
Persistent malware - help please



cubfan
2013-02-17, 03:33
My system started acting up a little less than a week ago. Windows loads fine but is extremely slow. Wouldn't let me into Safe Mode (starts loading, shows sys files as they're loading, then very quick BSOD and reboot automatically). I ran MalwareBytes and it found:
Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:5555 -> Quarantined and deleted successfully.
but the system was still very slow. I wondered if it was a driver so I disabled USB, WLAN and Audio in BIOS. Seemed to work fine then. As soon as I re-enable WLAN it starts acting up again.
Fairly certain it is malware in Windows - I dual boot with Ubuntu and everything works fine on that side.
I followed directions in "BEFORE you POST" thread and here are the logs...
dds.txt:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.17115 BrowserJavaVersion: 10.7.2
Run by Art at 12:23:20 on 2013-02-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1508 [GMT -6:00]
.
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW: *Enabled*
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Art\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\chrome_frame_helper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Novatel Wireless\LTE Support\VZWMSConfig.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://portal.associatedbank.com/+CSCOE+/logon.html
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\art\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ChromeFrameHelper] "c:\documents and settings\art\local settings\application data\google\chrome\application\24.0.1312.57\chrome_frame_helper.exe" --startup
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IJNetworkScannerSelectorEX] c:\program files\canon\ij network scanner selector ex\CNMNSST.exe /FORCE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\everno~1.lnk - c:\windows\installer\{f761359c-9ced-45ae-9a51-9d6605cd55c4}\Evernote.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239106328781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341116613750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
TCP: Interfaces\{9DAD4457-4E0D-4CED-97FB-75F1474808F9} : NameServer = 8.8.8.8,8.8.4.4
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\documents and settings\art\local settings\application data\google\chrome\application\24.0.1312.57\npchrome_frame.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2012-12-21 622616]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2012-12-22 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2012-12-22 40648]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-12-15 242240]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2012-12-22 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2012-12-22 185032]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [2012-12-21 162976]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-11-19 527408]
R2 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2012-12-27 69192]
R2 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2012-12-27 23624]
R2 gzserv;Bitdefender Antivirus Free Edition;c:\program files\bitdefender\antivirus free edition\gzserv.exe [2012-12-21 26776]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-11-2 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-11-2 497320]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-8 10384]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R2 VZWConfigService;VZW Config Service;c:\program files\novatel wireless\lte support\VZWMSConfig.exe [2012-4-16 218160]
R3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2012-12-21 447208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-2-11 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2013-1-4 1174976]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-8-13 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-8-13 8456]
S3 NWRmNet_001;Novatel Wireless Verizon RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_001.sys [2012-5-3 296448]
S3 NWUSBModem_001;Novatel Wireless Verizon USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_001.sys [2012-5-3 176384]
S3 NWUSBPort_001;Novatel Wireless Verizon USB Status Port Driver;c:\windows\system32\drivers\nwusbser_001.sys [2012-5-3 176384]
S3 NWUSBPort2_001;Novatel Wireless Verizon USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_001.sys [2012-5-3 176384]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-2-11 1103392]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-2-11 1369624]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2011-11-29 32408]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2012-1-10 23608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2012-1-10 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2012-1-10 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2012-1-10 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2012-1-10 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2012-1-10 25704]
S3 wsvad_driver;iEffectsoft Audio;c:\windows\system32\drivers\CapAudio.sys [2012-9-9 20480]
.
=============== File Associations ===============
.
ShellExec: FOXITR~1.EXE: print="c:\progra~1\foxits~1\foxitr~1\FOXITR~1.EXE"/p "%1"
ShellExec: FOXITR~1.EXE: printto="c:\progra~1\foxits~1\foxitr~1\FOXITR~1.EXE"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2013-02-12 01:02:27 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-11 23:37:07 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-02-11 23:36:48 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-02-11 23:36:39 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-02-11 03:28:12 343456 ----a-w- c:\windows\system32\drivers\trufos.sys
2013-02-11 03:28:11 0 ----a-w- c:\windows\system32\drivers\avchv.sys
2013-02-11 03:02:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-02-11 03:02:23 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-02-11 03:02:22 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-02-11 03:02:16 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-02-11 03:02:10 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-02-11 03:02:01 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-02-11 03:01:54 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-02-11 03:01:52 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-02-11 03:01:47 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-02-11 03:01:45 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2013-02-11 03:01:20 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2013-02-11 03:01:16 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2013-02-11 03:01:11 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2013-02-11 02:59:54 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2013-02-11 02:59:49 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2013-02-11 02:59:42 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2013-02-11 02:59:35 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2013-02-11 02:59:29 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2013-02-11 02:59:23 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2013-02-11 02:59:17 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2013-02-11 02:59:15 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2013-02-11 02:59:15 42240 -c--a-w- c:\windows\system32\dllcache\viaagp.sys
2013-02-11 02:59:10 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2013-02-11 02:59:04 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2013-02-11 02:57:56 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2013-02-11 02:57:50 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2013-02-11 02:57:45 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2013-02-11 02:57:40 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2013-02-11 02:57:34 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2013-02-11 02:57:29 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2013-02-11 02:57:23 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2013-02-11 02:57:18 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2013-02-11 02:57:12 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2013-02-11 02:57:06 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2013-02-11 02:57:03 44672 -c--a-w- c:\windows\system32\dllcache\uagp35.sys
2013-02-11 02:56:58 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2013-02-11 02:56:48 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2013-02-11 02:56:43 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2013-02-11 02:56:37 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2013-02-11 02:56:32 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2013-02-11 02:56:26 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2013-02-11 02:56:21 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2013-02-11 02:56:15 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2013-02-11 02:56:09 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll
2013-02-11 02:56:08 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2013-02-11 02:56:02 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2013-02-11 02:55:52 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2013-02-11 02:55:47 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2013-02-11 02:55:41 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys
2013-02-11 02:55:36 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2013-02-11 02:55:30 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2013-02-11 02:55:23 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2013-02-11 02:55:17 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2013-02-11 02:55:15 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2013-02-11 02:55:08 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2013-02-11 02:55:03 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2013-02-11 02:54:54 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2013-02-11 02:54:47 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2013-02-11 02:54:42 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2013-02-11 02:54:37 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2013-02-11 02:54:27 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2013-02-11 02:54:22 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2013-02-11 02:54:17 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2013-02-11 02:54:12 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2013-02-11 02:54:06 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2013-02-11 02:54:01 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2013-02-11 02:53:56 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2013-02-11 02:53:51 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2013-02-11 02:53:46 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2013-02-11 02:53:41 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2013-02-11 02:53:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2013-02-11 02:53:29 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2013-02-11 02:53:24 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2013-02-11 02:53:19 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2013-02-11 02:53:13 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2013-02-11 02:53:04 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2013-02-11 02:52:58 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2013-02-11 02:52:49 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2013-02-11 02:52:41 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2013-02-11 02:52:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2013-02-11 02:52:31 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2013-02-11 02:52:25 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2013-02-11 02:52:20 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2013-02-11 02:52:15 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2013-02-11 02:52:10 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2013-02-11 02:52:05 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2013-02-11 02:52:04 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2013-02-11 02:51:58 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2013-02-11 02:51:45 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2013-02-11 02:51:39 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2013-02-11 02:51:33 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2013-02-11 02:51:28 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2013-02-11 02:51:23 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2013-02-11 02:51:17 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2013-02-11 02:51:16 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2013-02-11 02:51:15 5888 -c--a-w- c:\windows\system32\dllcache\smbali.sys
2013-02-11 02:51:15 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2013-02-11 02:51:09 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2013-02-11 02:51:04 33792 -c--a-w- c:\windows\system32\dllcache\smb0w.dll
2013-02-11 02:49:55 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2013-02-11 02:49:50 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2013-02-11 02:49:45 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2013-02-11 02:49:43 3901 -c--a-w- c:\windows\system32\dllcache\siint5.dll
2013-02-11 02:49:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2013-02-11 02:49:25 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2013-02-11 02:49:20 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2013-02-11 02:49:15 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2013-02-11 02:49:10 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2013-02-11 02:49:02 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2013-02-11 02:48:56 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2013-02-11 02:48:49 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2013-02-11 02:48:48 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2013-02-11 02:48:42 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2013-02-11 02:48:36 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2013-02-11 02:48:31 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2013-02-11 02:48:25 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2013-02-11 02:48:20 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2013-02-11 02:48:18 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2013-02-11 02:48:13 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2013-02-11 02:48:06 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2013-02-11 02:48:01 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2013-02-11 02:46:59 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2013-02-11 02:46:58 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2013-02-11 02:46:54 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2013-02-11 02:46:50 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2013-02-11 02:46:45 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2013-02-11 02:46:38 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2013-02-11 02:46:32 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2013-02-11 02:46:29 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2013-02-11 02:46:28 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2013-02-11 02:46:22 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2013-02-11 02:46:20 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2013-02-11 02:46:15 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2013-02-11 02:46:08 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2013-02-11 02:45:58 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2013-02-11 02:45:50 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2013-02-11 02:45:45 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2013-02-11 02:45:39 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2013-02-11 02:45:34 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2013-02-11 02:45:26 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2013-02-11 02:45:21 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2013-02-11 02:45:17 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys
2013-02-11 02:45:12 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2013-02-11 02:45:07 40320 -c--a-w- c:\windows\system32\dllcache\ql1080.sys
2013-02-11 02:45:06 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2013-02-11 02:43:57 92416 -c--a-w- c:\windows\system32\dllcache\phildec.sys
2013-02-11 02:42:59 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2013-02-11 02:42:57 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2013-02-11 02:42:53 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2013-02-11 02:42:43 41984 -c--a-w- c:\windows\system32\dllcache\ovui2rc.dll
2013-02-11 02:42:39 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2013-02-11 02:42:34 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2013-02-11 02:42:30 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2013-02-11 02:42:25 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2013-02-11 02:42:21 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2013-02-11 02:42:16 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2013-02-11 02:42:11 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2013-02-11 02:42:07 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2013-02-11 02:42:02 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2013-02-11 02:41:58 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2013-02-11 02:41:53 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2013-02-11 02:41:49 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2013-02-11 02:41:44 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2013-02-11 02:41:38 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2013-02-11 02:41:33 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2013-02-11 02:41:28 1897408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2013-02-11 02:41:27 4274816 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2013-02-11 02:41:23 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2013-02-11 02:41:18 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2013-02-11 02:41:14 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2013-02-11 02:41:05 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2013-02-11 02:40:58 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2013-02-11 02:40:54 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2013-02-11 02:40:52 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2013-02-11 02:40:43 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2013-02-11 02:40:38 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2013-02-11 02:40:32 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2013-02-11 02:40:30 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2013-02-11 02:40:21 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2013-02-11 02:40:14 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
2013-02-11 02:40:10 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2013-02-11 02:40:05 15872 -c--a-w- c:\windows\system32\dllcache\ne2000.sys
2013-02-11 02:38:57 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2013-02-11 02:38:56 452736 -c--a-w- c:\windows\system32\dllcache\mtxparhm.sys
2013-02-11 02:38:55 1737856 -c--a-w- c:\windows\system32\dllcache\mtxparhd.dll
2013-02-11 02:38:53 119808 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2013-02-11 02:38:51 1309184 -c--a-w- c:\windows\system32\dllcache\mtlstrm.sys
2013-02-11 02:38:50 126686 -c--a-w- c:\windows\system32\dllcache\mtlmnt5.sys
2013-02-11 02:38:39 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2013-02-11 02:38:31 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2013-02-11 02:38:20 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2013-02-11 02:38:18 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2013-02-11 02:38:03 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2013-02-11 02:37:58 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2013-02-11 02:37:55 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2013-02-11 02:37:43 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2013-02-11 02:37:40 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2013-02-11 02:37:32 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2013-02-11 02:37:20 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-02-11 02:37:12 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2013-02-11 02:37:08 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2013-02-11 02:37:06 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2013-02-11 02:37:02 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2013-02-11 02:35:59 4992 -c--a-w- c:\windows\system32\dllcache\loop.sys
2013-02-11 02:35:52 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2013-02-11 02:35:48 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2013-02-11 02:35:43 25065 -c--a-w- c:\windows\system32\dllcache\lmndis3.sys
2013-02-11 02:35:38 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2013-02-11 02:35:35 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2013-02-11 02:35:31 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2013-02-11 02:35:26 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2013-02-11 02:35:20 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2013-02-11 02:35:17 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2013-02-11 02:35:15 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2013-02-11 02:35:02 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-02-11 02:34:47 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2013-02-11 02:34:43 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2013-02-11 02:34:42 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2013-02-11 02:34:38 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2013-02-11 02:34:38 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2013-02-11 02:34:36 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2013-02-11 02:34:26 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2013-02-11 02:34:22 90200 -c--a-w- c:\windows\system32\dllcache\io8ports.dll
2013-02-11 02:34:18 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2013-02-11 02:34:16 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2013-02-11 02:34:12 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2013-02-11 02:34:08 16000 -c--a-w- c:\windows\system32\dllcache\ini910u.sys
2013-02-11 02:32:57 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2013-02-11 02:31:56 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2013-02-11 02:30:57 126976 -c--a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2013-02-11 02:29:59 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2013-02-11 02:28:53 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2013-02-11 02:27:59 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2013-02-11 02:26:58 26141 -c--a-w- c:\windows\system32\dllcache\el589nd5.sys
2013-02-11 02:25:59 6216 -c--a-w- c:\windows\system32\dllcache\divaci.dll
2013-02-11 02:24:58 63208 -c--a-w- c:\windows\system32\dllcache\dc21x4.sys
2013-02-11 02:23:56 39936 -c--a-w- c:\windows\system32\dllcache\cnxt1803.sys
2013-02-11 02:22:36 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-02-11 02:21:59 37568 -c--a-w- c:\windows\system32\dllcache\avmwan.sys
2013-02-11 02:20:59 11615 -c--a-w- c:\windows\system32\dllcache\ati1mdxx.sys
2013-02-11 02:19:21 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2013-01-18 04:33:47 -------- d-----w- c:\program files\iPod
2013-01-18 04:33:40 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-01-18 04:33:39 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-12-22 01:56:45 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-12-22 01:56:45 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-12-22 01:48:04 184026 ----a-w- c:\documents and settings\all users\application data\1356140426.bdinstall.bin
2012-12-22 01:38:22 419 ----a-w- c:\documents and settings\all users\application data\1356140286.404.bin
2012-12-22 01:38:22 26757 ----a-w- c:\documents and settings\all users\application data\1356140286.3092.bin
2012-12-22 01:38:13 2040 ----a-w- c:\documents and settings\all users\application data\1356140286.4036.bin
2012-12-22 01:36:53 28096 ----a-w- c:\documents and settings\all users\application data\1356140133.bdinstall.bin
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 03:30:15 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 03:30:14 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 02:03:00 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk0\DR0[0x8AA46AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\00000073[0x8AA26230]
5 ACPI[0xB9F02620] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8AA24940]
kernel: MBR read successfully
_asm { JMP 0x65; }
user != kernel MBR !!!
.
============= FINISH: 12:31:50.96 ===============

Attach.txt attached as a zip.

aswMBR.txt:
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-16 13:31:46
-----------------------------
13:31:46.296 OS Version: Windows 5.1.2600 Service Pack 3
13:31:46.296 Number of processors: 2 586 0x1C02
13:31:46.296 ComputerName: NETBOOK UserName: Art
13:33:49.187 Initialize success
13:35:16.421 AVAST engine download error: 0
13:35:52.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:35:52.671 Disk 0 Vendor: Size: 0MB BusType: 0
13:35:52.718 Disk 0 MBR read successfully
13:35:52.718 Disk 0 MBR scan
13:35:52.734 Disk 0 unknown MBR code
13:35:52.750 Disk 0 MBR hidden
13:35:52.765 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 41731 MB offset 63
13:35:52.765 Disk 0 Partition - 00 05 Extended 4768 MB offset 85467134
13:35:52.796 Disk 0 Partition 2 00 83 Linux 106127 MB offset 95232000
13:35:52.843 Disk 0 Partition 3 00 82 Linux swap 4768 MB offset 85467136
13:35:52.953 Disk 0 scanning C:\WINDOWS\system32\drivers
13:37:07.046 Service scanning
13:37:08.875 Service bdftdif C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys **LOCKED** 5
13:37:08.968 Service bdselfpr C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys **LOCKED** 5
13:37:23.515 Modules scanning
13:37:45.562 Disk 0 trace - called modules:
13:37:45.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:37:45.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa41ab8]
13:37:45.687 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000073[0x8aa439e8]
13:37:45.718 5 ACPI.sys[b9f02620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa39940]
13:37:45.750 Scan finished successfully
13:38:16.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Art\Desktop\MBR.dat"
13:38:16.265 The log file has been saved successfully to "C:\Documents and Settings\Art\Desktop\aswMBR.txt"

Note that aswMBR asked to allow the use of the AVAST Engine and I chose to allow but the program was unable to download (I think the malware is preventing internet access -- I downloaded the tools that created these logs with Ubuntu and copied to WIN using flash drive).

I could not get Spybot to copy results using a right click, so I have attached a zip of those results as well.

Thank you in advance for any help!
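
As an added example that is not part of this thread or of any of the tools named in it, here is a small Python triage script over the kind of lines GMER and aswMBR printed above: it flags the combination a responder cares about, namely the kernel reading the MBR while the user-mode read fails and the two disagree, with a second tool reporting the MBR as hidden and its boot code unknown. The sample lines, indicator keys and severities below are constructed by the editor to mirror the posted logs, not taken from the tools' documentation.

```python
import re

# Constructed sample lines, modelled on the GMER and aswMBR output posted in this thread.
SAMPLE_GMER = r"""
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
"""
SAMPLE_ASWMBR = r"""
13:35:52.718 Disk 0 MBR read successfully
13:35:52.734 Disk 0 unknown MBR code
13:35:52.750 Disk 0 MBR hidden
13:37:08.875 Service bdftdif C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys **LOCKED** 5
"""
INDICATORS = [  # (key, regex, severity, what the line means to a responder)
    ("mbr_mismatch", r"user != kernel MBR", "high",
     "user-mode and kernel-mode views of the MBR disagree: something in the disk stack is filtering reads"),
    ("user_read_failed", r"^user: error reading MBR", "medium",
     "user-mode MBR read failed although the device opened"),
    ("mbr_hidden", r"Disk \d+ MBR hidden", "high",
     "scanner could not read back the real MBR through the normal path"),
    ("unknown_mbr_code", r"Disk \d+ unknown MBR code", "medium",
     "boot code does not match any known loader"),
    ("locked_driver", r"\*\*LOCKED\*\*", "info",
     "driver file locked; AV self-protection does this too, so corroborate before acting"),
]
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+")  # aswMBR prefixes every line with a time

def triage(log_text, source):
    """Return one finding per matched indicator line, tagged with the log it came from."""
    findings = []
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        for key, pattern, severity, note in INDICATORS:
            if re.search(pattern, line):
                findings.append({"source": source, "key": key, "severity": severity, "line": line, "note": note})
    return findings

def verdict(findings):
    """A user/kernel mismatch plus a hidden or unknown MBR is the MBR-hooking rootkit pattern; one indicator alone only warrants a closer look."""
    keys = {f["key"] for f in findings}
    if "mbr_mismatch" in keys and keys & {"mbr_hidden", "unknown_mbr_code"}:
        return "mbr_rootkit_suspected"
    if any(f["severity"] in ("high", "medium") for f in findings):
        return "investigate"
    return "clean"
```

Run `triage()` over each saved log and combine the results with `verdict()`; the locked-driver line from the Bitdefender self-protection driver is deliberately only informational so that it does not raise the verdict on its own.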

Jack&Jill
2013-02-22, 05:58
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

cubfan
2013-02-23, 01:18
I'm subscribed and appreciate your help. :thanks:

Jack&Jill
2013-02-23, 05:57
Hello cubfan :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

Check for additional security risks

Please download CKScanner© by askey127 and save to your desktop. Click here. (http://downloads.malwareremoval.com/CKScanner.exe)
Double click on CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
Post the contents of ckfiles.txt, which is located on your desktop, in your reply.
Please run the program only once.

--------------------

Validate Windows

Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here. (http://go.microsoft.com/fwlink/?linkid=52012)
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

--------------------

Please post back:
1. CKScanner log
2. MGADiag result

cubfan
2013-02-23, 22:02
This is the result from CKScanner:
CKScanner 2.1 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.PUCPJO
----- EOF -----

MGADiag:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BFDCC-3BMCY-QGWPD
Windows Product Key Hash: 8dFTlxbCDMH7eCGI/GjBzGT53UI=
Windows Product ID: 76477-OEM-2111907-00109
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {14539B45-4572-450C-AC1A-BE60D0BD10F2}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.8.31.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.8.31.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Default Browser: C:\Documents and Settings\Art\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Allowed
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{14539B45-4572-450C-AC1A-BE60D0BD10F2}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QGWPD</PKey><PID>76477-OEM-2111907-00109</PID><PIDType>2</PIDType><SID>S-1-5-21-247292582-3794261224-3473990468</SID><SYSTEM><Manufacturer>ASUSTeK Computer INC.</Manufacturer><Model>1000HE</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0902 </Version><SMBIOSVersion major="2" minor="5"/><Date>20090624000000.000000+000</Date><SLPBIOS>ASUSTeK Pegasus,ASUS_FLASH,ASUS_FLASH</SLPBIOS></BIOS><HWID>A1513C970184C075</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>ASUS</name><model>EeePC</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.0"/><File Name="WgaLogon.dll" Version="1.8.31.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>810E476F69C16D6</Val><Hash>pMTj011kCo0ufMrKl9VcAAeypno=</Hash><Pid>81599-875-0731395-65771</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E840:ASUSTeK Computer Inc|15020:ASUSTeK Computer Inc|16760:GENUINE C&C INC
Marker string from OEMBIOS.DAT: ASUSTeK Pegasus,ASUS_FLASH,ASUS_FLASH

OEM Activation 2.0 Data-->
N/A

Jack&Jill
2013-02-25, 01:28
Hello cubfan :),

A couple of questions before we move on.

Is this a work computer or are you accessing your work online through this computer?

How many times did you run CKScanner?

cubfan
2013-02-25, 15:29
It is my personal computer but I do sometimes access my work desktop.

CKScanner I unfortunately ran 3 times. The first two times I couldn't find where the text file was saved (USB drive vs. desktop) and didn't notice the instruction to run it only once until it was too late. I copied the program to the desktop hoping that would somehow reset it but judging by your question it did not. :sad:

Jack&Jill
2013-02-26, 04:33
Hello cubfan :),

Please read these:
Ransomware risk heightened with BYOD (http://www.zdnet.com/ransomware-risk-heightened-with-byod-7000005673/)

With the rise of ransomware in the recent quarter, enterprises are increasingly at risk when end-users circumvent corporate policies, especially on personal devices.


Personal computers (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

I suggest you reformat your computer, reinstall Windows and inform your organization's IT department that you have accessed the network with an infected computer.

cubfan
2013-02-27, 02:54
I can't reinstall Windows (no recovery partition) but I do understand the stance regarding computers that may have company information on them. I knew the forum was for personal computers only but hadn't considered the potential issues that accessing a remote desktop might create.

Regardless, thank you for your help. This forum provides a great service!!

:)

Jack&Jill
2013-02-28, 01:28
Hello cubfan :),

You are welcome. It's worth considering purchasing new disks with Windows 7 or higher.

Jack&Jill
2013-03-03, 17:34
As we have reached a point where we cannot proceed further and you need to seek help from alternative sources or reformat the computer, this topic is now closed.

We are glad to be of help up to this point. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)