Click.giftload keeps coming back, Google search results redirect

Status
Not open for further replies.
F

felix_phillips

New member
So. A while ago I noticed that Google search results redirect to something totally different then the link I clicked. Lots of "Facebook surveys," lots of fake search engines, etc. Getting worried, I went and got Spybot S&D, Ad-Aware, Malwarebytes, and CCleaner. Been running scans with them nearly every day for... two weeks maybe? Most scans don't find anything, but Spybot started finding "click.giftload," and while it's able to remove it, it just comes back. When today my computer went through the "Windows failed to start, please choose safe mode or start windows normally or use last known settings that worked" 5-8 times in a row I said "screw this, I'm asking for help." So here I am.

As per instructions, I won't run any more scans unless someone here tells me to.

Symptoms:
1) Google Search results sometimes/often direct me somewhere else entirely
2) Sometimes graphics change from Windows XP theme to Windows Classic, and the option is not there to change it back. Doesn't always happen though.
3) Minecraft (the game) only works if I run the .exe via a .bat file. Something about unable to start the java virtual machine. Not sure if this is related, but figured I might as well mention it.
4) Spybot finds click.giftload and removes it, but it comes back next time I turn on the computer.

DDS Log:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ben at 0:00:41.95 on Sun 04/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.134 [GMT -6:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Ben\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Ben\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Desktop\BeipMU\BeipMU.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://global.acer.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:53455
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eRecoveryService] c:\program files\acer\empowering technology\erecovery\eRAgent.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ben\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\c67mdut8.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ben\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-3-7 176136]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-5 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 14336]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-3-28 1242504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-4 1405384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-4 15232]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-5-13 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-6-12 43608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2008-5-28 22072]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-1 38224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [2007-12-25 17968]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-30 19:03:49 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-26 19:09:25 -------- d-----w- C:\317bb37b7087d03d9fb4
2011-03-26 19:08:53 -------- d-----w- C:\c412b583335e06bfc5d36f7ea4
2011-03-14 04:29:06 -------- d-----w- C:\9f4842b56dc6715b1987c669f9712195
2011-03-14 04:28:39 -------- d-----w- C:\dda3748e091980e003ec6d2272b9
2011-03-13 19:42:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-13 19:42:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-12 04:59:35 -------- d-----w- c:\program files\CCleaner
2011-03-11 06:24:32 -------- d-----w- c:\docume~1\ben\applic~1\HpUpdate
2011-03-11 06:24:17 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-05 21:37:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-05 20:59:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-05 20:59:02 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-05 20:57:58 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Sunbelt Software
2011-03-05 20:54:04 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{A5847AFF-A1FE-4929-A3C0-16C23AB1D29D}
2011-03-05 20:52:55 -------- d-----w- c:\program files\Lavasoft
.
==================== Find3M ====================
.
2011-03-30 19:03:52 1409 ----a-w- c:\windows\QTFont.for
2011-03-13 00:05:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-13 00:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 04:42:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-07 04:42:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.1.10 -> Harddisk0\DR0 -> \Device\Scsi\ahcix861
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2EE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2f47b8]; MOV EAX, [0x8a2f4834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A30E030]
3 CLASSPNP[0xBA168FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000b6[0x8A80E258]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A80DA38]
\Driver\ahcix86[0x8A83CD40] -> IRP_MJ_CREATE -> 0x8A2EE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:06:52.93 ===============
 
Hi felix_phillips,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
    paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
    credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please open SpyBot S&D


  • Check for problems.
  • When the scan completes, right click on the results list, select "Copy results to clipboard".
  • Paste (Ctrl+V) those results in your next reply.


Step 2 | Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


Click the image to enlarge it


Step 3 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

gmer_zip.gif


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)


Click the image to enlarge it

  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
 
Okay. Good to know. I can't wipe/reinstall until the end of the month, because I am currently away at university and thus away from the windows install disks. I'll try to repair it for now, and wipe&reinstall in a month when I get back home, because I can't not use my computer on account of school. I'm at the university right now, but I'll run the tools you suggested when I get home this afternoon/evening.

Some questions:

I have a 4GB USB stick I use to transfer files back and forth from my computer at home to the university. Is there a possibility that it is infected? Can it spread the infection to other computers? If so, how do I wipe it?

How to I back up my documents without accidentally backing up the infection too?

I also have a Dropbox, some of the folders of which I'm sharing with other people. Can they get infected via the Dropbox? ( http://www.dropbox.com )

Additionally:

My computer is mostly used for schoolwork, email, and games. I've done a little bit of Internet banking, so I'll call my bank as soon as I'm done making this post. Don't have a credit card, but someone else used their credit card once four months ago, about three months before symptoms started showing up. Is their information in danger?

In the process now of changing all my passwords. Passwords that I'm not going to tell my infected computer.
 
Hi felix_phillips,


I would be glad to help you removing your current infections, until you can perform the reformat. If you would like to do so, then please follow the steps I gave you in my previous post, when you feel ready to start.


I have a 4GB USB stick I use to transfer files back and forth from my computer at home to the university. Is there a possibility that it is infected? Can it spread the infection to other computers? If so, how do I wipe it?
Click to expand...


If it is infected, then it will most probable infect any computer that it is pluged in. Just keep it pluged-in during the malware removal process, and we will take care of it.


How to I back up my documents without accidentally backing up the infection too?
Click to expand...


This infection does not alter documents, pictures, saved games, etc. However I would suggest you not to backup your data until we have finished with the malware removal process, especially if you are using an automatic backup tool (as I don't know what else it could backup).


I also have a Dropbox, some of the folders of which I'm sharing with other people. Can they get infected via the Dropbox? ( http://www.dropbox.com )
Click to expand...


I dont think so, the infection doesn't work like that. If any of the files within the Dropbox folder is infected, the online scanner we are gonna run will tell. However (and I recommend you do this) you can also upload the files to VirusTotal: http://www.virustotal.com/


My computer is mostly used for schoolwork, email, and games. I've done a little bit of Internet banking, so I'll call my bank as soon as I'm done making this post. Don't have a credit card, but someone else used their credit card once four months ago, about three months before symptoms started showing up. Is their information in danger?
Click to expand...


It depends on how long the infection have been lurking around. The Click.Giftload scheme was introduced by Spybot S&D on March, so yes, chances are that you became infected before.


In the process now of changing all my passwords. Passwords that I'm not going to tell my infected computer.
Click to expand...

:bigthumb:
 
Here are the logs you need. Thanks for the speedy replies to my questions, they were really helpful. :)


Spybot S&D Log:

Code: 
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
  

Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
  


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-04 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

aswMBR Log:

Code: 
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 14:26:10
-----------------------------
14:26:10.171    OS Version: Windows 5.1.2600 Service Pack 3
14:26:10.171    Number of processors: 2 586 0x301
14:26:10.171    ComputerName: ACER-A3FE35D430  UserName: Ben
14:26:14.250    Initialize success
14:26:24.984    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861
14:26:25.031    Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 1
14:26:25.109    Device \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:26:25.187    Device \Driver\ahcix86 -> DriverStartIo 8a2d927f
14:26:27.265    Disk 0 MBR read successfully
14:26:27.359    Disk 0 MBR scan
14:26:27.453    Disk 0 TDL4@MBR code has been found
14:26:27.562    Disk 0 MBR hidden
14:26:27.671    Disk 0 MBR [TDL4]  **ROOTKIT**
14:26:27.781    Disk 0 trace - called modules:
14:26:27.921    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2d9439]<<
14:26:28.046    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f8030]
14:26:28.187    3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\000000b6[0x8a847258]
14:26:28.343    5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> [0x8a82da38]
14:26:28.500    \Driver\ahcix86[0x8a843680] -> IRP_MJ_CREATE -> 0x8a2d9439
14:26:28.703    Scan finished successfully

Gmer Log:

Code: 
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-04 15:20:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ahcix861 Hitachi_ rev.1.10
Running: 7ljmggj8.exe; Driver: C:\DOCUME~1\Ben\LOCALS~1\Temp\ufacakog.sys


---- System - GMER 1.0.15 ----

SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                                                                            ZwCreateKey [0xBA17887E]
SSDT            sphf.sys                                                                                                                                                     ZwEnumerateKey [0xB9ECDDA4]
SSDT            sphf.sys                                                                                                                                                     ZwEnumerateValueKey [0xB9ECE132]
SSDT            sphf.sys                                                                                                                                                     ZwOpenKey [0xB9EB50C0]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwOpenProcess [0xB93B56C0]
SSDT            sphf.sys                                                                                                                                                     ZwQueryKey [0xB9ECE20A]
SSDT            sphf.sys                                                                                                                                                     ZwQueryValueKey [0xB9ECE08A]
SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                                                                            ZwSetValueKey [0xBA178BFE]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwTerminateProcess [0xB93B5770]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwTerminateThread [0xB93B5810]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwWriteVirtualMemory [0xB93B58B0]

INT 0x73        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0xA4        ?                                                                                                                                                            8A90FBF8

---- Kernel code sections - GMER 1.0.15 ----

?               sphf.sys                                                                                                                                                     The system cannot find the file specified. !
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                                                                     section is writeable [0xB8238000, 0x189FCA, 0xE8000020]
.text           USBPORT.SYS!DllUnload                                                                                                                                        B80548AC 5 Bytes  JMP 8A142438 
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C4 3 Bytes  [00, 80, 02]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C9 1 Byte  [30]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text           ...                                                                                                                                                          
?               C:\DOCUME~1\Ben\LOCALS~1\Temp\aswMBR.sys                                                                                                                     The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!NtProtectVirtualMemory                                                                                        7C90D6EE 5 Bytes  JMP 0071000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!NtWriteVirtualMemory                                                                                          7C90DFAE 5 Bytes  JMP 00DC000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!KiUserExceptionDispatcher                                                                                     7C90E47C 5 Bytes  JMP 0070000C 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!GetCursorPos                                                                                                 7E42974E 5 Bytes  JMP 00FB000A 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!WindowFromPoint                                                                                              7E429766 5 Bytes  JMP 00FC000A 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!GetForegroundWindow                                                                                          7E429823 5 Bytes  JMP 00FD000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ole32.dll!CoCreateInstance                                                                                              774FF1AC 5 Bytes  JMP 00F0000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtProtectVirtualMemory                                                                                                7C90D6EE 5 Bytes  JMP 00C2000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtWriteVirtualMemory                                                                                                  7C90DFAE 5 Bytes  JMP 00C3000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!KiUserExceptionDispatcher                                                                                             7C90E47C 5 Bytes  JMP 00B8000C 

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                                                                       8A8871F8

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                       AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device          \FileSystem\Fastfat \FatCdrom                                                                                                                                85CD21F8

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\USBSTOR \Device\000000cf                                                                                                                             8A14C330
Device          \Driver\NetBT \Device\NetBT_Tcpip_{6D26E4D1-C34F-40BE-830E-4037CE269D6E}                                                                                     8A0CC500
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                                             8A13F500
Device          \Driver\usbohci \Device\USBPDO-1                                                                                                                             8A13F500
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                                    8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                                      8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                                         8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                                        8A90D1F8
Device          \Driver\usbehci \Device\USBPDO-2                                                                                                                             8A115500
Device          \Driver\usbohci \Device\USBPDO-3                                                                                                                             8A13F500
Device          \Driver\usbehci \Device\USBPDO-4                                                                                                                             8A115500

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                    Lbd.sys (Boot Driver/Lavasoft AB)

Device          \Driver\NetBT \Device\NetBT_Tcpip_{BAD1109F-EA5B-4F7A-8EF8-3BC50C0CE419}                                                                                     8A0CC500
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                       8A89E1F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                       8A89E1F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                                 8A1621F8
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                                       8A89E1F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                                 8A1621F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{93277B27-BBF8-4BBC-A568-6E0D30B43B52}                                                                                     8A0CC500
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                      8A0CC500
Device          \Driver\USBSTOR \Device\000000d0                                                                                                                             8A14C330
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                                             8A0CC500
Device          \Driver\PCI_PNP1216 \Device\00000085                                                                                                                         sphf.sys
Device          \Driver\sptd \Device\2396817466                                                                                                                              sphf.sys

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                    Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                  Lbd.sys (Boot Driver/Lavasoft AB)

Device          \Driver\usbohci \Device\USBFDO-0                                                                                                                             8A13F500
Device          \Driver\usbohci \Device\USBFDO-1                                                                                                                             8A13F500
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                                            895231F8
Device          \Driver\usbehci \Device\USBFDO-2                                                                                                                             8A115500
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                                  895231F8
Device          \Driver\usbohci \Device\USBFDO-3                                                                                                                             8A13F500
Device          \Driver\usbehci \Device\USBFDO-4                                                                                                                             8A115500
Device          \Driver\Ftdisk \Device\FtControl                                                                                                                             8A89E1F8
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861                                                                                                       8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861                                                                                                                        8A8891F8
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0TargetaLun0                                                                                  8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861Port0Path0TargetaLun0                                                                                                   8A8891F8
Device          \Driver\ag8j1lst \Device\Scsi\ag8j1lst1                                                                                                                      8A089500
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0Target1Lun0                                                                                  8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861Port0Path0Target1Lun0                                                                                                   8A8891F8
Device          \Driver\ag8j1lst \Device\Scsi\ag8j1lst1Port1Path0Target0Lun0                                                                                                 8A089500
Device          \FileSystem\Fastfat \Fat                                                                                                                                     85CD21F8

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                     fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                     AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device          \FileSystem\Cdfs \Cdfs                                                                                                                                       8A1C9500
Device          \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                         
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                              C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                              0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                              0
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                           0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                     0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                                  0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)                                           
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                             0x92 0xEB 0x25 0x71 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                         
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                              C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                              0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                              0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                           0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                     0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                                  0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)                                           
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                             0x92 0xEB 0x25 0x71 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                                           771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                                           285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                                           1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                          C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                          0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                       0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                 0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                              0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                                               
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                         0x92 0xEB 0x25 0x71 ...

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                                                                        TDL4@MBR code has been found                                                                                                                <-- ROOTKIT !!!
Disk            \Device\Harddisk0\DR0                                                                                                                                        sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
 
Hi felix_phillips,


Please follow these steps:


Step 1 | Let's create a new restore point. Please:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • On the Welcome page, click Create a restore point.
  • On the Create a Restore Point page, enter a descriptive name for your restore point (i.e. malware removal), and then click Create.
  • The Restore Point Created page confirms that the new restore point has been created.


Step 2 | Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".

  • Click the Scan button to start scan.
  • When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.


Click the image to enlarge it
 
Hi Blottedisk;

When I rebooted, the computer went into a loop of "Windows didn't start correctly, choose safe mode, last known settings, or start normally." Whenever I picked an option, the windows XP laoding screen would pop up, the loading bar would scroll along... and then the screen switches for a frame or two to a blue screen with white text and then the cycle starts again. The blue screen happened too fast to make anything out - like I said, only lasted for a fraction of a second. All I know is that blue screens like that are usually really bad. Eventually I got fed up and killed the power by holding down the power button. Once the power was off, I removed the USB stick (the one that may or may not be infected) and turned it back on. The screen popped up again. I told it to start windows normally, and it worked.

Is there something simple I can to do avoid that, or is a giant warning sign from my computer about the infection?

System Restore Point is made.

aswMBR log:

Code: 
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 18:00:02
-----------------------------
18:00:02.078    OS Version: Windows 5.1.2600 Service Pack 3
18:00:02.078    Number of processors: 2 586 0x301
18:00:02.078    ComputerName: ACER-A3FE35D430  UserName: Ben
18:00:02.765    Initialize success
18:00:08.203    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861
18:00:08.265    Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 1
18:00:08.312    Device \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
18:00:08.390    Device \Driver\ahcix86 -> DriverStartIo 8a2d927f
18:00:10.468    Disk 0 MBR read successfully
18:00:10.562    Disk 0 MBR scan
18:00:10.640    Disk 0 TDL4@MBR code has been found
18:00:10.750    Disk 0 MBR hidden
18:00:10.843    Disk 0 MBR [TDL4]  **ROOTKIT**
18:00:10.968    Disk 0 trace - called modules:
18:00:11.078    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2d9439]<<
18:00:11.187    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f8030]
18:00:11.328    3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\000000b6[0x8a847258]
18:00:11.468    5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> [0x8a82da38]
18:00:11.625    \Driver\ahcix86[0x8a843680] -> IRP_MJ_CREATE -> 0x8a2d9439
18:00:11.796    Scan finished successfully
18:00:34.125    Disk 0 fixing MBR
18:00:44.296    Disk 0 MBR restored successfully
18:00:44.453    Infection fixed successfully - please reboot ASAP
 
Hi felix_phillips,


There have been a few cases of this tool having a hard time against TDSS. That was probable the result of trying to deal with such a heavy infection like this. However the aswMBR log shows that it has successfully removed it.


If you reboot the computer now, are these loop and blue screen still happening? Please let me know, as there's still more to be done.
 
Hi Blottedisk;

Rebooted as you requested. Started up as normal, no problems with "choose how to start your computer" loops or blue screens at all! The taskbar and windows are even back to their Windows XP theme state. (Although the theme tended to switch randomly between Windows XP and Windows Classic even before I came here and asked for help, so it may just be a coincidence.)
 
Hi felix_phillips,


Glad to hear that. Then let's proceed this way:


Please visit the following and have a look how you can disable your security software.

How to disable your security programs

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

  • Double click on Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Hi Blottedisk;

Combofix wants me to uninstall AVG, despite having disabled it according to the instructions for disabling AVG 2011 here: http://www.bleepingcomputer.com/forums/topic114351.html , which was a link in the bleepingcomputer link you gave me (info for AVG 2011 is not in the whatthetech link you gave me). My trial for it runs out in a week anyway, but I know uninstalling and installing things at this point without your guidance is a bad idea. Please advise.
 
Hi felix_phillips,


Unfortunately AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

After uninstalling AVG from the Control Panel, also run the AVG remover tool from their site (download AVG Remover 32bit).

http://www.avg.com/us-en/download-tools


When finished, please continue with Combofix.
 
Uninstalled AVG. Here's the log you need.


ComboFix 11-04-04.01 - Ben 04/05/2011 13:27:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1023 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\Forum Help\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
C:\Microsoft
c:\webupdater\WebUpdater.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-03 05:58 . 2011-04-03 05:58 -------- d-----w- c:\program files\ERUNT
2011-03-30 19:03 . 2011-03-30 19:03 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-26 19:09 . 2011-03-26 19:09 -------- d-----w- C:\317bb37b7087d03d9fb4
2011-03-26 19:08 . 2011-03-26 19:08 -------- d-----w- C:\c412b583335e06bfc5d36f7ea4
2011-03-14 04:29 . 2011-03-14 04:29 -------- d-----w- C:\9f4842b56dc6715b1987c669f9712195
2011-03-14 04:28 . 2011-03-14 04:28 -------- d-----w- C:\dda3748e091980e003ec6d2272b9
2011-03-12 04:59 . 2011-03-12 04:59 -------- d-----w- c:\program files\CCleaner
2011-03-11 06:24 . 2011-03-18 20:05 -------- d-----w- c:\documents and settings\Ben\Application Data\HpUpdate
2011-03-11 06:24 . 2011-03-11 06:24 -------- d-----w- c:\windows\Hewlett-Packard
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-05 19:42 . 2010-11-19 20:31 1409 ----a-w- c:\windows\QTFont.for
2011-03-13 00:05 . 2010-05-25 21:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-13 00:05 . 2009-09-01 16:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 20:59 . 2011-03-05 20:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-04 08:20 . 2011-03-05 20:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-04 08:20 . 2011-03-05 21:37 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-01-21 14:44 . 2008-04-14 04:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 04:42 . 2011-01-07 04:42 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-07 04:42 . 2011-01-07 04:42 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-01 68856]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-01-24 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 16805888]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-07-09 466944]
"eRecoveryService"="c:\program files\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-08 864576]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-28 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ben\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Documents and Settings\\Ben\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\Titan Quest.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\osmos\\osmos.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Config.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Overlord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57738:TCP"= 57738:TCP:Pando Media Booster
"57738:UDP"= 57738:UDP:Pando Media Booster
"1116:TCP"= 1116:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [3/7/2008 10:24 PM 176136]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2011 2:59 PM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2010 9:59 PM 691696]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 10:00 PM 14336]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 2:11 PM 16384]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/25/2008 10:36 PM 45056]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [5/13/2008 1:49 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [6/12/2008 10:30 AM 43608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/28/2008 6:54 PM 22072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 5:25 PM 135664]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/25/2008 10:36 PM 131072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/4/2011 2:20 AM 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/4/2011 2:20 AM 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [12/25/2007 11:23 PM 17968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\Ad-Aware Scan (Regular).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-04 08:20]
.
2011-04-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-ACER-A3FE35D430-Ben.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-18 09:44]
.
2011-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-01 02:36]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6f16350793a6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb6f1636e2079c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:53455
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\c67mdut8.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 13:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.1.10 -> Harddisk0\DR0 -> \Device\Scsi\ahcix861
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2DA439]<<
c:\docume~1\Ben\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2e07b8]; MOV EAX, [0x8a2e0834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A2F9728]
3 CLASSPNP[0xBA168FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000aa[0x8A82F750]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A82F988]
\Driver\ahcix86[0x8A826030] -> IRP_MJ_CREATE -> 0x8A2DA439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-05 13:50:00
ComboFix-quarantined-files.txt 2011-04-05 19:49
.
Pre-Run: 23,499,153,408 bytes free
Post-Run: 23,584,219,136 bytes free
.
- - End Of File - - C7A821687FDA1B8F736CCEDFD5F9C186
 
Last edited by a moderator:
Sorry for the double post, but I was wondering if I can install avast! now or if I should wait 'till later. Only connected to the internet without it long enough to get the Recovery Console and to post the log. I'm asking this question from a different computer.
 
Hi felix_phillips,


Yes, you can install Avast now. But remember to disable it with each tool we run on the machine, and enabling it when finished.

I removed the code tag from the Combofix log in your post; it's easier for me to read the logs that way :bigthumb:


Please download TDSSKiller from one of the following mirrors and save it in your desktop:

This is THE Mirror

  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.


    TDSSKillerMal-1.png


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    TDSSKillerSuspicious-1.png


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    TDSSKillerCompleted.png


  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
 
Hi Blottedisk;

Sorry about the code tags. I'll just paste the logs in normally from here on in.

I neglected to deactivate avast! on the first scan using the TDSSKiller, so I did a second scan with avast! turned off. I'll paste both scan results here.

When I installed avast!, it did some initial scans, and it detected some things. I told it to ignore them for now, lest it screw up your attempts to help me.



First Log (avast! turned on)



2011/04/05 18:38:58.0312 5496 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/05 18:38:58.0578 5496 ================================================================================
2011/04/05 18:38:58.0578 5496 SystemInfo:
2011/04/05 18:38:58.0578 5496
2011/04/05 18:38:58.0578 5496 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/05 18:38:58.0578 5496 Product type: Workstation
2011/04/05 18:38:58.0578 5496 ComputerName: ACER-A3FE35D430
2011/04/05 18:38:58.0578 5496 UserName: Ben
2011/04/05 18:38:58.0578 5496 Windows directory: C:\WINDOWS
2011/04/05 18:38:58.0578 5496 System windows directory: C:\WINDOWS
2011/04/05 18:38:58.0578 5496 Processor architecture: Intel x86
2011/04/05 18:38:58.0578 5496 Number of processors: 2
2011/04/05 18:38:58.0578 5496 Page size: 0x1000
2011/04/05 18:38:58.0578 5496 Boot type: Normal boot
2011/04/05 18:38:58.0578 5496 ================================================================================
2011/04/05 18:38:59.0609 5496 Initialize success
2011/04/05 18:39:08.0671 6136 ================================================================================
2011/04/05 18:39:08.0671 6136 Scan started
2011/04/05 18:39:08.0671 6136 Mode: Manual;
2011/04/05 18:39:08.0671 6136 ================================================================================
2011/04/05 18:39:09.0890 6136 Aavmker4 (83631291adf2887cffc786d034d3fa15) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/05 18:39:09.0984 6136 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/05 18:39:10.0125 6136 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/05 18:39:10.0187 6136 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/05 18:39:10.0312 6136 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/05 18:39:10.0421 6136 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/05 18:39:10.0531 6136 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/05 18:39:10.0593 6136 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/05 18:39:10.0609 6136 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/05 18:39:10.0656 6136 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/05 18:39:10.0687 6136 ahcix86 (b6e729a575f84938a08d367e8352eb86) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
2011/04/05 18:39:10.0718 6136 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/05 18:39:10.0765 6136 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/05 18:39:10.0828 6136 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/05 18:39:10.0859 6136 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/05 18:39:10.0906 6136 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/05 18:39:10.0953 6136 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/04/05 18:39:10.0984 6136 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/05 18:39:11.0125 6136 ApfiltrService (b90e6ec1c41e3c6cc4f69baa9d74515c) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/04/05 18:39:11.0265 6136 AR5416 (6c21f270afec1e423c00e96d3bd234dc) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/04/05 18:39:11.0421 6136 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/05 18:39:11.0500 6136 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/05 18:39:11.0625 6136 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/05 18:39:11.0750 6136 aswFsBlk (1c2e6bb4fe8621b1b863855b02bc33eb) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/04/05 18:39:11.0875 6136 aswMon2 (452d0ecd14fa02f9b061f42c8a30dd49) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/04/05 18:39:11.0953 6136 aswRdr (b6a9373619d851be80fb5f1b5eed0d4e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/04/05 18:39:12.0093 6136 aswSnx (9be41c1ae8bc481eb662d85c98d979c2) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/04/05 18:39:12.0234 6136 aswSP (4b1a54ba2bc5873a774df6b70ab8b0b3) C:\WINDOWS\system32\drivers\aswSP.sys
2011/04/05 18:39:12.0375 6136 aswTdi (c7f1cea32766184911293f4e1ee653f5) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/04/05 18:39:12.0484 6136 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/05 18:39:12.0609 6136 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/05 18:39:12.0890 6136 ati2mtag (383dcace469ac2ec0603342d4672cadb) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/05 18:39:13.0125 6136 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/05 18:39:13.0203 6136 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/05 18:39:13.0265 6136 b57w2k (559ddda2c88459478056174247706deb) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/05 18:39:13.0328 6136 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/05 18:39:13.0609 6136 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/05 18:39:13.0687 6136 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/05 18:39:13.0765 6136 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/05 18:39:13.0812 6136 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/05 18:39:13.0875 6136 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/05 18:39:13.0921 6136 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/05 18:39:14.0015 6136 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/05 18:39:14.0265 6136 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/05 18:39:14.0375 6136 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/05 18:39:14.0421 6136 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/05 18:39:14.0500 6136 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/05 18:39:14.0562 6136 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/04/05 18:39:14.0609 6136 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/05 18:39:14.0640 6136 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/05 18:39:14.0703 6136 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/05 18:39:14.0953 6136 DKbFltr (060db81dfb79c8244eb65d10b6c7873f) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/04/05 18:39:15.0359 6136 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/05 18:39:15.0640 6136 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/05 18:39:15.0937 6136 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/05 18:39:16.0093 6136 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/05 18:39:16.0203 6136 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/04/05 18:39:16.0406 6136 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/05 18:39:16.0625 6136 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/05 18:39:16.0859 6136 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/05 18:39:17.0078 6136 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/05 18:39:17.0187 6136 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/05 18:39:17.0343 6136 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/05 18:39:17.0500 6136 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/05 18:39:17.0640 6136 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/05 18:39:17.0812 6136 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/05 18:39:17.0953 6136 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/05 18:39:18.0125 6136 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/04/05 18:39:18.0312 6136 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/04/05 18:39:18.0453 6136 HdAudAddService (56bf27d7a539f9e6bbc1de201aba0edf) C:\WINDOWS\system32\drivers\AtiHdAud.sys
2011/04/05 18:39:18.0656 6136 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/05 18:39:18.0765 6136 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/05 18:39:19.0000 6136 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/05 18:39:19.0359 6136 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/05 18:39:19.0515 6136 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/05 18:39:19.0687 6136 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/05 18:39:19.0890 6136 HSFHWAZL (6a5c4732d6803f84e2987edd8e4359ce) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/05 18:39:20.0093 6136 HSF_DPV (21c31273c6cc4826e74be8ae3b09d4a8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/05 18:39:20.0281 6136 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/05 18:39:20.0468 6136 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/05 18:39:20.0671 6136 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/05 18:39:20.0859 6136 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/05 18:39:20.0968 6136 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/05 18:39:21.0156 6136 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/05 18:39:21.0718 6136 IntcAzAudAddService (004c80b1bdc4dd5303c89482e03153c0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/05 18:39:22.0031 6136 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/05 18:39:22.0328 6136 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/05 18:39:22.0562 6136 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/05 18:39:22.0859 6136 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/05 18:39:23.0109 6136 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/05 18:39:23.0437 6136 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/05 18:39:23.0734 6136 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/05 18:39:23.0906 6136 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/05 18:39:24.0046 6136 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/04/05 18:39:24.0281 6136 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/05 18:39:24.0484 6136 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/05 18:39:24.0734 6136 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/05 18:39:24.0984 6136 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/05 18:39:25.0187 6136 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/04/05 18:39:25.0546 6136 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/04/05 18:39:25.0921 6136 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/05 18:39:26.0109 6136 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/05 18:39:26.0406 6136 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/05 18:39:26.0625 6136 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/05 18:39:26.0765 6136 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/05 18:39:26.0968 6136 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/05 18:39:27.0031 6136 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/05 18:39:27.0156 6136 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/05 18:39:27.0250 6136 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/05 18:39:27.0406 6136 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/05 18:39:27.0468 6136 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/05 18:39:27.0531 6136 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/05 18:39:27.0609 6136 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/05 18:39:27.0734 6136 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/05 18:39:27.0828 6136 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/05 18:39:27.0937 6136 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/05 18:39:28.0031 6136 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/05 18:39:28.0171 6136 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/05 18:39:28.0250 6136 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/05 18:39:28.0375 6136 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/05 18:39:28.0437 6136 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/05 18:39:28.0515 6136 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/05 18:39:28.0578 6136 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/05 18:39:28.0640 6136 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/05 18:39:28.0718 6136 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/05 18:39:28.0890 6136 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/05 18:39:29.0000 6136 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/05 18:39:29.0156 6136 NTIDrvr (5535174933a08bb8f1cee26dffb930e4) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2011/04/05 18:39:29.0265 6136 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/05 18:39:29.0359 6136 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/05 18:39:29.0546 6136 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/05 18:39:29.0750 6136 O2MDRDR (f1072a203fb1e246be62d736a5b88dfd) C:\WINDOWS\system32\DRIVERS\o2media.sys
2011/04/05 18:39:29.0843 6136 O2SDRDR (5472c48f44b49f07b16b421899e550f8) C:\WINDOWS\system32\DRIVERS\o2sd.sys
2011/04/05 18:39:30.0140 6136 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/05 18:39:30.0421 6136 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/05 18:39:30.0718 6136 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/05 18:39:31.0015 6136 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/05 18:39:31.0250 6136 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/05 18:39:31.0296 6136 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/05 18:39:31.0531 6136 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/05 18:39:31.0562 6136 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/05 18:39:31.0687 6136 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/05 18:39:31.0718 6136 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/05 18:39:31.0828 6136 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/05 18:39:31.0937 6136 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/05 18:39:32.0000 6136 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/05 18:39:32.0015 6136 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/05 18:39:32.0046 6136 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/05 18:39:32.0078 6136 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/05 18:39:32.0109 6136 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/05 18:39:32.0156 6136 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/05 18:39:32.0250 6136 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/05 18:39:32.0296 6136 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/05 18:39:32.0328 6136 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/05 18:39:32.0390 6136 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/05 18:39:32.0421 6136 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/05 18:39:32.0546 6136 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/05 18:39:32.0609 6136 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/05 18:39:32.0734 6136 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/05 18:39:32.0796 6136 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
2011/04/05 18:39:32.0953 6136 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
2011/04/05 18:39:33.0125 6136 RTHDMIAzAudService (3aec576178bc1554fd95ef6d4729b105) C:\WINDOWS\system32\drivers\RtHDMI.sys
2011/04/05 18:39:33.0375 6136 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/05 18:39:33.0468 6136 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/05 18:39:33.0609 6136 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/05 18:39:33.0765 6136 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/05 18:39:33.0937 6136 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/05 18:39:34.0062 6136 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/05 18:39:34.0234 6136 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2011/04/05 18:39:34.0390 6136 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/05 18:39:34.0500 6136 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/05 18:39:34.0656 6136 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/05 18:39:34.0656 6136 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/05 18:39:34.0671 6136 sptd - detected Locked file (1)
2011/04/05 18:39:34.0765 6136 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/05 18:39:34.0843 6136 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/05 18:39:34.0906 6136 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/05 18:39:35.0015 6136 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/05 18:39:35.0078 6136 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/05 18:39:35.0109 6136 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/05 18:39:35.0140 6136 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/05 18:39:35.0171 6136 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/05 18:39:35.0218 6136 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/05 18:39:35.0390 6136 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/05 18:39:35.0500 6136 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/05 18:39:35.0609 6136 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/05 18:39:35.0687 6136 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/05 18:39:35.0796 6136 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/05 18:39:35.0890 6136 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/05 18:39:35.0921 6136 TpChoice (3afff25eae28188fa4ecd292658be31b) C:\WINDOWS\system32\DRIVERS\TpChoice.sys
2011/04/05 18:39:36.0046 6136 UBHelper (5e3966a0d9b57531264fc0c835021fa1) C:\WINDOWS\system32\drivers\UBHelper.sys
2011/04/05 18:39:36.0125 6136 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/05 18:39:36.0234 6136 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/05 18:39:36.0328 6136 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/05 18:39:36.0484 6136 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/05 18:39:36.0515 6136 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/05 18:39:36.0546 6136 usbfilter (edca5124b54bcf04e5c0538aa397a9c1) C:\WINDOWS\system32\DRIVERS\usbfilter.sys
2011/04/05 18:39:36.0593 6136 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/05 18:39:36.0750 6136 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/05 18:39:36.0843 6136 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/05 18:39:36.0968 6136 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/05 18:39:37.0062 6136 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/05 18:39:37.0187 6136 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/05 18:39:37.0265 6136 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/05 18:39:37.0375 6136 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/05 18:39:37.0453 6136 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/05 18:39:37.0515 6136 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/05 18:39:37.0640 6136 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/04/05 18:39:37.0734 6136 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/04/05 18:39:37.0843 6136 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/05 18:39:37.0953 6136 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/04/05 18:39:38.0140 6136 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/05 18:39:38.0296 6136 winachsf (307d248f97835b6879bdd361086924fe) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/05 18:39:38.0578 6136 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/05 18:39:38.0828 6136 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/05 18:39:38.0984 6136 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/05 18:39:39.0078 6136 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/05 18:39:39.0234 6136 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/05 18:39:39.0312 6136 ================================================================================
2011/04/05 18:39:39.0312 6136 Scan finished
2011/04/05 18:39:39.0312 6136 ================================================================================
2011/04/05 18:39:39.0343 6128 Detected object count: 2
2011/04/05 18:40:10.0046 6128 Locked file(sptd) - User select action: Skip
2011/04/05 18:40:10.0140 6128 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/05 18:40:10.0140 6128 \HardDisk0 - ok
2011/04/05 18:40:10.0140 6128 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/05 18:40:26.0390 5432 Deinitialize success



Second Log (avast! turned off)



2011/04/05 18:48:33.0312 5932 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/05 18:48:33.0359 5932 ================================================================================
2011/04/05 18:48:33.0359 5932 SystemInfo:
2011/04/05 18:48:33.0359 5932
2011/04/05 18:48:33.0359 5932 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/05 18:48:33.0359 5932 Product type: Workstation
2011/04/05 18:48:33.0359 5932 ComputerName: ACER-A3FE35D430
2011/04/05 18:48:33.0359 5932 UserName: Ben
2011/04/05 18:48:33.0359 5932 Windows directory: C:\WINDOWS
2011/04/05 18:48:33.0359 5932 System windows directory: C:\WINDOWS
2011/04/05 18:48:33.0359 5932 Processor architecture: Intel x86
2011/04/05 18:48:33.0359 5932 Number of processors: 2
2011/04/05 18:48:33.0359 5932 Page size: 0x1000
2011/04/05 18:48:33.0359 5932 Boot type: Normal boot
2011/04/05 18:48:33.0359 5932 ================================================================================
2011/04/05 18:48:34.0359 5932 Initialize success
2011/04/05 18:48:35.0984 6140 ================================================================================
2011/04/05 18:48:35.0984 6140 Scan started
2011/04/05 18:48:35.0984 6140 Mode: Manual;
2011/04/05 18:48:35.0984 6140 ================================================================================
2011/04/05 18:48:36.0937 6140 Aavmker4 (83631291adf2887cffc786d034d3fa15) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/05 18:48:37.0109 6140 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/05 18:48:37.0187 6140 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/05 18:48:37.0296 6140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/05 18:48:37.0375 6140 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/05 18:48:37.0484 6140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/05 18:48:37.0546 6140 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/05 18:48:37.0609 6140 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/05 18:48:37.0718 6140 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/05 18:48:37.0781 6140 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/05 18:48:37.0906 6140 ahcix86 (b6e729a575f84938a08d367e8352eb86) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
2011/04/05 18:48:37.0984 6140 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/05 18:48:38.0109 6140 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/05 18:48:38.0203 6140 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/05 18:48:38.0312 6140 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/05 18:48:38.0375 6140 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/05 18:48:38.0484 6140 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/04/05 18:48:38.0546 6140 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/05 18:48:38.0609 6140 ApfiltrService (b90e6ec1c41e3c6cc4f69baa9d74515c) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/04/05 18:48:38.0765 6140 AR5416 (6c21f270afec1e423c00e96d3bd234dc) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/04/05 18:48:38.0937 6140 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/05 18:48:38.0984 6140 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/05 18:48:39.0125 6140 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/05 18:48:39.0281 6140 aswFsBlk (1c2e6bb4fe8621b1b863855b02bc33eb) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/04/05 18:48:39.0390 6140 aswMon2 (452d0ecd14fa02f9b061f42c8a30dd49) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/04/05 18:48:39.0484 6140 aswRdr (b6a9373619d851be80fb5f1b5eed0d4e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/04/05 18:48:39.0578 6140 aswSnx (9be41c1ae8bc481eb662d85c98d979c2) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/04/05 18:48:39.0671 6140 aswSP (4b1a54ba2bc5873a774df6b70ab8b0b3) C:\WINDOWS\system32\drivers\aswSP.sys
2011/04/05 18:48:39.0750 6140 aswTdi (c7f1cea32766184911293f4e1ee653f5) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/04/05 18:48:39.0843 6140 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/05 18:48:39.0953 6140 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/05 18:48:40.0203 6140 ati2mtag (383dcace469ac2ec0603342d4672cadb) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/05 18:48:40.0375 6140 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/05 18:48:40.0546 6140 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/05 18:48:40.0843 6140 b57w2k (559ddda2c88459478056174247706deb) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/05 18:48:40.0906 6140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/05 18:48:41.0187 6140 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/05 18:48:41.0265 6140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/05 18:48:41.0390 6140 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/05 18:48:41.0484 6140 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/05 18:48:41.0562 6140 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/05 18:48:41.0593 6140 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/05 18:48:41.0640 6140 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/05 18:48:41.0859 6140 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/05 18:48:41.0921 6140 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/05 18:48:42.0046 6140 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/05 18:48:42.0140 6140 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/05 18:48:42.0281 6140 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/04/05 18:48:42.0375 6140 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/05 18:48:42.0484 6140 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/05 18:48:42.0578 6140 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/05 18:48:42.0718 6140 DKbFltr (060db81dfb79c8244eb65d10b6c7873f) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/04/05 18:48:42.0828 6140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/05 18:48:42.0984 6140 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/05 18:48:43.0062 6140 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/05 18:48:43.0187 6140 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/05 18:48:43.0281 6140 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/04/05 18:48:43.0421 6140 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/05 18:48:43.0515 6140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/05 18:48:43.0640 6140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/05 18:48:43.0750 6140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/05 18:48:43.0859 6140 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/05 18:48:43.0937 6140 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/05 18:48:44.0046 6140 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/05 18:48:44.0140 6140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/05 18:48:44.0250 6140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/05 18:48:44.0328 6140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/05 18:48:44.0437 6140 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/04/05 18:48:44.0546 6140 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/04/05 18:48:44.0671 6140 HdAudAddService (56bf27d7a539f9e6bbc1de201aba0edf) C:\WINDOWS\system32\drivers\AtiHdAud.sys
2011/04/05 18:48:44.0765 6140 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/05 18:48:44.0890 6140 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/05 18:48:44.0953 6140 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/05 18:48:45.0031 6140 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/05 18:48:45.0078 6140 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/05 18:48:45.0187 6140 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/05 18:48:45.0265 6140 HSFHWAZL (6a5c4732d6803f84e2987edd8e4359ce) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/05 18:48:45.0406 6140 HSF_DPV (21c31273c6cc4826e74be8ae3b09d4a8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/05 18:48:45.0546 6140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/05 18:48:45.0609 6140 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/05 18:48:45.0656 6140 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/05 18:48:45.0718 6140 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/05 18:48:45.0828 6140 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/05 18:48:45.0890 6140 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/05 18:48:46.0093 6140 IntcAzAudAddService (004c80b1bdc4dd5303c89482e03153c0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/05 18:48:46.0250 6140 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/05 18:48:46.0296 6140 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/05 18:48:46.0328 6140 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/05 18:48:46.0359 6140 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/05 18:48:46.0406 6140 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/05 18:48:46.0453 6140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/05 18:48:46.0484 6140 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/05 18:48:46.0531 6140 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/05 18:48:46.0593 6140 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/04/05 18:48:46.0718 6140 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/05 18:48:46.0781 6140 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/05 18:48:46.0843 6140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/05 18:48:46.0906 6140 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/05 18:48:47.0000 6140 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/04/05 18:48:47.0140 6140 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/04/05 18:48:47.0375 6140 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/05 18:48:47.0468 6140 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/05 18:48:47.0593 6140 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/05 18:48:47.0687 6140 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/05 18:48:47.0796 6140 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/05 18:48:48.0031 6140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/05 18:48:48.0234 6140 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/05 18:48:48.0328 6140 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/05 18:48:48.0484 6140 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/05 18:48:48.0656 6140 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/05 18:48:48.0750 6140 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/05 18:48:48.0843 6140 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/05 18:48:48.0906 6140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/05 18:48:48.0953 6140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/05 18:48:49.0015 6140 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/05 18:48:49.0125 6140 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/05 18:48:49.0218 6140 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/05 18:48:49.0359 6140 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/05 18:48:49.0453 6140 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/05 18:48:49.0578 6140 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/05 18:48:49.0640 6140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/05 18:48:49.0671 6140 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/05 18:48:49.0734 6140 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/05 18:48:49.0859 6140 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/05 18:48:49.0937 6140 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/05 18:48:50.0109 6140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/05 18:48:50.0171 6140 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/05 18:48:50.0359 6140 NTIDrvr (5535174933a08bb8f1cee26dffb930e4) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2011/04/05 18:48:50.0468 6140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/05 18:48:50.0531 6140 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/05 18:48:50.0562 6140 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/05 18:48:50.0671 6140 O2MDRDR (f1072a203fb1e246be62d736a5b88dfd) C:\WINDOWS\system32\DRIVERS\o2media.sys
2011/04/05 18:48:50.0734 6140 O2SDRDR (5472c48f44b49f07b16b421899e550f8) C:\WINDOWS\system32\DRIVERS\o2sd.sys
2011/04/05 18:48:50.0781 6140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/05 18:48:50.0828 6140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/05 18:48:50.0859 6140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/05 18:48:50.0953 6140 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/05 18:48:51.0046 6140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/05 18:48:51.0078 6140 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/05 18:48:51.0250 6140 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/05 18:48:51.0296 6140 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/05 18:48:51.0421 6140 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/05 18:48:51.0468 6140 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/05 18:48:51.0515 6140 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/05 18:48:51.0562 6140 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/05 18:48:51.0593 6140 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/05 18:48:51.0640 6140 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/05 18:48:51.0671 6140 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/05 18:48:51.0703 6140 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/05 18:48:51.0750 6140 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/05 18:48:51.0796 6140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/05 18:48:51.0890 6140 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/05 18:48:51.0937 6140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/05 18:48:51.0984 6140 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/05 18:48:52.0046 6140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/05 18:48:52.0093 6140 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/05 18:48:52.0187 6140 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/05 18:48:52.0265 6140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/05 18:48:52.0328 6140 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/05 18:48:52.0390 6140 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
2011/04/05 18:48:52.0531 6140 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
2011/04/05 18:48:52.0703 6140 RTHDMIAzAudService (3aec576178bc1554fd95ef6d4729b105) C:\WINDOWS\system32\drivers\RtHDMI.sys
2011/04/05 18:48:52.0968 6140 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/05 18:48:53.0000 6140 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/05 18:48:53.0062 6140 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/05 18:48:53.0250 6140 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/05 18:48:53.0343 6140 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/05 18:48:53.0390 6140 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/05 18:48:53.0625 6140 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2011/04/05 18:48:53.0781 6140 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/05 18:48:53.0843 6140 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/05 18:48:53.0937 6140 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/05 18:48:53.0937 6140 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/05 18:48:53.0953 6140 sptd - detected Locked file (1)
2011/04/05 18:48:54.0062 6140 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/05 18:48:54.0140 6140 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/05 18:48:54.0234 6140 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/05 18:48:54.0343 6140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/05 18:48:54.0468 6140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/05 18:48:54.0562 6140 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/05 18:48:54.0609 6140 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/05 18:48:54.0656 6140 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/05 18:48:54.0687 6140 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/05 18:48:54.0734 6140 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/05 18:48:54.0875 6140 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/05 18:48:55.0015 6140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/05 18:48:55.0078 6140 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/05 18:48:55.0218 6140 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/05 18:48:55.0328 6140 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/05 18:48:55.0453 6140 TpChoice (3afff25eae28188fa4ecd292658be31b) C:\WINDOWS\system32\DRIVERS\TpChoice.sys
2011/04/05 18:48:55.0546 6140 UBHelper (5e3966a0d9b57531264fc0c835021fa1) C:\WINDOWS\system32\drivers\UBHelper.sys
2011/04/05 18:48:55.0656 6140 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/05 18:48:55.0734 6140 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/05 18:48:55.0859 6140 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/05 18:48:56.0031 6140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/05 18:48:56.0125 6140 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/05 18:48:56.0203 6140 usbfilter (edca5124b54bcf04e5c0538aa397a9c1) C:\WINDOWS\system32\DRIVERS\usbfilter.sys
2011/04/05 18:48:56.0265 6140 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/05 18:48:56.0296 6140 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/05 18:48:56.0359 6140 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/05 18:48:56.0390 6140 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/05 18:48:56.0500 6140 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/05 18:48:56.0578 6140 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/05 18:48:56.0640 6140 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/05 18:48:56.0718 6140 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/05 18:48:56.0765 6140 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/05 18:48:56.0812 6140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/05 18:48:56.0937 6140 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/04/05 18:48:56.0984 6140 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/04/05 18:48:57.0015 6140 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/05 18:48:57.0140 6140 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/04/05 18:48:57.0296 6140 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/05 18:48:57.0375 6140 winachsf (307d248f97835b6879bdd361086924fe) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/05 18:48:57.0609 6140 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/05 18:48:57.0718 6140 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/05 18:48:57.0781 6140 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/05 18:48:57.0921 6140 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/05 18:48:58.0375 6140 ================================================================================
2011/04/05 18:48:58.0375 6140 Scan finished
2011/04/05 18:48:58.0375 6140 ================================================================================
2011/04/05 18:48:58.0421 5064 Detected object count: 1
2011/04/05 18:49:02.0265 5064 Locked file(sptd) - User select action: Skip
 
Hi felix_phillips :)


TDSSKiller got rid of it. Can you please run Combofix again and post the contents of the log?
 
Hi Blottedisk;

Great to hear!

Here's the combofix log:


ComboFix 11-04-04.01 - Ben 04/05/2011 19:36:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.909 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\Forum Help\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-06 00:45 . 2011-04-06 00:45 -------- d-----w- c:\windows\LastGood
2011-04-06 00:21 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-06 00:21 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-06 00:21 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-06 00:21 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-06 00:21 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-06 00:21 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-06 00:21 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-06 00:21 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-06 00:21 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-06 00:21 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-06 00:20 . 2011-04-06 00:20 -------- d-----w- c:\program files\AVAST Software
2011-04-06 00:20 . 2011-04-06 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-03 05:58 . 2011-04-03 05:58 -------- d-----w- c:\program files\ERUNT
2011-03-30 19:03 . 2011-03-30 19:03 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-26 19:09 . 2011-03-26 19:09 -------- d-----w- C:\317bb37b7087d03d9fb4
2011-03-26 19:08 . 2011-03-26 19:08 -------- d-----w- C:\c412b583335e06bfc5d36f7ea4
2011-03-14 04:29 . 2011-03-14 04:29 -------- d-----w- C:\9f4842b56dc6715b1987c669f9712195
2011-03-14 04:28 . 2011-03-14 04:28 -------- d-----w- C:\dda3748e091980e003ec6d2272b9
2011-03-12 04:59 . 2011-03-12 04:59 -------- d-----w- c:\program files\CCleaner
2011-03-11 06:24 . 2011-03-18 20:05 -------- d-----w- c:\documents and settings\Ben\Application Data\HpUpdate
2011-03-11 06:24 . 2011-03-11 06:24 -------- d-----w- c:\windows\Hewlett-Packard
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 00:21 . 2010-11-19 20:31 1409 ----a-w- c:\windows\QTFont.for
2011-03-13 00:05 . 2010-05-25 21:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-13 00:05 . 2009-09-01 16:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 20:59 . 2011-03-05 20:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-04 08:20 . 2011-03-05 20:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-04 08:20 . 2011-03-05 21:37 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-01-21 14:44 . 2008-04-14 04:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 04:42 . 2011-01-07 04:42 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-07 04:42 . 2011-01-07 04:42 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-05_19.42.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:02 . 2009-07-12 06:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2010-04-25 22:53 . 2010-04-25 22:53 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2011-04-06 00:42 . 2011-04-06 00:42 16384 c:\windows\Temp\Perflib_Perfdata_a58.dat
+ 2011-04-06 00:42 . 2011-04-06 00:42 16384 c:\windows\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-01 68856]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-01-24 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 16805888]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-07-09 466944]
"eRecoveryService"="c:\program files\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-08 864576]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-28 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ben\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Documents and Settings\\Ben\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\Titan Quest.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\osmos\\osmos.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Config.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Overlord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57738:TCP"= 57738:TCP:Pando Media Booster
"57738:UDP"= 57738:UDP:Pando Media Booster
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [3/7/2008 10:24 PM 176136]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2011 2:59 PM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2010 9:59 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 6:21 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 6:21 PM 301528]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 10:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 6:21 PM 19544]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 2:11 PM 16384]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/25/2008 10:36 PM 45056]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [5/13/2008 1:49 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [6/12/2008 10:30 AM 43608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/28/2008 6:54 PM 22072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 5:25 PM 135664]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/25/2008 10:36 PM 131072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/4/2011 2:20 AM 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/4/2011 2:20 AM 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [12/25/2007 11:23 PM 17968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\Ad-Aware Scan (Regular).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-04 08:20]
.
2011-04-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-ACER-A3FE35D430-Ben.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-18 09:44]
.
2011-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-01 02:36]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6f16350793a6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb6f1636e2079c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:53455
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\c67mdut8.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 19:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(17360)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\program files\Acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-05 20:07:00
ComboFix-quarantined-files.txt 2011-04-06 02:06
ComboFix2.txt 2011-04-05 19:50
.
Pre-Run: 23,833,792,512 bytes free
Post-Run: 23,806,582,784 bytes free
.
- - End Of File - - 2CFDF0818B68C1E2F781F96ED44192CF
 
Hi felix_phillips,


How's the machine running now?

Please do the following:


ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:

Code: 
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:53455
uInternet Settings,ProxyOverride = <local>
  1. Save it to your desktop as CFScript.txt
  2. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

    ComboFixScriptDrag.gif


    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  4. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **
 
Hi Blottedisk;

Machine's running fine. No more re-directs, no problems with start-up, Windows XP theme hasn't reverted to Classic, Minecraft works normally again. There's something about 'choose an operating system' for a second or two at start-up, but this seems to have to do with the Windows Recovery Console. I haven't checked if the click.giftload still shows up in a Spybot S&D scan yet, though.

Question though: the log says I have an AVG firewall. I uninstalled AVG. What's up with that? Also, does avast! work as a firewall too, or do I need a different one?

Here's the log:


ComboFix 11-04-04.01 - Ben 04/08/2011 17:39:37.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1121 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
.
2011-04-08 23:23 . 2011-03-23 16:11 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{07C94D25-B1E9-423A-A699-148C2A81A280}\mpengine.dll
2011-04-06 04:59 . 2011-04-06 04:59 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-04-06 00:21 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-06 00:21 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-06 00:21 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-06 00:21 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-06 00:21 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-06 00:21 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-06 00:21 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-06 00:21 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-06 00:21 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-06 00:21 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-06 00:20 . 2011-04-06 00:20 -------- d-----w- c:\program files\AVAST Software
2011-04-06 00:20 . 2011-04-06 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-03 05:58 . 2011-04-03 05:58 -------- d-----w- c:\program files\ERUNT
2011-03-30 19:03 . 2011-03-30 19:03 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-26 19:09 . 2011-03-26 19:09 -------- d-----w- C:\317bb37b7087d03d9fb4
2011-03-26 19:08 . 2011-03-26 19:08 -------- d-----w- C:\c412b583335e06bfc5d36f7ea4
2011-03-14 04:29 . 2011-03-14 04:29 -------- d-----w- C:\9f4842b56dc6715b1987c669f9712195
2011-03-14 04:28 . 2011-03-14 04:28 -------- d-----w- C:\dda3748e091980e003ec6d2272b9
2011-03-12 04:59 . 2011-03-12 04:59 -------- d-----w- c:\program files\CCleaner
2011-03-11 06:24 . 2011-03-18 20:05 -------- d-----w- c:\documents and settings\Ben\Application Data\HpUpdate
2011-03-11 06:24 . 2011-03-11 06:24 -------- d-----w- c:\windows\Hewlett-Packard
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 00:21 . 2010-11-19 20:31 1409 ----a-w- c:\windows\QTFont.for
2011-03-23 16:11 . 2009-10-17 14:04 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-13 00:05 . 2010-05-25 21:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-13 00:05 . 2009-09-01 16:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 20:59 . 2011-03-05 20:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-04 08:20 . 2011-03-05 20:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-04 08:20 . 2011-03-05 21:37 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-02-11 02:30 . 2011-02-11 02:30 40960 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-02-09 13:53 . 2008-04-14 04:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 04:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 00:11 . 2009-10-17 14:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2008-04-14 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-14 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 04:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-05_19.42.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:02 . 2009-07-12 06:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2010-04-25 22:53 . 2010-04-25 22:53 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2011-04-08 23:21 . 2011-04-08 23:21 16384 c:\windows\Temp\Perflib_Perfdata_738.dat
+ 2011-04-08 23:21 . 2011-04-08 23:21 16384 c:\windows\Temp\Perflib_Perfdata_534.dat
- 2010-06-05 04:39 . 2010-12-17 08:58 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-06-05 04:39 . 2011-04-06 05:00 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2008-04-14 04:00 . 2008-04-14 04:00 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 04:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 04:00 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
- 2008-04-14 04:00 . 2008-04-14 04:00 135168 c:\windows\system32\dllcache\shsvcs.dll
- 2008-04-14 04:00 . 2008-04-14 04:00 270848 c:\windows\system32\dllcache\sbe.dll
+ 2008-04-14 04:00 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll
- 2008-04-14 04:00 . 2008-04-14 04:00 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2008-04-14 04:00 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
- 2008-04-14 04:00 . 2008-04-14 04:00 186880 c:\windows\system32\dllcache\encdec.dll
+ 2008-04-14 04:00 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
+ 2011-04-08 06:58 . 2011-04-08 06:58 817152 c:\windows\Installer\162346a.msi
+ 2008-04-14 04:00 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
+ 2009-09-01 14:56 . 2011-04-07 00:34 37943240 c:\windows\system32\MRT.exe
+ 2011-04-06 04:58 . 2011-04-06 04:58 20308992 c:\windows\Installer\e5251d.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 14:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-01 68856]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-01-24 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 16805888]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-07-09 466944]
"eRecoveryService"="c:\program files\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-08 864576]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-28 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ben\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Documents and Settings\\Ben\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\Titan Quest.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\osmos\\osmos.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Config.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\overlord\\Overlord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57738:TCP"= 57738:TCP:Pando Media Booster
"57738:UDP"= 57738:UDP:Pando Media Booster
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [3/7/2008 10:24 PM 176136]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2011 2:59 PM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2010 9:59 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 6:21 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 6:21 PM 301528]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 10:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 6:21 PM 19544]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 2:11 PM 16384]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/25/2008 10:36 PM 45056]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [5/13/2008 1:49 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [6/12/2008 10:30 AM 43608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/28/2008 6:54 PM 22072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 5:25 PM 135664]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/25/2008 10:36 PM 131072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/4/2011 2:20 AM 1753048]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/4/2011 2:20 AM 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [12/25/2007 11:23 PM 17968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\Ad-Aware Scan (Regular).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-04 07:58]
.
2011-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-04 07:58]
.
2011-04-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-ACER-A3FE35D430-Ben.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-18 09:44]
.
2011-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-01 02:36]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6f16350793a6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb6f1636e2079c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 23:25]
.
2011-04-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\c67mdut8.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 18:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(10336)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\documents and settings\Ben\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\program files\Acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-08 18:10:17
ComboFix-quarantined-files.txt 2011-04-09 00:10
ComboFix2.txt 2011-04-06 02:07
ComboFix3.txt 2011-04-05 19:50
.
Pre-Run: 23,366,070,272 bytes free
Post-Run: 23,353,348,096 bytes free
.
- - End Of File - - 43CCE651E7B8C685F51825C53F99C17D
 
Status
Not open for further replies.
Back
Top