
11:56:10.0817 0688 ViaIde - ok
11:56:10.0887 0688 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:56:10.0897 0688 VolSnap - ok
11:56:11.0127 0688 vsdatant (1045d05bbd5170565927d7653346c961) C:\WINDOWS\system32\vsdatant.sys
11:56:11.0228 0688 vsdatant - ok
11:56:11.0488 0688 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys
11:56:11.0518 0688 w70n51 - ok
11:56:11.0718 0688 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:56:11.0718 0688 Wanarp - ok
11:56:11.0889 0688 WDICA - ok
11:56:11.0969 0688 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:56:11.0979 0688 wdmaud - ok
11:56:12.0289 0688 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:56:12.0289 0688 WS2IFSL - ok
11:56:12.0499 0688 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:56:12.0509 0688 WSTCODEC - ok
11:56:12.0720 0688 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:56:12.0730 0688 WudfPf - ok
11:56:12.0910 0688 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:56:12.0920 0688 WudfRd - ok
11:56:13.0020 0688 {6080A529-897E-4629-A488-ABA0C29B635E} (a7ab6e6fcb5d9276160d9998593638e3) C:\WINDOWS\system32\drivers\ialmsbw.sys
11:56:13.0030 0688 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
11:56:13.0270 0688 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d9c1c60a4e414052e30dbb2800f0893a) C:\WINDOWS\system32\drivers\ialmkchw.sys
11:56:13.0281 0688 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
11:56:13.0321 0688 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:56:13.0551 0688 \Device\Harddisk0\DR0 - ok
11:56:13.0581 0688 Boot (0x1200) (ca4c82ff5ce81bf5e3b095fdd0b5f4fa) \Device\Harddisk0\DR0\Partition0
11:56:13.0581 0688 \Device\Harddisk0\DR0\Partition0 - ok
11:56:13.0591 0688 ============================================================
11:56:13.0591 0688 Scan finished
11:56:13.0591 0688 ============================================================
11:56:13.0621 2400 Detected object count: 1
11:56:13.0621 2400 Actual detected object count: 1
11:56:15.0934 2400 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:56:15.0934 2400 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
11:56:29.0083 1388 Deinitialize success
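
Added example, not part of the original thread and not TDSSKiller's own code: a small Python script that parses log lines of the shape shown in the scan output above, collects every driver whose verdict is anything other than `ok` (here the sptd entry reported as LockedFile.Multi.Generic), and hashes a file on disk so the result can be compared with the MD5 the scanner logged before the file is submitted to VirusTotal or Jotti, as Ken asks for tcpip.sys further down. The sample log lines are constructed to mirror the ones above, and the regular expressions are an assumption about the log format derived from those lines.

```python
"""Parse TDSSKiller-style scan log lines, flag non-ok drivers, hash files.

Added example, not TDSSKiller's code. ENTRY_RE and VERDICT_RE are an
assumption about the log format, derived from lines of the shape above.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the same shape as the scan log: timestamp, thread id,
# service name, (md5) and path, then one or more verdict lines per service.
SAMPLE_LOG = r"""
11:55:42.0356 0688 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:55:42.0366 0688 ACPI - ok
11:55:42.0256 0688 Abiosdsk - ok
11:56:06.0220 0688 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
11:56:06.0220 0688 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
11:56:06.0220 0688 sptd ( LockedFile.Multi.Generic ) - warning
11:56:06.0220 0688 sptd - detected LockedFile.Multi.Generic (1)
11:56:08.0043 0688 Tcpip (474d3dccb57defcd917311eec47204b9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:56:08.0063 0688 Tcpip - ok
"""

# "<time> <tid> <name> (<md5>) <path>"
ENTRY_RE = re.compile(
    r"^\S+ \d+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<time> <tid> <name> [( <threat> )] - <verdict>"
VERDICT_RE = re.compile(
    r"^\S+ \d+ (?P<name>\S+)(?: \( (?P<threat>[^)]+) \))? - (?P<verdict>.+)$")


@dataclass
class DriverEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    threat: Optional[str] = None
    verdicts: List[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        # Exactly one verdict and it is "ok"; a warning, a detection, or a
        # missing verdict all mean a human should look at the entry.
        return self.verdicts == ["ok"]


def parse_log(text: str) -> Dict[str, DriverEntry]:
    """Group entry and verdict lines by service name, in log order."""
    entries: Dict[str, DriverEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], DriverEntry(m["name"]))
            e.md5, e.path = m["md5"], m["path"]
            continue
        m = VERDICT_RE.match(line)
        if m:  # "Suspicious file (NoAccess): ..." lines do not match either regex
            e = entries.setdefault(m["name"], DriverEntry(m["name"]))
            e.verdicts.append(m["verdict"])
            if m["threat"]:
                e.threat = m["threat"]
    return entries


def flagged(entries: Dict[str, DriverEntry]) -> List[DriverEntry]:
    """Every service whose verdict is not a plain 'ok'."""
    return [e for e in entries.values() if not e.clean]


def md5_of_bytes(data: bytes) -> str:
    # MD5 is used only because that is the hash the scanner logs and the
    # multi-engine sites accept for lookups, not as an integrity guarantee.
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_logged_hash(entry: DriverEntry, path: Optional[str] = None) -> bool:
    """True if the file on disk still hashes to what the scanner logged."""
    return md5_of_file(path or entry.path) == entry.md5


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.name}: {'; '.join(e.verdicts)} [{e.threat}] {e.path}")
```

Run against the real log, only sptd comes out flagged. LockedFile.Multi.Generic means the scanner could not open the file because it was locked, not that the file matched a signature; sptd.sys is the SCSI Pass Through Direct driver installed by disc-emulation tools such as Daemon Tools and Alcohol 120%, and it is routinely reported this way. Hashing the file and checking that the result matches the logged MD5 before uploading makes sure the sample sent to VirusTotal or Jotti is the same file the scanner looked at.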

bluefishbeagle
2012-01-20, 21:04
Was the VirusTotal scan report what you wanted? The site did not make clear what to send.

ken545
2012-01-20, 21:37
Well, that's not the entire VirusTotal report; go ahead and rerun that file through Jotti:

http://virusscan.jotti.org/en
C:\WINDOWS\system32\drivers\tcpip.sys


Logs look OK; how is your system behaving now?

bluefishbeagle
2012-01-20, 22:05
2012-01-20 Found nothing 2012-01-19 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-19 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-19 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing
2012-01-20 Found nothing 2012-01-19 Found nothing
2012-01-20 Found nothing 2012-01-20 Found nothing


Says nothing found out of 20 scanners.

The computer seems to be running normal, shut down and reboot created no problems or warnings.

ken545
2012-01-20, 22:21
Great, that may have been a false positive on the Combofix log, but it doesn't hurt to check.



Click START then RUN
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep; it will not be removed.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

bluefishbeagle
2012-01-20, 23:33
Ken you have been a great help and very patient but I have to admit that I don't know what OTL is. Where is it?

ken545
2012-01-21, 00:10
My bad :oops:

Between this forum and all the other ones I am active on I have over 20 threads going. I thought we used this tool in the cleaning of your system, but we did not; no biggie, you can use this one in lieu of OTL.

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

bluefishbeagle
2012-01-21, 00:30
OK, great, thanks. I know you are a busy man and working multiple problems all at one time. Once again thank you very much for the help; you guys are the best. Hope my donation covers some of the costs. Even with all the problems I like PCs; I used to be a Mac guy but there's no challenge in that :red: Besides, I have programs I need that only run on PC, and putting Windows on a Mac is like putting a dress on a pig. Ha ha.

Again, thanks a million :thanks:

ken545
2012-01-21, 01:19
You're very welcome :)

You take care now

Ken

ken545
2012-01-25, 13:16
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.