click.giftload

[yellowhawk]

Hello, my computer is infected with this virus. Os is windows xp, currently have spybot search and destroy on my system. it can find and locate but not remove the virus. any help would be greatly appreciated.
Thanks again.

[Blottedisk]

Hi yellowhawk,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Please follow these steps in order:


Step 1 | Download DDS from any of the links below:

Link 1
Link 2
Link 2

--------------------------------------------------------------------

• Save it to your desktop.
• Please disable any anti-malware program that will block scripts from running before running DDS.
• Double-Click on dds and a command window will appear. This is normal.
• Shortly after two logs will appear:
  
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs.
• Save the logs to a convenient place such as your desktop.
• Post the contents of the DDS.txt report in your next reply.
• Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Make sure all options are checked except:
  
  • IAT/EAT
  • Drives/Partition other than Systemdrive, which is typically C:\
  • Show All (This is important, so do not miss it.)

Click the image to enlarge it

• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Step 3 | Please download aswMBR to your desktop.

• Double click the aswMBR icon to run it.
  Vista and Windows 7 users right click the icon and choose "Run as administrator".
• Click the Scan button to start scan.
• When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Click the image to enlarge it


Step 4 | Please download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window will open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
• Please post the contents of that file.

[yellowhawk]

Thanks so much for taking the time to help. I downloaded the dds and ran it but only one file appeared. I'm posting that now.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Albert at 12:46:39 on 2011-06-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.205 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: adfabqibpr Object: {1dab052a-0631-4a71-91e2-33d7f4001e32} - c:\windows\$xntuninstall643$\uolrq.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: brumabqibgrm Object: {caeb7882-f486-4ff6-8f2b-d14219b4f129} - c:\windows\$xntuninstall643$\mkvxl.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ASH24SXZ9S] c:\documents and settings\albert\local settings\temp\Fbz.exe
uRun: [765705838] c:\documents and settings\networkservice\local settings\application data\kuo.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; WinNT-PAI 01.08.2009; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.candystand.com/play-random-game?utm_source=adon_113124_40014&utm_medium=cpc&utm_campaign=adon2010"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [GhostStartTrayApp] c:\program files\norton systemworks\norton ghost\GhostStartTrayApp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bipro] rundll32 "c:\windows\$xntuninstall643$\uolrq.dll",,Run
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [3702553843] c:\documents and settings\networkservice\local settings\application data\yom.exe
dRun: [765705838] c:\documents and settings\networkservice\local settings\application data\kuo.exe
StartupFolder: c:\docume~1\albert\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\albert\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{83DA6355-3187-4157-B0F6-B56770CA6A41} : DhcpNameServer = 192.168.1.254
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-11-20 4064]
R1 GhPciScan;GhostPciScanner;c:\program files\norton systemworks\norton ghost\GhPciScan.sys [2002-8-14 5632]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R2 MrHealthyService;MrHealthy;c:\program files\norton pc checkup\executables\mrhealthy\mrhealthy.exe -service --> c:\program files\norton pc checkup\executables\mrhealthy\MrHealthy.exe -service [?]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2002-8-19 116336]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-2-15 135168]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R2 SDFirewallService;Spybot-S&D 2 Firewall Service;c:\program files\spybot - search & destroy 2\SDFWSvc.exe [2011-6-21 3585696]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NAVENG.Sys [2004-10-11 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NavEx15.Sys [2004-10-11 1360760]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
S2 SDMonitorService;Spybot-S&D 2 Monitoring Service;c:\program files\spybot - search & destroy 2\SDMonSvc.exe [2011-6-21 3834456]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-6-21 3515656]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-6-21 3769048]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2011-6-21 167040]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
.
=============== Created Last 30 ================
.
2012-04-28 19:26:45 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-04-28 19:26:45 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-22 01:33:11 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-06-22 01:32:53 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-06-22 01:32:53 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-06-22 01:32:52 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-06-21 17:30:59 1134 ----a-w- C:\FixNCR.reg
2011-06-21 06:38:46 7866472 ----a-w- C:\mseinstall.exe
2011-06-20 19:00:03 -------- d-----w- c:\windows\$XNTUninstall643$
2011-06-20 18:59:30 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-06-15 20:47:17 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-04 20:50:18 -------- d-----w- c:\documents and settings\all users\application data\WorldWinner
.
==================== Find3M ====================
.
2011-06-16 14:57:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 12:48:50.76 ===============
what should i do next?

[yellowhawk]

sorry found the other file.

[yellowhawk]

Here is the gmer.log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-27 16:55:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Maxtor_6 rev.YAR5
Running: gmer.exe; Driver: C:\DOCUME~1\Albert\LOCALS~1\Temp\fwkcipog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E8000A
.text C:\WINDOWS\explorer.exe[508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E9000A
.text C:\WINDOWS\explorer.exe[508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AE000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AC000C
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02BE000A
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02BF000A
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02C0000A
.text C:\WINDOWS\System32\svchost.exe[1168] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 02BD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009F000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ECAD3D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:568] EDBCF630
Thread System [4:572] EDBC1140

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Control@CurrentUser USERNAME
Reg HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout 20000
Reg HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions NOEXECUTE=OPTIN FASTDETECT
Reg HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice multi(0)disk(0)rdisk(0)partition(1)
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DependOnGroup
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DependOnService Netman?WinMgmt?
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Description Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DisplayName Windows Firewall/Internet Connection Sharing (ICS)
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Start 4
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@EnableFirewall 0
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DisableNotifications 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\RECYCLER\NPROTECT 0 bytes
File C:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes

---- EOF - GMER 1.0.15 ----

[yellowhawk]

here is the aswMBR log
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-27 16:59:17
-----------------------------
16:59:17.531 OS Version: Windows 5.1.2600 Service Pack 3
16:59:17.531 Number of processors: 1 586 0x304
16:59:17.546 ComputerName: FAMILY_COMPUTER UserName: Albert
16:59:19.359 Initialize success
17:00:06.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:00:06.125 Disk 0 Vendor: Maxtor_6 YAR5 Size: 76293MB BusType: 3
17:00:06.125 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
17:00:06.140 Disk 1 Vendor: WDC_WD25 08.0 Size: 238418MB BusType: 3
17:00:06.156 Disk 0 MBR read successfully
17:00:06.171 Disk 0 MBR scan
17:00:06.187 Disk 0 TDL4@MBR code has been found
17:00:06.203 Disk 0 Windows XP default MBR code found via API
17:00:06.218 Disk 0 MBR hidden
17:00:06.234 Disk 0 MBR [TDL4] **ROOTKIT**
17:00:06.250 Disk 0 trace - called modules:
17:00:06.265 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x868504d0]<<
17:00:06.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b8bab8]
17:00:06.312 3 CLASSPNP.SYS[f74e4fd7] -> nt!IofCallDriver -> [0x867a2788]
17:00:08.546 \Driver\iastor[0x86b786c0] -> IRP_MJ_CREATE -> 0x868504d0
17:00:08.656 Scan finished successfully
17:00:25.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Albert\Desktop\MBR.dat"
17:00:25.843 The log file has been saved successfully to "C:\Documents and Settings\Albert\Desktop\aswMBR.log"

[yellowhawk]

Here is the MBRCheck

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 153):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0x86797000 \WINDOWS\system32\KDCOM.DLL
0xF78B8000 \WINDOWS\system32\BOOTVID.dll
0xF7455000 ACPI.sys
0xF79A4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7444000 pci.sys
0xF74A4000 isapnp.sys
0xF7A6C000 pciide.sys
0xF7724000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79A6000 intelide.sys
0xF74B4000 MountMgr.sys
0xF7425000 ftdisk.sys
0xF79A8000 dmload.sys
0xF73FF000 dmio.sys
0xF772C000 PartMgr.sys
0xF74C4000 VolSnap.sys
0xF73E7000 atapi.sys
0xF7372000 iaStor.sys
0xF74D4000 disk.sys
0xF74E4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7352000 fltmgr.sys
0xF7340000 sr.sys
0xF732B000 drvmcdb.sys
0xF7734000 PxHelp20.sys
0xF7314000 KSecDD.sys
0xF7287000 Ntfs.sys
0xF725A000 NDIS.sys
0xF7240000 Mup.sys
0xF75C4000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6872000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF7824000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF684E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF782C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF681A000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF67F7000 \SystemRoot\system32\DRIVERS\ks.sys
0xF66F8000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6651000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7834000 \SystemRoot\System32\Drivers\Modem.SYS
0xF64FA000 \SystemRoot\system32\drivers\P17.sys
0xF64D6000 \SystemRoot\system32\drivers\portcls.sys
0xF75D4000 \SystemRoot\system32\drivers\drmk.sys
0xF64A6000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xF6480000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xF783C000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF75F4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7844000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF646C000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7604000 \SystemRoot\system32\DRIVERS\serial.sys
0xF6DDD000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7614000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF784C000 \SystemRoot\system32\drivers\Afc.sys
0xF79FC000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF7624000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7634000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7854000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7BC8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7644000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6DCD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6455000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7654000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7664000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF785C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6444000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7674000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7864000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF786C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7684000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF6414000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF6930000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7874000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A00000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF63B6000 \SystemRoot\system32\DRIVERS\update.sys
0xF7960000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7594000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF0148000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79CC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF0BBC000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79CE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEE6E1000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D0000 \SystemRoot\System32\Drivers\Beep.SYS
0xF0BAC000 \SystemRoot\system32\drivers\ssrtln.sys
0xF0BA4000 \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys
0xEE6DF000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xF0222000 \SystemRoot\System32\drivers\vga.sys
0xEDD96000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF79D2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79D4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF021A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF0212000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF03F8000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF020A000 \SystemRoot\System32\Drivers\NDISRD.SYS
0xEDD63000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDD0A000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEDCE2000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDCC0000 \SystemRoot\System32\drivers\afd.sys
0xF0108000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEDC95000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDC25000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF00F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xF00E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF0202000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEF909000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xEFF7A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF01FA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xEF905000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF01F2000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xEF901000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF1430000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF114C000 \??\C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS
0xF0986000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEB7D7000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF0924000 \SystemRoot\System32\drivers\Dxapi.sys
0xF0ABA000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xEDF3C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBF012000 \SystemRoot\System32\ATMFD.DLL
0xEFF6A000 \SystemRoot\system32\drivers\drvnddm.sys
0xEDE1B000 \SystemRoot\system32\dla\tfsndres.sys
0xEB3C1000 \SystemRoot\system32\dla\tfsnifs.sys
0xF79A0000 \SystemRoot\system32\dla\tfsnopio.sys
0xF082E000 \SystemRoot\system32\dla\tfsnpool.sys
0xF01EA000 \SystemRoot\system32\dla\tfsnboio.sys
0xEFF5A000 \SystemRoot\system32\dla\tfsncofs.sys
0xEDE1A000 \SystemRoot\system32\dla\tfsndrct.sys
0xEB3A8000 \SystemRoot\system32\dla\tfsnudf.sys
0xEB38F000 \SystemRoot\system32\dla\tfsnudfa.sys
0xF57F7000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
0xEB364000 \??\C:\WINDOWS\system32\Drivers\SYMTDI.SYS
0xF57EF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB297000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF00E6000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF6396000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xEB2F4000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEB1C7000 \SystemRoot\system32\DRIVERS\srv.sys
0xEBCCB000 \SystemRoot\system32\drivers\wdmaud.sys
0xEFF3A000 \SystemRoot\system32\drivers\sysaudio.sys
0xEB8ED000 \??\C:\WINDOWS\system32\Drivers\SYMREDRV.SYS
0xED600000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xED578000 \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
0xED36C000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110105.003\NAVENG.Sys
0xED32B000 \SystemRoot\System32\Drivers\HTTP.sys
0xED1B8000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110105.003\NavEx15.Sys
0xED178000 \??\C:\WINDOWS\system32\Drivers\SAVRT.SYS
0xECB41000 \??\C:\DOCUME~1\Albert\LOCALS~1\Temp\fwkcipog.sys
0xECB1B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xECACC000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xECAA1000 \SystemRoot\system32\drivers\kmixer.sys
0xECA34000 \SystemRoot\system32\DRIVERS\rt73.sys
0xEBB3D000 \??\C:\DOCUME~1\Albert\LOCALS~1\Temp\aswMBR.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
728 C:\WINDOWS\system32\smss.exe
800 csrss.exe
824 C:\WINDOWS\system32\winlogon.exe
872 C:\WINDOWS\system32\services.exe
884 C:\WINDOWS\system32\lsass.exe
1060 C:\WINDOWS\system32\svchost.exe
1124 svchost.exe
1168 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1420 svchost.exe
1624 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1748 C:\WINDOWS\system32\LEXBCES.EXE
1788 C:\WINDOWS\system32\LEXPPS.EXE
1796 C:\WINDOWS\system32\spoolsv.exe
1916 svchost.exe
1956 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1976 C:\Program Files\Bonjour\mDNSResponder.exe
2012 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
2044 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
216 C:\Program Files\Java\jre6\bin\jqs.exe
228 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
260 C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
172 C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE
312 C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
432 C:\WINDOWS\system32\PnkBstrA.exe
540 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
632 C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
996 C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
2680 C:\WINDOWS\system32\svchost.exe
2768 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2828 C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe
2864 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe
2880 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2896 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
2908 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2916 C:\WINDOWS\system32\DLA\tfswctrl.exe
2940 C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
2956 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2964 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3048 C:\Program Files\iTunes\iTunesHelper.exe
3064 C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
3080 C:\WINDOWS\system32\ctfmon.exe
3088 C:\Program Files\Messenger\msmsgs.exe
3096 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3772 C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
3548 C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
2836 C:\Program Files\Internet Explorer\iexplore.exe
3840 C:\Program Files\iPod\bin\iPodService.exe
3304 C:\Program Files\Internet Explorer\iexplore.exe
2704 unsecapp.exe
508 C:\WINDOWS\explorer.exe
3140 C:\WINDOWS\system32\notepad.exe
2456 alg.exe
2308 C:\Program Files\Internet Explorer\iexplore.exe
332 C:\Program Files\Internet Explorer\iexplore.exe
3280 C:\WINDOWS\system32\notepad.exe
3340 C:\WINDOWS\system32\notepad.exe
2620 C:\Documents and Settings\Albert\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y080M0, Rev: YAR51HW0
PhysicalDrive1 Model Number: WDCWD2500JD-75HBB0, Rev: 08.02D08

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Dell MBR code detected
SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


Done!

[Blottedisk]

Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

• Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
  paypal, ebay, etc. You should also change the passwords for any other site you use.
• Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
  credit card information may have been stolen and ask what steps to take with regard to your account.
• Consider what other private information could possibly have been taken from your computer and take appropriate steps

Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Please visit the following and have a look how you can disable your security software.

How to disable your security programs

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

• Double click on Combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix

[yellowhawk]

Thanks so much for your reply, I think i'm going to take your advice and wipe the hard drive. I had noticed that while using the computer the browser would open sometimes all by itself and go to different websites, ususally advertisements. Thanks again for your help.
Take care
Al

[Blottedisk]

You are welcome

Best Regards.