
Thread: Malware Issue

  1. #1
    Junior Member
    Join Date
    Nov 2010
    Posts
    16

    Malware Issue

    I'd like to thank the people in these forums as they are a great help and their help is much appreciated.

    To start, I opened a thread in the wrong area without reading what I was supposed to read and I apologize. Here's the link:
    http://forums.spybot.info/showthread.php?t=60375

    On a side note, I did not run combofix nor could I. I also couldn't attach the Attach file as a .rar and I'm not experienced enough to figure out why I can't zip it...

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by rusty at 17:04:50.67 on Thu 11/11/2010
    Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1942 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\taskeng.exe
    C:\Users\rusty\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\rusty\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TCP: NameServer = 93.188.164.128,93.188.160.208
    TCP: {979D4F56-CD33-4913-823C-4FFDC412C0AF} = 93.188.164.128,93.188.160.208
    TCP: {D1B63795-7986-47A5-961C-D7B144828249} = 93.188.164.128,93.188.160.208
    mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
    R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-11-11 20:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-11 20:53:30 -------- d-----w- c:\progra~2\Malwarebytes
    2010-11-11 20:53:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-11 20:53:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
    2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
    2010-11-07 20:55:04 -------- d-----w- c:\progra~2\SmartSound Software Inc
    2010-11-07 20:55:03 -------- d-----w- c:\program files\SmartSound Software
    2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
    2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
    2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
    2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
    2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts
    2010-11-02 05:51:01 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1a5465b8-ff88-4bd9-acd8-42e36f680278}\mpengine.dll
    2010-10-31 23:20:11 -------- d-----w- c:\windows\system32\world
    2010-10-27 23:39:45 -------- d-----w- c:\users\rusty\appdata\roaming\.minecraft
    2010-10-26 18:26:47 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-26 18:26:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-26 18:26:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
    2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85A0EEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86184872; SUB DWORD [EBP-0x4], 0x8618412e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x82296962] -> \Device\Harddisk0\DR0[0x85BBF620]
    3 CLASSPNP[0x8B5A88B3] -> ntkrnlpa!IofCallDriver[0x82296962] -> [0x85AFA658]
    5 acpi[0x807396BC] -> ntkrnlpa!IofCallDriver[0x82296962] -> [0x85ADF5E0]
    [0x868354F8] -> IRP_MJ_CREATE -> 0x85A0EEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85A0EAEA
    \Driver\atapi -> 0x858e21f8
    user & kernel MBR OK
    sectors 976773166 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 17:06:15.87 ===============

  2. #2
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello rustygun01,

    Sorry for the delay.

    If you still need help, please delete the DDS file that you have and download a fresh copy from one of the links below. Please post new DDS logs.

    Link 1
    Link 2
    Link 3

    Otherwise, this topic will be closed after 3 days.

  3. #3
    Junior Member
    Join Date
    Nov 2010
    Posts
    16


    No worries Jack&Jill. I appreciate the help and time wasn't a concern for me.

    Here's the updated DDS file:


    DDS (Ver_10-11-10.01) - NTFSx86
    Run by rusty at 0:52:46.09 on Fri 11/19/2010
    Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2156 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\rusty\Downloads\dds(2).scr
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
    StartupFolder: c:\users\rusty\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TCP: NameServer = 93.188.164.128,93.188.160.208
    TCP: {979D4F56-CD33-4913-823C-4FFDC412C0AF} = 93.188.164.128,93.188.160.208
    TCP: {D1B63795-7986-47A5-961C-D7B144828249} = 93.188.164.128,93.188.160.208
    mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
    R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-11-11 20:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-11 20:53:30 -------- d-----w- c:\progra~2\Malwarebytes
    2010-11-11 20:53:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-11 20:53:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
    2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
    2010-11-07 20:55:04 -------- d-----w- c:\progra~2\SmartSound Software Inc
    2010-11-07 20:55:03 -------- d-----w- c:\program files\SmartSound Software
    2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
    2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
    2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
    2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
    2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts
    2010-11-02 05:51:01 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1a5465b8-ff88-4bd9-acd8-42e36f680278}\mpengine.dll
    2010-10-31 23:20:11 -------- d-----w- c:\windows\system32\world
    2010-10-27 23:39:45 -------- d-----w- c:\users\rusty\appdata\roaming\.minecraft
    2010-10-26 18:26:47 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-26 18:26:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-26 18:26:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85A0DEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86184872; SUB DWORD [EBP-0x4], 0x8618412e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x8227A962] -> \Device\Harddisk0\DR0[0x85BBF360]
    3 CLASSPNP[0x8B7A68B3] -> ntkrnlpa!IofCallDriver[0x8227A962] -> [0x85AF5918]
    5 acpi[0x8AF3F6BC] -> ntkrnlpa!IofCallDriver[0x8227A962] -> [0x85AE9030]
    [0x86854A00] -> IRP_MJ_CREATE -> 0x85A0DEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85A0DAEA
    \Driver\atapi -> 0x858e21f8
    user & kernel MBR OK
    sectors 976773166 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 0:58:31.76 ===============

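    The two DDS logs above carry the same handful of entries a helper looks at first: statically configured public DNS resolvers, an Active Setup (mASetup) entry whose "GUID" is not hexadecimal and which launches an executable out of the user's profile, a Hosts line that points a security site at loopback, UAC switched off, and the MBR detector's "user != kernel" warning. The following script is an added example written for this thread, not a tool from the forum or from the DDS authors; it runs the checks just listed over lines copied from the posted report and is meant only to show how such a log can be triaged mechanically. The severity labels and the heuristics (for instance "a public resolver address deserves review") are assumptions of the example, not something the thread states.

```python
import ipaddress
import re

# Sample input: lines copied from the "Pseudo HJT Report" and "ROOTKIT" sections of the
# DDS logs posted in this thread. The Adobe BHO and the Malwarebytes RunOnce lines are
# benign control entries that the checks must leave alone.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.164.128,93.188.160.208
TCP: {979D4F56-CD33-4913-823C-4FFDC412C0AF} = 93.188.164.128,93.188.160.208
mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
Hosts: 127.0.0.1 www.spywareinfo.com
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# A genuine COM / Active Setup GUID is five groups of hex digits laid out 8-4-4-4-12.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
# DDS prefixes for autostart locations (machine/user Run keys, Active Setup, Startup folder).
AUTOSTART_KEYS = ("mRun", "uRun", "mRunOnce", "uRunOnce", "mASetup", "StartupFolder")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def check_line(line):
    """Return a list of (severity, reason) findings for one DDS report line."""
    findings = []
    key, _, rest = line.partition(": ")
    rest = rest.strip()

    if key == "TCP":
        # DDS prints statically configured resolvers; heuristic (assumption of this example):
        # anything that is not a private/loopback address should be reviewed by the analyst.
        for ip in rest.split("=", 1)[1].strip().split(","):
            ip = ip.strip()
            try:
                if not ipaddress.ip_address(ip).is_private:
                    findings.append(("high", f"DNS resolver is a public address: {ip}"))
            except ValueError:
                findings.append(("medium", f"unparseable DNS resolver value: {ip!r}"))

    elif key == "Hosts":
        # A name other than localhost mapped to loopback is a sinkhole; here it silences
        # a security site, which is the classic use.
        target, _, name = rest.partition(" ")
        if target in LOOPBACK and name.lower() != "localhost":
            findings.append(("high", f"hosts file sinkholes {name} to {target}"))

    elif key == "mPolicies-system" and rest.startswith("EnableLUA = 0"):
        findings.append(("medium", "UAC disabled (EnableLUA = 0)"))

    elif key in AUTOSTART_KEYS:
        if key == "mASetup":
            guid = rest.split(" ", 1)[0]
            if not GUID_RE.match(guid):
                findings.append(("high", f"Active Setup entry with malformed GUID {guid}"))
        # Legitimate autostarts almost always live under Program Files or Windows.
        lowered = rest.lower()
        if "\\appdata\\" in lowered or "\\users\\" in lowered:
            findings.append(("high", "autostart launches a program from a user profile directory"))

    elif key == "BHO" and rest.endswith("- No File"):
        findings.append(("low", "orphaned BHO registration (No File)"))

    elif "user != kernel" in line or line.startswith("Warning: possible"):
        # The Gmer MBR check compares the sector read through the normal stack with the one
        # read through the kernel; a mismatch is the strongest signal in the whole log.
        findings.append(("critical", f"MBR/rootkit detector: {line}"))

    return findings


def triage(report):
    """Scan a whole DDS report and return findings as (severity, line, reason) tuples."""
    results = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        for severity, reason in check_line(line):
            results.append((severity, line, reason))
    return results


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_DDS):
        print(f"[{severity:8}] {reason}\n           {line}")
```

Run as-is it prints eleven findings for the sample, none of them for the Adobe BHO or the Malwarebytes RunOnce line. To use it on a real DDS.txt, pass the file contents to triage(); the checks are deliberately narrow so that a clean system produces no output, and each finding keeps the original line so the analyst can verify it against the log rather than trust the label.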
  4. #4
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello rustygun01,

    Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

    Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
    • Please observe and follow these Forum Rules.
    • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
    • Please read the instructions carefully and follow them closely, in the order they are presented to you.
    • If you have any doubts or problems during the fix, please stop and ask.
    • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
    • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
    • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
    • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
    • If you do not reply within 3 days, this topic will be closed.

    If you are agreeable to the above, then everything should go smoothly. We may begin.

    --------------------

    For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

    What do you use the computer for?

    --------------------

    Remove P2P software
    • IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

      µTorrent
      LimeWire PRO 5.4.6


    • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
    • Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
    • Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above (in red).
    • Please remove them before we continue with fixing your computer.


    --------------------

    I see that you have some programs that are not recommended or not safe on board your computer. You may uninstall them through Add/Remove Programs at the Control Panel.

    PunkBuster

    PunkBuster is a gaming tool that uses spyware techniques and can take over your computer. It is not likely that your computer could be cleaned without breaking or removing it, and this would result in not being able to play the associated games or worse.

    Since PunkBuster is malware/spyware by our definition, you will need to choose one of the following:
    1. Leave PunkBuster alone and continue cleaning malware, but understand that there is no assurance you will be able to play games afterwards.
    2. Remove PunkBuster and continue cleaning.
    3. Leave PunkBuster alone and stop cleaning.

    See here for more information.

    If you choose to uninstall PunkBuster
    • Please download the PBSVC setup program and save it to your desktop. Click here.
    • Double click on pbsvc.exe and click Uninstall.
    • Open Windows Explorer and navigate to C:\windows\system32\drivers.
    • Find files with PnkBstr in the name and delete them.
    • Repeat the delete-files step in the folder C:\windows\system32.


    --------------------

    Validate Windows
    • Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here.
    • Double click on MGADiag.exe to run it.
    • Click Continue.
    • The program will run. It takes a while to finish the diagnosis, please be patient.
    • Once done, click on Copy.
    • Open Notepad and paste the contents in. Save this file and post it in your next reply.


    --------------------

    Check for additional security risks
    • Please download CKScanner© by askey127 and save to your desktop. Click here.
    • Double click on CKScanner.exe and click Search For Files.
    • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
    • Post the contents of ckfiles.txt, which is located on your desktop, in your reply.


    --------------------

    Please post back:
    1. the answer to my question about your computer
    2. MGADiag result
    3. CKScanner log
    4. new DDS log (Attach.txt only)

  5. #5
    Junior Member
    Join Date
    Nov 2010
    Posts
    16

    Default

    Thanks again Jack&Jill. To start off, I ended up getting MGAD from MegaUpload.com because the link you gave me wasn't working for me. Anyways, I hope that I answer all of your questions thoroughly.

    1. What do I use my computer for?
    I use my computer to do online school work, to play video games, and watch animes. In short, I use my computer for school and entertainment.

    2. MGADiag Result
    Diagnostic Report (1.7.0069.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Genuine
    Validation Code: 0
    Online Validation Code: 0x0
    Cached Validation Code: 0x0
    Windows Product Key: *****-*****-44V4P-2GQFR-MFQDR
    Windows Product Key Hash: y0/thimbRcU8fUGzOd0S+qX2wUw=
    Windows Product ID: 89578-OEM-7359623-29556
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6002.2.00010300.2.0.003
    CSVLK Server: N/A
    CSVLK PID: N/A
    ID: {5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6002.vistasp2_gdr.100608-0458
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Notifications Data-->
    Cached Result: N/A
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MFQDR</PKey><PID>89578-OEM-7359623-29556</PID><PIDType>3</PIDType><SID>S-1-5-21-2005747108-265105218-770747461</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1101 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081226000000.000000+000</Date></BIOS><HWID>3F333507018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65321</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    3. CKScanner Log
    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\alaplaya\loco\animations\devilcrack.ukx
    c:\program files\alaplaya\loco\animations\naturecrack.ukx
    c:\program files\alaplaya\loco\animations\set1devilpropcrack.ukx
    c:\program files\alaplaya\loco\animations\set1naturepropcrack.ukx
    c:\program files\alaplaya\loco\animations\set1otherpropcrack.ukx
    c:\program files\alaplaya\loco\animations\set2otherpropcrack.ukx
    c:\program files\bethesda softworks\morrowind\data files\icons\i_pf_crackhammer.tga
    c:\program files\bethesda softworks\morrowind\data files\meshes\weapons\pf_crackhammer.nif
    c:\program files\bethesda softworks\morrowind\data files\textures\pf_crackhammer.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_crackedplaster00.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth01.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth03.dds
    hosts 127.0.0.1 practivate.adobe.com
    scanner sequence 3.ZZ.11
    ----- EOF -----

    4. New DDS Log (attach only)
    Attached!

  6. #6
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Default

    Hello rustygun01 ,

    To start off, I ended up getting MGAD from MegaUpload.com because the link you gave me wasn't working for me.
    The site is not reliable, which also means the MGADiag you got from that location is also not reliable. Check here. It is outdated as well. In fact, megaupload has the characteristics of P2P, only in other forms. I suggest you stay clear of it and also uninstall Mega Manager, which is related to it. We will come to the MGADiag later, after we get you to address a few things.

    --------------------

    Cracks / Keygens / Warez / Illegal software detected!!!

    Your log indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal software or the illegitimate websites you visited to get it.

    Please read the fourth post of the Forum Rules .
    Note:
    We do not support the use of illegal Pirated/Warez/Cracked software.

    If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities, be aware that malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.
    If you still want help, please remove the illegal items from your computer, and if you still need the software, get legal copies from legitimate sources.
    If you advise that the illegal software has been removed and I find otherwise (the tools we use can and will detect it), then I will have no choice but to have this topic closed.
    If there are more such new findings after this, the topic will also be closed.

    Please remove/uninstall the following before we continue:
    All your Adobe CS4 programs and the other crack programs you tried to hide.

    Please post a new CKScanner log.

  7. #7
    Junior Member
    Join Date
    Nov 2010
    Posts
    16

    Default

    Alrighty. I read through the rules and removed pretty much anything that would hinder you from helping me. I may or may not have missed a few files here or there, but nothing from what I can see/find goes against the rules this time. Sorry about that.

    I re-did the ckscanner and ran a new DDS Attach for you.

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\alaplaya\loco\animations\devilcrack.ukx
    c:\program files\alaplaya\loco\animations\naturecrack.ukx
    c:\program files\alaplaya\loco\animations\set1devilpropcrack.ukx
    c:\program files\alaplaya\loco\animations\set1naturepropcrack.ukx
    c:\program files\alaplaya\loco\animations\set1otherpropcrack.ukx
    c:\program files\alaplaya\loco\animations\set2otherpropcrack.ukx
    c:\program files\bethesda softworks\morrowind\data files\icons\i_pf_crackhammer.tga
    c:\program files\bethesda softworks\morrowind\data files\meshes\weapons\pf_crackhammer.nif
    c:\program files\bethesda softworks\morrowind\data files\textures\pf_crackhammer.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_crackedplaster00.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth01.dds
    c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth03.dds
    hosts 127.0.0.1 practivate.adobe.com
    scanner sequence 3.JD.11
    ----- EOF -----

    Also, I took your tip and uninstalled Mega Manager. My computer actually got infected when I was getting an add-on for Minecraft, a computer game. I can't remember the site, but I was looking for an application to help map a world and ended up getting infected. I wasn't very intelligent to download it without scanning the file.

    Also, as a side note, I did get rid of Adobe Creative Suite 4, but it keeps saying that it can't uninstall 1 part of Adobe because it's in use. I'm uncertain as to what it is, but it isn't an application so I'm assuming it's a service that is being used. Because of that one section that can't be uninstalled, it won't remove itself from my Programs and Features. I am looking into it and I'll post back as soon as I figure out how to remove it completely.

  8. #8
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Default

    Hello rustygun01 ,

    Thank you for removing all the illegal items. Have you tried uninstalling the remaining Adobe CS4 programs right after a fresh start-up of the computer?

    --------------------

    For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

    Let's make way for MGADiag so that you can download and run it.

    Clear TCP
    • Open Notepad. Copy and paste the following text into it:
      Code:
      @echo off
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{979D4F56-CD33-4913-823C-4FFDC412C0AF}" /v "NameServer" /f
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1B63795-7986-47A5-961C-D7B144828249}" /v "NameServer" /f
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{979D4F56-CD33-4913-823C-4FFDC412C0AF}" /v "NameServer" /f
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1B63795-7986-47A5-961C-D7B144828249}" /v "NameServer" /f
      ipconfig /flushdns
      del %0
    • Save it as ClearTCP.bat on the desktop. Make sure the Save as type: is All Files (*.*).
    • Double click on ClearTCP.bat to run it. Allow if prompted by any security software.


    Please reboot your computer.

    --------------------

    Validate Windows
    • Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here.
    • Double click on MGADiag.exe to run it.
    • Click Continue.
    • The program will run. It takes a while to finish the diagnosis, please be patient.
    • Once done, click on Copy.
    • Open Notepad and paste the contents in. Save this file and post it in your next reply.


    --------------------

    Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

    Please download GMER and save it to your desktop. Click here.
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
    • If you need help to disable your protection programs see here and here.
    • Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
    • In the right panel, you will see several boxes that have been checked (ticked).
      • Uncheck IAT/EAT
      • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
      • Uncheck Show All (don't miss this one)
    • Then click the Scan button and wait for it to finish.
    • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
    • Re-enable your security software as soon as you have completed the GMER steps.
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

    --------------------

    Please post back:
    1. the answer to my question about Adobe CS4
    2. MGADiag result
    3. GMER log
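    An audit-only counterpart to the ClearTCP.bat script in this post, added here as an example and not Jack&Jill's own script. ClearTCP.bat deletes the NameServer values under Tcpip\Parameters and under two interface subkeys whose GUIDs are specific to the poster's machine; the script below reads the same values on every interface and only reports them, so a helper can see which adapters carry a static DNS override before anything is cleared. It also lists hosts file entries other than the default localhost mappings, the kind of entry CKScanner reported earlier in this thread. It assumes Windows PowerShell 2.0 or later, run with Run as administrator.

```powershell
# Added example, not part of the thread and not Jack&Jill's script.
# Read-only audit of the registry values ClearTCP.bat deletes, plus the hosts file.
# Assumptions: Windows PowerShell 2.0 or later, run elevated (Run as administrator).

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-NameServerOverrides {
    # Returns one object per location where a non-empty NameServer value exists.
    $results = @()

    # Global value: the first key ClearTCP.bat touches.
    $params = Get-ItemProperty -Path $tcpipParams -ErrorAction SilentlyContinue
    if ($params -and $params.NameServer) {
        $results += New-Object PSObject -Property @{
            Scope = 'Global'; Location = $tcpipParams; NameServer = $params.NameServer
        }
    }

    # One subkey per network interface, named by the interface GUID.
    # ClearTCP.bat names two GUIDs explicitly; this walks whatever the machine has.
    foreach ($iface in (Get-ChildItem -Path "$tcpipParams\Interfaces" -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $iface.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.NameServer) {
            $results += New-Object PSObject -Property @{
                Scope = 'Interface'; Location = $iface.PSChildName; NameServer = $props.NameServer
            }
        }
    }
    return $results
}

function Get-HostsOverrides {
    # Returns hosts entries other than the default localhost mappings.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $defaults  = @('localhost', 'localhost.localdomain', 'broadcasthost')
    $entries   = @()
    foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blank or comment line
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        if ($defaults -notcontains $parts[1]) {
            $entries += New-Object PSObject -Property @{ Address = $parts[0]; Hostname = $parts[1] }
        }
    }
    return $entries
}

$overrides = Get-NameServerOverrides
if ($overrides) { $overrides | Format-Table Scope, Location, NameServer -AutoSize }
else { Write-Output 'No static NameServer values found.' }

$hosts = Get-HostsOverrides
if ($hosts) { $hosts | Format-Table Address, Hostname -AutoSize }
else { Write-Output 'No custom hosts entries found.' }
```

    Run it before ClearTCP.bat to record what is set, and again after the reboot to confirm the values are gone. A NameServer value that reappears on an interface after it has been cleared is worth mentioning in the thread, since it points at something restoring it.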

  9. #9
    Junior Member
    Join Date
    Nov 2010
    Posts
    16

    Default

    I've actually tried that and running it in safe mode to uninstall it and I keep getting the same error message when uninstalling. When I googled the problem, all that came up was problems installing that specific part of the suite. I have no programs that start up at start-up so I'm strongly thinking that it's a service and I don't mess with those enough to know which one is causing the problem.

    I didn't have any problems opening the link this time, thank you. I ran the MGADiag without any problems as well. It's in the zip that's attached. On a side note for Gmer, the first time I ran it my computer shutdown. I wasn't watching so I don't know what happened, but it worked fine the second time I ran it. The Gmer log is also in the zip that's attached.


    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-44V4P-2GQFR-MFQDR
    Windows Product Key Hash: y0/thimbRcU8fUGzOd0S+qX2wUw=
    Windows Product ID: 89578-OEM-7359623-29556
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6002.2.00010300.2.0.003
    ID: {5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6002.vistasp2_gdr.100608-0458
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Plus 2007 - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MFQDR</PKey><PID>89578-OEM-7359623-29556</PID><PIDType>3</PIDType><SID>S-1-5-21-2005747108-265105218-770747461</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1101 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081226000000.000000+000</Date></BIOS><HWID>3F333507018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65321</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.0.6002.18005
    Name: Windows(TM) Vista, HomePremium edition
    Description: Windows Operating System - Vista, OEM_COA_NSLP channel
    Activation ID: f3acdd3c-119a-4932-a3d7-0b6f33a1dca9
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 89578-00146-596-229556-02-1033-6000.0000-0902009
    Installation ID: 012201058245321803361291947703482931519804947025796543
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
    Partial Product Key: MFQDR
    License Status: Licensed

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    HWID Hash Current: OgAAAAEABAABAAEAAwABAAAAAwABAAEA6GGCe8CEMNoCG1TyEDNkXxbQje/y9J4vWOc/GCjhrFaonA==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
    ACPI Table Name OEMID Value OEMTableID Value
    APIC 122608 APIC1458
    FACP 122608 FACP1458
    HPET 122608 OEMHPET
    MCFG 122608 OEMMCFG
    OEMB 122608 OEMB1458
    SSDT A M I POWERNOW


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-22 13:20:03
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDP725050GLA360 rev.GM4OA5CA
    Running: s6j75x23.exe; Driver: C:\Users\rusty\AppData\Local\Temp\fglcrpow.sys


    ---- System - GMER 1.0.15 ----

    INT 0x52 ? 85B0BF00
    INT 0x62 ? 85B0BF00
    INT 0x71 ? 84B21BF8
    INT 0x72 ? 85B0BF00
    INT 0x72 ? 85B0BF00
    INT 0x72 ? 85B0BF00
    INT 0x81 ? 84B21BF8
    INT 0x91 ? 84B21BF8
    INT 0xA1 ? 85B0BF00
    INT 0xA1 ? 85B0BF00
    INT 0xA1 ? 85B0BF00

    ---- Kernel code sections - GMER 1.0.15 ----

    ? System32\Drivers\spxh.sys The system cannot find the path specified. !
    .rsrc C:\Windows\system32\DRIVERS\AtiPcie.sys entry point in ".rsrc" section [0x8B5C1014]
    .text USBPORT.SYS!DllUnload 93F9C41B 5 Bytes JMP 85B0B4E0
    .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9FE0F300, 0x3AF78, 0xE8000020]
    .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9FE56300, 0x1BCE, 0xE8000020]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 858E31F8
    Device \Driver\volmgr \Device\VolMgrControl 84B231F8
    Device \Driver\usbohci \Device\USBPDO-0 868E61F8
    Device \Driver\usbohci \Device\USBPDO-1 868E61F8
    Device \Driver\usbehci \Device\USBPDO-2 8684A1F8
    Device \Driver\usbohci \Device\USBPDO-3 868E61F8
    Device \Driver\usbohci \Device\USBPDO-4 868E61F8
    Device \Driver\usbehci \Device\USBPDO-5 8684A1F8
    Device \Driver\usbohci \Device\USBPDO-6 868E61F8
    Device \Driver\volmgr \Device\HarddiskVolume1 84B231F8
    Device \Driver\cdrom \Device\CdRom0 8684C1F8
    Device \Driver\volmgr \Device\HarddiskVolume2 84B231F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-2 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 858E21F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdePort0 858E21F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdePort1 858E21F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdePort2 858E21F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdePort3 858E21F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-5 85A0EAEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-5 858E21F8
    Device \Driver\volmgr \Device\HarddiskVolume3 84B231F8
    Device \Driver\USBSTOR \Device\00000073 875D61F8
    Device \Driver\USBSTOR \Device\00000074 875D61F8
    Device \Driver\volmgr \Device\HarddiskVolume4 84B231F8
    Device \Driver\USBSTOR \Device\00000075 875D61F8
    Device \Driver\volmgr \Device\HarddiskVolume5 84B231F8
    Device \Driver\USBSTOR \Device\00000076 875D61F8
    Device \Driver\volmgr \Device\HarddiskVolume6 84B231F8
    Device \Driver\USBSTOR \Device\00000069 875D61F8
    Device \Driver\USBSTOR \Device\00000077 875D61F8
    Device \Driver\volmgr \Device\HarddiskVolume7 84B231F8
    Device \Driver\netbt \Device\NetBt_Wins_Export 87504500
    Device \Driver\USBSTOR \Device\00000078 875D61F8
    Device \Driver\volmgr \Device\HarddiskVolume8 84B231F8
    Device \Driver\Smb \Device\NetbiosSmb 875011F8
    Device \Driver\BTHUSB \Device\00000079 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\iScsiPrt \Device\RaidPort0 868E81F8
    Device \Driver\USBSTOR \Device\0000006c 875D61F8
    Device \Driver\usbohci \Device\USBFDO-0 868E61F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{D1B63795-7986-47A5-961C-D7B144828249} 87504500
    Device \Driver\usbohci \Device\USBFDO-1 868E61F8
    Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\usbehci \Device\USBFDO-2 8684A1F8
    Device \Driver\usbohci \Device\USBFDO-3 868E61F8
    Device \Driver\usbohci \Device\USBFDO-4 868E61F8
    Device \Driver\usbehci \Device\USBFDO-5 8684A1F8
    Device \Driver\usbohci \Device\USBFDO-6 868E61F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{979D4F56-CD33-4913-823C-4FFDC412C0AF} 87504500
    Device \FileSystem\cdfs \Cdfs 881E01F8
    Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616fb497 0x65 0xD8 0x89 0xCA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616ff0a2 0xC3 0x93 0x0F 0x82 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFE 0x42 0x71 0xDA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0xCA 0x0A 0x8F ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x38 0x34 0x28 0x2D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xF8 0x3C 0xF1 0x51 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xCE 0xDD 0xE7 0x81 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x25 0x52 0x59 0x1E ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616fb497 0x65 0xD8 0x89 0xCA ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616ff0a2 0xC3 0x93 0x0F 0x82 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFE 0x42 0x71 0xDA ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0xCA 0x0A 0x8F ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x38 0x34 0x28 0x2D ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xF8 0x3C 0xF1 0x51 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xCE 0xDD 0xE7 0x81 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x25 0x52 0x59 0x1E ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 976772912 (+254): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\DRIVERS\AtiPcie.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
    Last edited by Jack&Jill; 2010-11-23 at 01:00. Reason: Preferable to have the logs copied and pasted in your reply
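    A read-only triage pass over a saved GMER report such as the one posted above, added here as an example; it is not part of the thread and not GMER's own code. It splits the report at the "---- Section - GMER x.y.z ----" headers, counts the entries in each section, and lists the lines GMER itself marks with "ROOTKIT" or "rootkit-like", which, as the instructions earlier in the thread say, are often false positives; the script therefore reports and changes nothing. Without a -Path argument it parses a constructed sample that mirrors the layout of the posted log (driver name and addresses in the sample are made up).

```powershell
# Added example, not part of the thread and not GMER's code.
# Usage: .\Triage-Gmer.ps1 -Path .\Gmer.txt   (no -Path: parse the constructed sample below)
param([string]$Path)

# Constructed sample in GMER's report layout; the driver name and addresses are made up.
$sampleReport = @'
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-22 13:20:03

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\DRIVERS\example.sys  section is writeable [0x9FE0F300, 0x3AF78, 0xE8000020]

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  sectors 976772912 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File  C:\Windows\system32\DRIVERS\example.sys  suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
'@

function Get-GmerTriage {
    param([string[]]$Lines)
    $counts  = @{}      # section name -> number of non-blank entries
    $flagged = @()      # entries GMER labelled as rootkit-related
    $section = 'Header'
    foreach ($line in $Lines) {
        # Section headers look like "---- Files - GMER 1.0.15 ----"
        if ($line -match '^----\s+(.+?)\s+-\s+GMER\b') {
            $section = $Matches[1]
            continue
        }
        $text = $line.Trim()
        if ($text -eq '') { continue }
        if (-not $counts.ContainsKey($section)) { $counts[$section] = 0 }
        $counts[$section]++
        if ($text -match 'ROOTKIT|rootkit-like') {
            $flagged += New-Object PSObject -Property @{ Section = $section; Entry = $text }
        }
    }
    New-Object PSObject -Property @{ Counts = $counts; Flagged = $flagged }
}

$lines  = if ($Path) { Get-Content -Path $Path } else { $sampleReport -split "`r?`n" }
$triage = Get-GmerTriage -Lines $lines

Write-Output 'Entries per section:'
$triage.Counts.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize

Write-Output 'Entries GMER flagged as rootkit-related (verify before acting; often false positives):'
if ($triage.Flagged) { $triage.Flagged | Format-Table Section, Entry -AutoSize -Wrap }
else { Write-Output '  none' }
```

    The per-section counts make it easy to see at a glance whether a report is dominated by ordinary hooks and device entries or by the Disk sectors and Files sections, which is where the posted log carries its two flagged lines. The flagged list is for the helper to cross-check against the rest of the thread, not an instruction to delete anything.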

  10. #10
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Default

    Hello rustygun01 ,

    You might want to try Revo Uninstaller to see if you can uninstall the remaining Adobe CS4.

    --------------------

    For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

    Disable CD Emulation drivers
    • Please download DeFogger© by jpshortstuff and save it to your desktop. Click here.
    • Double click on DeFogger.exe to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue.
    • A Finished! message will appear, then click OK.
    • DeFogger will now ask to reboot the machine, click OK.
    • DO NOT re-enable these drivers until otherwise instructed.


    If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    --------------------

    Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

    Link 1
    Link 2

    Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

    Run ComboFix
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on ComboFix.exe and follow the prompts.
    • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    A detailed step by step tutorial to run ComboFix can be found here if you need help.

    --------------------

    I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

    Avast
    Avira
    Microsoft Security Essentials

    Please keep only one AV installed.

    --------------------

    Please post back:
    1. the ComboFix log
