Infected (sirefef.ch and maybe not only that)

everything is working just fine... thanks a lot for your time and effort. This is my sister's laptop and she's quite a newbie about technical things. I'll try to explain to her what to avoid and not to use uTorrent. I'm studying electronics so I know a thing or two about PCs etc. My desktop PC is clean as a whistle ;)

Again, thanks a lot. Hope I don't need to bother you again. Take care my friend!

Adios ;)
 
Hey oldman960,

Sorry to bother you again. My sister told me that she got a problem with the laptop that used to happen to me while we were fixing it. Sometimes when she turns it on, it boots up, icons show up, but it's frozen, and when you hover over the taskbar a sand watch appears and it just stays like that till you shut it down (by force). After a few tries it boots up fine and works great (like it did the 3 times I shut it down and turned it back on). I assumed everything is okay and that everything is fixed. I guess my question is: do you think that it's still infected, and can we try some other tests/scans to be sure?

Thanks
 
Hi marko1234,

With malware it's possible we missed something.

Let's have a look.

Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, check scan all users
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %temp%\smtmp\*.* /s
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    consrv.dll
    atapi.*
    mrxsmb.*
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


Next

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it.

If asked to download the Avast definition database please do so.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with
  • both OTL logs
  • aswMBR log
  • mbr.zip (attached)
 
Hi oldman960

The otl.txt log was too long for the post, so I have attached it along with the mbr.dat file.

extras.txt

OTL Extras logfile created on: 30.1.2012 21:45:54 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Tea\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041A | Country: Croatia | Language: HRV | Date Format: d.M.yyyy

895,23 Mb Total Physical Memory | 376,61 Mb Available Physical Memory | 42,07% Memory free
2,12 Gb Paging File | 1,64 Gb Available in Paging File | 77,62% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 101,44 Gb Total Space | 33,68 Gb Free Space | 33,20% Space Free | Partition Type: NTFS
Drive D: | 8,79 Gb Total Space | 0,64 Gb Free Space | 7,23% Space Free | Partition Type: NTFS

Computer Name: TEA-LAPTOP | User Name: Tea | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1085031214-413027322-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Tea\Desktop\COD\Call of Duty 1.5 + United Offensive\Call of Duty\CoDUOMP.exe" = C:\Documents and Settings\Tea\Desktop\COD\Call of Duty 1.5 + United Offensive\Call of Duty\CoDUOMP.exe:*:Enabled:CoDUOMP -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{11A7769F-6706-3191-9A9A-6B4AB0F56419}" = Catalyst Control Center Localization Norwegian
"{169F0A86-B4E2-E0D0-9623-4982A9C48C93}" = CCC Help Chinese Traditional
"{177775EF-DF8B-D947-0B51-D14ED1F836C5}" = Catalyst Control Center Localization Czech
"{183C2621-49ED-C3F3-6FFF-4807079E1AC0}" = CCC Help Thai
"{189DC77B-7B5B-0547-276B-C026EF0C757C}" = ccc-core-preinstall
"{1D8135C3-46FA-77E4-E645-405BD62DDAB9}" = Catalyst Control Center Localization Turkish
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{209DC8F3-20D6-56D1-3EDA-04792A59589D}" = CCC Help Greek
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 30
"{2A0AF7BE-CB9C-D902-676E-B3DAEECB6B2D}" = Catalyst Control Center Localization Korean
"{2B9A8E7E-CDE6-D723-3521-B6D4784FFBEA}" = Catalyst Control Center Localization Japanese
"{2D0A84FC-2178-131A-7563-705200BDFF20}" = CCC Help Polish
"{2EE6086A-2926-66A7-2B60-42FB259D95B7}" = Catalyst Control Center Localization Russian
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{33B75044-54B4-5AB4-7A19-7B9D77BF2285}" = Catalyst Control Center Localization Greek
"{33E58EE4-0E59-0017-78D0-D56FD3594770}" = CCC Help Korean
"{342BE86B-31F5-6E7E-A1CB-87BA5272BC2C}" = Catalyst Control Center Localization Hungarian
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{36807E1C-C7F5-CCF7-3617-F41837DECAF7}" = CCC Help Danish
"{3A8B8170-7321-E5FC-0047-74F9F5D21B25}" = Catalyst Control Center Localization Thai
"{3F93B2BA-18EC-462B-9ACD-396599353EE1}" = Catalyst Control Center - Branding
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D1E0AA2-3B34-6940-3663-0E255EFBBF63}" = CCC Help Portuguese
"{517459C1-A2C2-7641-AA71-4E7E98B5E8A9}" = CCC Help Spanish
"{53B35D1A-B93A-C389-409B-EEBC68D82861}" = Catalyst Control Center Core Implementation
"{540EA3CE-1229-5702-929D-A67E6331AC39}" = CCC Help Norwegian
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5A721E61-FBDE-9422-3C64-17D918C7196B}" = Catalyst Control Center Localization German
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F74F1E5-C4DF-7A18-3C11-A47382FFA660}" = CCC Help Swedish
"{611CB353-FEC0-1245-1859-B169344D1454}" = CCC Help Japanese
"{751CCF7A-CFF6-4A4B-9119-D4448D87B025}" = ESET Smart Security
"{77F38DEB-140F-0B24-52C4-6B385127CB1F}" = Catalyst Control Center Localization Finnish
"{79AAA8E0-B47C-EDAB-826E-C498AA4857CE}" = CCC Help Finnish
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{89B65CDA-DC1B-C5B3-73DF-3CFF4A19A588}" = CCC Help German
"{8C74846F-56C1-7CA1-14BF-B7A87F7A0CA7}" = Catalyst Control Center Localization Dutch
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{CEA4C7D0-ABBE-4074-A488-173BB382CDFF}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{907E8FCC-ACB6-8F7D-9930-8C95F1DC7D87}" = ccc-utility
"{90A2E630-72EA-3309-6B02-9307C795345C}" = CCC Help Russian
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A00E6A54-A3B5-7FCD-5DBA-4BFAB5B2DBD7}" = Catalyst Control Center Localization Italian
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A21A1F07-8EE5-1DC3-74E5-73AF089B5722}" = Catalyst Control Center Localization Polish
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A843E814-9178-6F3F-E821-9094D33128F5}" = Catalyst Control Center Graphics Full New
"{A893EF27-F743-D48F-3971-ABD33A2A0902}" = CCC Help French
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA0CBF76-BD8E-48C0-AE32-31684A629836}" = HP Broadband Wireless Modules
"{AA3D13A1-2373-6638-8398-FBDA07FAC464}" = CCC Help Turkish
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AF0EC284-33B6-9100-E851-B64FDC070429}" = Catalyst Control Center Localization French
"{B1463859-54D3-03C0-2D87-04D15A4B5D06}" = Catalyst Control Center Localization Chinese Traditional
"{B15AC518-1C5D-D41F-37CA-768851B11FAB}" = Catalyst Control Center Localization Swedish
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BC1584FD-B945-E401-7C34-929964DE9E24}" = CCC Help Chinese Standard
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C443C2F5-CBEC-1299-3A60-6C3C9965EF5A}" = CCC Help Czech
"{C594294F-E38B-FB39-4C3B-E97EFCE3AC0D}" = Catalyst Control Center Localization Danish
"{C97636B2-42D2-C8C0-CDD8-4A323CF6BC5C}" = CCC Help Italian
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CDA1ADA3-BBB4-4250-B272-AC21C78C3968}" = HP PCMCIA Smart Card Reader
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF0F7BFE-61D8-E7B8-6F99-F5E149B89051}" = Catalyst Control Center Localization Portuguese
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom NetXtreme Ethernet Controller
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D7BE4FF6-24E1-3E12-D6D0-C76F26F31327}" = Catalyst Control Center Graphics Light
"{DFDE44B2-4E88-9B2D-75B6-945635C665DF}" = Catalyst Control Center Localization Spanish
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E634B696-8333-8216-6415-86272864894F}" = ccc-core-static
"{E78A17B7-B3E7-045B-820D-5DCE2541DEBC}" = CCC Help English
"{E978DAC8-F978-B81D-0BA1-9A566A79A7A6}" = CCC Help Hungarian
"{E9A82610-AD0E-F189-1F41-95996BC15794}" = Catalyst Control Center Graphics Full Existing
"{EB36FA85-8004-D358-601C-542FE3A2A77C}" = CCC Help Dutch
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6F6B40D-6477-87E2-3899-AF53366D84D2}" = Catalyst Control Center Localization Chinese Standard
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"BSPlayerp" = BS.Player PRO
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Google Chrome" = Google Chrome
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 9.0.1 (x86 hr)" = Mozilla Firefox 9.0.1 (x86 hr)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PKR" = PKR
"Sweet Home 3D_is1" = Sweet Home 3D version 3.2
"Uninstall Tool_is1" = Uninstall Tool
"uTorrent" = µTorrent
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR arhiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1085031214-413027322-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20.8.2011 4:21:22 | Computer Name = TEA-LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application jaucheck.exe, version 2.0.2.4, faulting module
jaucheck.exe, version 2.0.2.4, fault address 0x000039b0.

Error - 27.8.2011 17:04:20 | Computer Name = TEA-LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application jaucheck.exe, version 2.0.2.4, faulting module
jaucheck.exe, version 2.0.2.4, fault address 0x000039b0.

Error - 28.8.2011 15:04:33 | Computer Name = TEA-LAPTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 28.8.2011 15:04:33 | Computer Name = TEA-LAPTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 28.8.2011 15:04:33 | Computer Name = TEA-LAPTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 29.8.2011 13:13:30 | Computer Name = TEA-LAPTOP | Source = MsiInstaller | ID = 1013
Description = Product: Adobe Reader 9.1 -- Setup has detected that you already have
a more functional product installed. Setup will now terminate.

[ System Events ]
Error - 25.1.2012 19:03:27 | Computer Name = TEA-LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK8 ehdrv Fips

Error - 26.1.2012 10:04:05 | Computer Name = TEA-LAPTOP | Source = F-Secure Standalone Minifilter | ID = 327681
Description =

Error - 30.1.2012 5:02:38 | Computer Name = TEA-LAPTOP | Source = DCOM | ID = 10010
Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register
with DCOM within the required timeout.

Error - 30.1.2012 5:06:35 | Computer Name = TEA-LAPTOP | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Microsoft XPS Document Writer
share name Printer2.

Error - 30.1.2012 5:08:55 | Computer Name = TEA-LAPTOP | Source = DCOM | ID = 10010
Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register
with DCOM within the required timeout.

Error - 30.1.2012 5:13:26 | Computer Name = TEA-LAPTOP | Source = DCOM | ID = 10010
Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register
with DCOM within the required timeout.

Error - 30.1.2012 5:16:47 | Computer Name = TEA-LAPTOP | Source = Service Control Manager | ID = 7038
Description = The RemoteRegistry service was unable to log on as NT AUTHORITY\LocalService
with the currently configured password due to the following error: %%5 To ensure
that the service is configured properly, use the Services snap-in in Microsoft Management
Console
(MMC).

Error - 30.1.2012 5:16:47 | Computer Name = TEA-LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Remote Registry service failed to start due to the following error:
%%1069

Error - 30.1.2012 5:22:55 | Computer Name = TEA-LAPTOP | Source = DCOM | ID = 10010
Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register
with DCOM within the required timeout.

Error - 30.1.2012 5:37:42 | Computer Name = TEA-LAPTOP | Source = DCOM | ID = 10010
Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register
with DCOM within the required timeout.


< End of report >

aswMBR.txt

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 22:00:14
-----------------------------
22:00:14.796 OS Version: Windows 5.1.2600 Service Pack 3
22:00:14.796 Number of processors: 2 586 0x6801
22:00:14.796 ComputerName: TEA-LAPTOP UserName: Tea
22:00:15.546 Initialize success
22:13:25.062 AVAST engine defs: 12013000
22:18:08.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:18:08.078 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC7BP Size: 114473MB BusType: 3
22:18:08.093 Disk 0 MBR read successfully
22:18:08.093 Disk 0 MBR scan
22:18:08.218 Disk 0 Windows XP default MBR code
22:18:08.218 Disk 0 Partition - 00 0F Extended LBA 103873 MB offset 16065
22:18:08.250 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 8996 MB offset 212752384
22:18:08.281 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 103873 MB offset 16128
22:18:08.281 Disk 0 scanning sectors +231176192
22:18:08.375 Disk 0 scanning C:\WINDOWS\system32\drivers
22:18:21.828 Service scanning
22:18:22.093 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
22:18:22.984 Modules scanning
22:18:29.968 Disk 0 trace - called modules:
22:18:29.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x84afbd31]<<
22:18:29.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b61ab8]
22:18:29.984 3 CLASSPNP.SYS[f74dcfd7] -> nt!IofCallDriver -> \Device\00000085[0x84b6a030]
22:18:29.984 5 ACPI.sys[f7373620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84be8498]
22:18:30.687 AVAST engine scan C:\WINDOWS
22:18:44.484 AVAST engine scan C:\WINDOWS\system32
22:22:16.781 AVAST engine scan C:\WINDOWS\system32\drivers
22:22:35.906 AVAST engine scan C:\Documents and Settings\Tea
22:27:27.859 AVAST engine scan C:\Documents and Settings\All Users
22:28:07.687 Scan finished successfully
22:28:58.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tea\Desktop\MBR.dat"
22:28:58.812 The log file has been saved successfully to "C:\Documents and Settings\Tea\Desktop\aswMBR.txt"

P.S. There was also an option that is not visible in the screenshots you provided: AV scan with a drop-down box (default was quick scan, other options were c:/ ; [..] and (none)). I used the default QUICK SCAN, just wanted to let you know.
 
Hi

It does look like something may be there. Let's see if this will show us what.


Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If GMER will not run in normal Windows, please run it in Safe Mode.
 
Here is the gmer log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 01:24:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC7BP
Running: bmefms5v.exe; Driver: C:\DOCUME~1\Tea\LOCALS~1\Temp\pwdoikog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xEB65B610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xEB65BC10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xEB65B730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xEB65B4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xEB65B570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xEB65B6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xEB65B790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xEB65B690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xEB65B650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xEB65B7D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xEB65B510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xEB65B590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xEB65B4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xEB65B5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xEB65B750]

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F68EC59A
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F68EC655

---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F72E7852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF676E000, 0x17D80E, 0xE8000020]
? C:\DOCUME~1\Tea\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1340] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 84AAD161
Thread System [4:648] 83E8BC30

---- EOF - GMER 1.0.15 ----

p.s. hmmm I left it to scan, when I returned I found a black screen, now I'm not sure if the laptop went to standby or just turned off the monitor :( should I rerun the test?
 
I redid the scan just to be sure so you can ignore the previous post. Here's the new log (although it seems the same to me)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 02:11:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC7BP
Running: bmefms5v.exe; Driver: C:\DOCUME~1\Tea\LOCALS~1\Temp\pwdoikog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xEB65B610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xEB65BC10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xEB65B730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xEB65B4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xEB65B570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xEB65B6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xEB65B790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xEB65B690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xEB65B650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xEB65B7D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xEB65B510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xEB65B590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xEB65B4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xEB65B5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xEB65B750]

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F68EC59A
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F68EC655

---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F72E7852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF676E000, 0x17D80E, 0xE8000020]
? C:\DOCUME~1\Tea\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1340] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 84AAD161
Thread System [4:648] 83E8BC30

---- EOF - GMER 1.0.15 ----
 
Hi marko1234,

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
 
Another problem that occurs... booting takes a whole lot of time. Also, while applying CURE in the Kaspersky tool, my antivirus NOD32 popped up alerting me of the virus I was curing. Don't know if that is a problem. I chose TAKE NO ACTION with NOD32.


Here's the log you requested:
19:47:09.0500 3132 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
19:47:10.0734 3132 ============================================================
19:47:10.0734 3132 Current date / time: 2012/01/31 19:47:10.0734
19:47:10.0734 3132 SystemInfo:
19:47:10.0734 3132
19:47:10.0734 3132 OS Version: 5.1.2600 ServicePack: 3.0
19:47:10.0734 3132 Product type: Workstation
19:47:10.0734 3132 ComputerName: TEA-LAPTOP
19:47:10.0734 3132 UserName: Tea
19:47:10.0734 3132 Windows directory: C:\WINDOWS
19:47:10.0734 3132 System windows directory: C:\WINDOWS
19:47:10.0734 3132 Processor architecture: Intel x86
19:47:10.0734 3132 Number of processors: 2
19:47:10.0734 3132 Page size: 0x1000
19:47:10.0734 3132 Boot type: Normal boot
19:47:10.0734 3132 ============================================================
19:47:13.0250 3132 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:47:13.0250 3132 \Device\Harddisk0\DR0:
19:47:13.0250 3132 MBR used
19:47:13.0281 3132 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0xCAE0AFB
19:47:13.0281 3132 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCAE5800, BlocksNum 0x1192000
19:47:13.0359 3132 Initialize success
19:47:13.0359 3132 ============================================================
19:47:37.0828 0352 ============================================================
19:47:37.0828 0352 Scan started
19:47:37.0828 0352 Mode: Manual; SigCheck; TDLFS;
19:47:37.0828 0352 ============================================================
19:47:38.0453 0352 Abiosdsk - ok
19:47:38.0828 0352 abp480n5 - ok
19:47:39.0328 0352 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:47:39.0390 0352 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:47:39.0390 0352 ACPI ( Virus.Win32.Rloader.a ) - infected
19:47:39.0390 0352 ACPI - detected Virus.Win32.Rloader.a (0)
19:47:39.0796 0352 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:47:47.0359 0352 ACPIEC - ok
19:47:47.0937 0352 ADIHdAudAddService (7356eff52ad50b8946d346002118ce62) C:\WINDOWS\system32\drivers\ADIHdAud.sys
19:47:48.0234 0352 ADIHdAudAddService - ok
19:47:48.0625 0352 adpu160m - ok
19:47:49.0093 0352 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
19:47:49.0171 0352 AEAudio - ok
19:47:49.0656 0352 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:47:49.0953 0352 aec - ok
19:47:50.0468 0352 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:47:50.0625 0352 AFD - ok
19:47:51.0703 0352 AgereSoftModem (90456051c422e09bc36e6340dd891f0c) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
19:47:53.0406 0352 AgereSoftModem - ok
19:47:53.0812 0352 Aha154x - ok
19:47:54.0203 0352 aic78u2 - ok
19:47:54.0578 0352 aic78xx - ok
19:47:54.0937 0352 AliIde - ok
19:47:55.0343 0352 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
19:47:55.0390 0352 AmdK8 - ok
19:47:55.0734 0352 amsint - ok
19:47:56.0109 0352 asc - ok
19:47:56.0468 0352 asc3350p - ok
19:47:56.0828 0352 asc3550 - ok
19:47:57.0343 0352 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:47:57.0562 0352 AsyncMac - ok
19:47:58.0046 0352 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:47:58.0218 0352 atapi - ok
19:47:58.0625 0352 Atdisk - ok
19:48:00.0734 0352 ati2mtag (d0c00ee032994b698b47837a3561717a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:48:04.0250 0352 ati2mtag - ok
19:48:04.0765 0352 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:48:05.0015 0352 Atmarpc - ok
19:48:05.0421 0352 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:48:05.0593 0352 audstub - ok
19:48:06.0078 0352 b57w2k (133ad3794572bce689763a8356c7ed06) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
19:48:06.0250 0352 b57w2k - ok
19:48:07.0531 0352 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
19:48:09.0187 0352 BCM43XX - ok
19:48:09.0609 0352 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:48:09.0812 0352 Beep - ok
19:48:10.0781 0352 BTKRNL (ba57f31eab93dc597d772f6f5b9ed54f) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
19:48:11.0859 0352 BTKRNL - ok
19:48:12.0390 0352 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
19:48:12.0734 0352 BTWUSB - ok
19:48:13.0125 0352 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:48:13.0328 0352 cbidf2k - ok
19:48:13.0718 0352 cd20xrnt - ok
19:48:14.0125 0352 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:48:14.0312 0352 Cdaudio - ok
19:48:14.0781 0352 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:48:15.0046 0352 Cdfs - ok
19:48:15.0500 0352 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:48:15.0718 0352 Cdrom - ok
19:48:16.0125 0352 Changer - ok
19:48:16.0515 0352 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:48:16.0718 0352 CmBatt - ok
19:48:17.0109 0352 CmdIde - ok
19:48:17.0515 0352 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:48:17.0703 0352 Compbatt - ok
19:48:18.0125 0352 Cpqarray - ok
19:48:18.0515 0352 dac2w2k - ok
19:48:18.0859 0352 dac960nt - ok
19:48:19.0281 0352 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:48:19.0500 0352 Disk - ok
19:48:20.0437 0352 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:48:21.0437 0352 dmboot - ok
19:48:22.0031 0352 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:48:22.0515 0352 dmio - ok
19:48:22.0890 0352 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:48:23.0093 0352 dmload - ok
19:48:23.0515 0352 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:48:23.0734 0352 DMusic - ok
19:48:24.0218 0352 dpti2o - ok
19:48:24.0593 0352 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:48:24.0765 0352 drmkaud - ok
19:48:25.0250 0352 eamon (55e754e04c09daf19fc0054e72713d80) C:\WINDOWS\system32\DRIVERS\eamon.sys
19:48:25.0406 0352 eamon - ok
19:48:25.0843 0352 ehdrv (6f2441c26d74bde88c25e240a2720eeb) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
19:48:25.0937 0352 ehdrv - ok
19:48:26.0406 0352 epfw (93aa9cef77315a0866f8307195de416d) C:\WINDOWS\system32\DRIVERS\epfw.sys
19:48:26.0531 0352 epfw - ok
19:48:26.0937 0352 Epfwndis (7946b41daeb3e610742ff01a6d2d61b2) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
19:48:26.0984 0352 Epfwndis - ok
19:48:27.0453 0352 epfwtdi (f38059a07393a8c56bae8ff7ee0c3128) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
19:48:27.0515 0352 epfwtdi - ok
19:48:28.0046 0352 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:48:28.0343 0352 Fastfat - ok
19:48:28.0828 0352 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:48:29.0062 0352 Fdc - ok
19:48:29.0500 0352 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:48:29.0703 0352 Fips - ok
19:48:30.0156 0352 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:48:30.0375 0352 Flpydisk - ok
19:48:30.0843 0352 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:48:31.0109 0352 FltMgr - ok
19:48:31.0500 0352 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:48:31.0703 0352 Fs_Rec - ok
19:48:32.0218 0352 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:48:32.0578 0352 Ftdisk - ok
19:48:32.0984 0352 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
19:48:33.0015 0352 GEARAspiWDM - ok
19:48:33.0421 0352 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:48:33.0656 0352 Gpc - ok
19:48:34.0078 0352 HBtnKey (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
19:48:34.0140 0352 HBtnKey - ok
19:48:34.0671 0352 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:48:34.0890 0352 HDAudBus - ok
19:48:35.0296 0352 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:48:35.0484 0352 HidUsb - ok
19:48:35.0921 0352 HP24X (362d8e46b618649591de2a5c2f0e58e1) C:\WINDOWS\system32\DRIVERS\HP24X.sys
19:48:35.0984 0352 HP24X - ok
19:48:36.0390 0352 hpn - ok
19:48:36.0937 0352 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:48:37.0203 0352 HTTP - ok
19:48:37.0609 0352 i2omgmt - ok
19:48:37.0968 0352 i2omp - ok
19:48:38.0390 0352 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:48:38.0609 0352 i8042prt - ok
19:48:39.0078 0352 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:48:39.0296 0352 Imapi - ok
19:48:39.0703 0352 ini910u - ok
19:48:40.0078 0352 IntelIde - ok
19:48:40.0500 0352 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:48:40.0734 0352 Ip6Fw - ok
19:48:41.0156 0352 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:48:41.0312 0352 IpFilterDriver - ok
19:48:41.0828 0352 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:48:42.0031 0352 IpInIp - ok
19:48:42.0562 0352 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:48:42.0875 0352 IpNat - ok
19:48:43.0312 0352 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:48:43.0546 0352 IPSec - ok
19:48:44.0031 0352 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:48:44.0109 0352 IRENUM - ok
19:48:44.0531 0352 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:48:44.0750 0352 isapnp - ok
19:48:45.0156 0352 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:48:45.0359 0352 Kbdclass - ok
19:48:45.0812 0352 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:48:46.0000 0352 kbdhid - ok
19:48:46.0500 0352 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:48:46.0781 0352 kmixer - ok
19:48:47.0218 0352 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:48:47.0390 0352 KSecDD - ok
19:48:47.0796 0352 lbrtfdc - ok
19:48:48.0203 0352 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
19:48:48.0218 0352 MBAMProtector - ok
19:48:48.0625 0352 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:48:48.0812 0352 mnmdd - ok
19:48:49.0218 0352 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:48:49.0437 0352 Modem - ok
19:48:49.0953 0352 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:48:50.0156 0352 Mouclass - ok
19:48:50.0546 0352 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:48:50.0765 0352 mouhid - ok
19:48:51.0187 0352 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:48:51.0390 0352 MountMgr - ok
19:48:51.0781 0352 mraid35x - ok
19:48:52.0312 0352 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:48:52.0718 0352 MRxDAV - ok
19:48:53.0375 0352 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:48:53.0921 0352 MRxSmb - ok
19:48:54.0375 0352 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:48:54.0562 0352 Msfs - ok
19:48:54.0968 0352 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:48:55.0187 0352 MSKSSRV - ok
19:48:55.0546 0352 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:48:55.0750 0352 MSPCLOCK - ok
19:48:56.0187 0352 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:48:56.0375 0352 MSPQM - ok
19:48:56.0781 0352 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:48:56.0953 0352 mssmbios - ok
19:48:57.0437 0352 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:48:57.0578 0352 Mup - ok
19:48:58.0109 0352 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:48:58.0375 0352 NDIS - ok
19:48:58.0781 0352 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:48:58.0843 0352 NdisTapi - ok
19:48:59.0296 0352 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:48:59.0484 0352 Ndisuio - ok
19:48:59.0937 0352 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:49:00.0234 0352 NdisWan - ok
19:49:00.0687 0352 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:49:00.0781 0352 NDProxy - ok
19:49:01.0203 0352 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:49:01.0421 0352 NetBIOS - ok
19:49:01.0968 0352 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:49:02.0468 0352 NetBT - ok
19:49:02.0875 0352 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:49:03.0078 0352 Npfs - ok
19:49:03.0812 0352 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:49:04.0500 0352 Ntfs - ok
19:49:04.0968 0352 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:49:05.0156 0352 Null - ok
19:49:05.0546 0352 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:49:05.0750 0352 NwlnkFlt - ok
19:49:06.0140 0352 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:49:06.0343 0352 NwlnkFwd - ok
19:49:06.0812 0352 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:49:07.0078 0352 Parport - ok
19:49:07.0468 0352 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:49:07.0640 0352 PartMgr - ok
19:49:08.0031 0352 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:49:08.0234 0352 ParVdm - ok
19:49:08.0687 0352 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:49:08.0937 0352 PCI - ok
19:49:09.0296 0352 PCIDump - ok
19:49:09.0687 0352 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:49:09.0921 0352 PCIIde - ok
19:49:10.0421 0352 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:49:10.0687 0352 Pcmcia - ok
19:49:11.0109 0352 PDCOMP - ok
19:49:11.0468 0352 PDFRAME - ok
19:49:11.0828 0352 PDRELI - ok
19:49:12.0187 0352 PDRFRAME - ok
19:49:12.0656 0352 perc2 - ok
19:49:13.0125 0352 perc2hib - ok
19:49:13.0593 0352 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:49:13.0812 0352 PptpMiniport - ok
19:49:14.0218 0352 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:49:14.0421 0352 Processor - ok
19:49:14.0906 0352 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:49:15.0156 0352 PSched - ok
19:49:15.0546 0352 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:49:15.0734 0352 Ptilink - ok
19:49:16.0171 0352 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:49:16.0218 0352 PxHelp20 - ok
19:49:16.0578 0352 ql1080 - ok
19:49:16.0937 0352 Ql10wnt - ok
19:49:17.0296 0352 ql12160 - ok
19:49:17.0656 0352 ql1240 - ok
19:49:18.0015 0352 ql1280 - ok
19:49:18.0406 0352 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:49:18.0593 0352 RasAcd - ok
19:49:19.0062 0352 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:49:19.0296 0352 Rasl2tp - ok
19:49:19.0687 0352 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:49:19.0921 0352 RasPppoe - ok
19:49:20.0296 0352 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:49:20.0500 0352 Raspti - ok
19:49:20.0984 0352 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:49:21.0328 0352 Rdbss - ok
19:49:21.0750 0352 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:49:21.0921 0352 RDPCDD - ok
19:49:22.0500 0352 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:49:22.0937 0352 rdpdr - ok
19:49:23.0421 0352 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:49:23.0609 0352 RDPWD - ok
19:49:24.0109 0352 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:49:24.0328 0352 redbook - ok
19:49:24.0781 0352 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:49:24.0906 0352 Secdrv - ok
19:49:25.0390 0352 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:49:25.0625 0352 Serial - ok
19:49:26.0046 0352 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:49:26.0234 0352 Sfloppy - ok
19:49:26.0609 0352 Simbad - ok
19:49:26.0968 0352 Sparrow - ok
19:49:27.0375 0352 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:49:27.0562 0352 splitter - ok
19:49:28.0078 0352 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:49:28.0218 0352 sr - ok
19:49:28.0812 0352 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:49:29.0265 0352 Srv - ok
19:49:29.0703 0352 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:49:29.0875 0352 swenum - ok
19:49:30.0312 0352 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:49:30.0578 0352 swmidi - ok
19:49:30.0984 0352 symc810 - ok
19:49:31.0343 0352 symc8xx - ok
19:49:31.0703 0352 sym_hi - ok
19:49:32.0062 0352 sym_u3 - ok
19:49:32.0531 0352 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:49:32.0859 0352 sysaudio - ok
19:49:33.0484 0352 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:49:34.0000 0352 Tcpip - ok
19:49:34.0421 0352 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:49:34.0625 0352 TDPIPE - ok
19:49:35.0015 0352 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:49:35.0203 0352 TDTCP - ok
19:49:35.0625 0352 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:49:35.0875 0352 TermDD - ok
19:49:36.0281 0352 TosIde - ok
19:49:36.0718 0352 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:49:36.0984 0352 Udfs - ok
19:49:37.0390 0352 ultra - ok
19:49:38.0000 0352 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:49:38.0578 0352 Update - ok
19:49:39.0000 0352 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:49:39.0109 0352 USBAAPL - ok
19:49:39.0531 0352 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:49:39.0750 0352 usbccgp - ok
19:49:40.0250 0352 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:49:40.0468 0352 usbehci - ok
19:49:40.0921 0352 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:49:41.0140 0352 usbhub - ok
19:49:41.0531 0352 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:49:41.0734 0352 usbohci - ok
19:49:42.0250 0352 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:49:42.0734 0352 usbscan - ok
19:49:43.0156 0352 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:49:43.0343 0352 USBSTOR - ok
19:49:43.0828 0352 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:49:44.0031 0352 VgaSave - ok
19:49:44.0406 0352 ViaIde - ok
19:49:44.0812 0352 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:49:45.0062 0352 VolSnap - ok
19:49:45.0531 0352 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:49:45.0750 0352 Wanarp - ok
19:49:46.0125 0352 WDICA - ok
19:49:46.0578 0352 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:49:46.0796 0352 wdmaud - ok
19:49:47.0296 0352 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
19:49:47.0468 0352 WmiAcpi - ok
19:49:47.0875 0352 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:49:48.0078 0352 WS2IFSL - ok
19:49:48.0125 0352 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:49:48.0640 0352 \Device\Harddisk0\DR0 - ok
19:49:48.0656 0352 Boot (0x1200) (96852dd8a09164cfbd067444d793afaf) \Device\Harddisk0\DR0\Partition0
19:49:48.0656 0352 \Device\Harddisk0\DR0\Partition0 - ok
19:49:48.0656 0352 Boot (0x1200) (cdf10a52227489d9e2636720e1ff5a4b) \Device\Harddisk0\DR0\Partition1
19:49:48.0656 0352 \Device\Harddisk0\DR0\Partition1 - ok
19:49:48.0671 0352 ============================================================
19:49:48.0671 0352 Scan finished
19:49:48.0671 0352 ============================================================
19:49:48.0812 0336 Detected object count: 1
19:49:48.0812 0336 Actual detected object count: 1
19:50:28.0062 0336 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
19:50:38.0875 0336 Backup copy found, using it..
19:50:39.0281 0336 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
19:50:39.0281 0336 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
19:50:46.0828 2412 Deinitialize success
 
Hi marko1234,

19:47:39.0328 0352 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:47:39.0390 0352 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:47:39.0390 0352 ACPI ( Virus.Win32.Rloader.a ) - infected
19:47:39.0390 0352 ACPI - detected Virus.Win32.Rloader.a (0)

Looks like we got it. Nod probably noticed while TDSSK was moving it.

Please run aswMBR again, this time with the additional scan. Disable Nod first.
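As an added example (not part of this thread, and not TDSSKiller's own code), here is a small Python parser for TDSSKiller log lines like the ones quoted above. It flags drivers whose file was reported as forged (two different hashes for the same file, the sign of something intercepting reads) or marked infected; the line format is inferred from the log posted in this thread, and the sample lines are copied from it.

```python
"""Parse TDSSKiller log lines and flag forged or infected drivers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every TDSSKiller line starts with "HH:MM:SS.mmmm <thread id> <message>".
_PREFIX = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# "ACPI (<md5>) C:\WINDOWS\system32\DRIVERS\ACPI.sys"
_DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Forged): <path>. Real md5: <md5>, Fake md5: <md5>"
_FORGED = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "ACPI ( Virus.Win32.Rloader.a ) - infected"
_INFECTED = re.compile(r"^(?P<name>\S+) \( (?P<threat>\S+) \) - infected$")
# "ACPIEC - ok"
_OK = re.compile(r"^(?P<name>\S+) - ok$")


@dataclass
class DriverRecord:
    name: str
    path: str = ""
    real_md5: str = ""        # hash of the bytes actually on disk
    fake_md5: str = ""        # hash of what the OS handed back, if it differed
    status: str = "unknown"   # "ok", "infected" or "unknown"
    threat: str = ""

    @property
    def forged(self) -> bool:
        # Reading the file two ways gave two different hashes: something in
        # the I/O path is hiding the real bytes (what TDSSKiller calls Forged).
        return bool(self.fake_md5) and self.fake_md5 != self.real_md5


def parse_log(text: str) -> dict[str, DriverRecord]:
    """Return one DriverRecord per service name found in a TDSSKiller log."""
    records: dict[str, DriverRecord] = {}
    by_path: dict[str, DriverRecord] = {}

    def record(name: str) -> DriverRecord:
        return records.setdefault(name, DriverRecord(name=name))

    for raw in text.splitlines():
        line = _PREFIX.match(raw.strip())
        if not line:
            continue  # blank lines, banner and "====" separators
        msg = line.group("msg")
        if m := _FORGED.match(msg):
            rec = by_path.get(m.group("path"))
            if rec is None:  # forged line seen before its driver line: key by path
                rec = record(m.group("path"))
                rec.path = m.group("path")
                by_path[rec.path] = rec
            rec.real_md5 = m.group("real")
            rec.fake_md5 = m.group("fake")
        elif m := _INFECTED.match(msg):
            rec = record(m.group("name"))
            rec.status, rec.threat = "infected", m.group("threat")
        elif m := _OK.match(msg):
            record(m.group("name")).status = "ok"
        elif m := _DRIVER.match(msg):
            rec = record(m.group("name"))
            rec.path, rec.real_md5 = m.group("path"), m.group("md5")
            by_path[rec.path] = rec
        # "<name> - detected <threat> (0)" and similar lines add nothing new.
    return records


def flagged(records: dict[str, DriverRecord]) -> list[str]:
    """Names worth a second look: file forged on disk, or marked infected."""
    return sorted(n for n, r in records.items() if r.forged or r.status == "infected")


# Sample lines copied from the TDSSKiller log posted in this thread (not a
# complete log): one infected driver plus two clean entries.
SAMPLE_LOG = r"""
19:47:38.0453 0352 Abiosdsk - ok
19:47:39.0328 0352 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:47:39.0390 0352 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:47:39.0390 0352 ACPI ( Virus.Win32.Rloader.a ) - infected
19:47:39.0390 0352 ACPI - detected Virus.Win32.Rloader.a (0)
19:47:39.0796 0352 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:47:47.0359 0352 ACPIEC - ok
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in flagged(recs):
        r = recs[name]
        print(f"{name}: {r.path} status={r.status} threat={r.threat or '-'} "
              f"real={r.real_md5} fake={r.fake_md5 or '-'}")
```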
 
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-06 22:37:11
-----------------------------
22:37:11.406 OS Version: Windows 5.1.2600 Service Pack 3
22:37:11.406 Number of processors: 2 586 0x6801
22:37:11.406 ComputerName: TEA-LAPTOP UserName: Tea
22:37:13.812 Initialize success
22:37:45.453 AVAST engine defs: 12020601
22:37:51.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:37:51.750 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC7BP Size: 114473MB BusType: 3
22:37:51.843 Disk 0 MBR read successfully
22:37:51.843 Disk 0 MBR scan
22:37:52.312 Disk 0 Windows XP default MBR code
22:37:52.312 Disk 0 Partition - 00 0F Extended LBA 103873 MB offset 16065
22:37:52.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 8996 MB offset 212752384
22:37:52.500 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 103873 MB offset 16128
22:37:52.656 Disk 0 scanning sectors +231176192
22:37:53.343 Disk 0 scanning C:\WINDOWS\system32\drivers
22:38:30.796 Service scanning
22:38:34.640 Modules scanning
22:39:07.421 Disk 0 trace - called modules:
22:39:07.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
22:39:07.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b19ab8]
22:39:07.437 3 CLASSPNP.SYS[f74dcfd7] -> nt!IofCallDriver -> \Device\00000085[0x84a943b8]
22:39:07.437 5 ACPI.sys[f7373620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84b5bd98]
22:39:09.765 AVAST engine scan C:\WINDOWS
22:39:40.125 AVAST engine scan C:\WINDOWS\system32
22:55:29.187 AVAST engine scan C:\WINDOWS\system32\drivers
22:56:17.671 AVAST engine scan C:\Documents and Settings\Tea
23:08:37.656 AVAST engine scan C:\Documents and Settings\All Users
23:09:45.765 Scan finished successfully
23:10:13.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tea\Desktop\MBR.dat"
23:10:13.812 The log file has been saved successfully to "C:\Documents and Settings\Tea\Desktop\aswMBR.txt"

I've scanned the laptop with aswMBR [quickscan]... the laptop is still very bad...
It takes a while to boot, and still sometimes when you turn it on it doesn't work, you can't do anything, the sand watch appears and doesn't go away... :( I think this laptop is beyond repair :( Is there anything else I could do, or is a Windows reinstall the only thing that will help? Sorry for the late answer.
 
Hi marko1234,

Now that we have fixed that driver, perhaps another run of ComboFix may turn something up. The driver may have been hiding something.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.


Please download ComboFix from Link 1 or Link 2 to your desktop.



  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    • Notes:

      1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      Please post back with
      • combofix log
      How is the computer?
 
Hi oldman960

Here's the log you requested

ComboFix 12-02-11.02 - Tea 11.02.2012 19:53:35.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.895.281 [GMT 1:00]
Running from: c:\documents and settings\Tea\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dds_log_trash.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-01-31 18:50 . 2012-01-31 18:50 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-26 20:23 . 2012-01-26 20:23 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-26 14:01 . 2012-01-26 14:01 -------- d-----w- c:\documents and settings\Tea\Application Data\f-secure
2012-01-26 13:59 . 2012-01-26 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2012-01-26 11:22 . 2007-02-14 13:21 67960 ----a-w- c:\windows\system32\drivers\btwusb.sys
2012-01-26 11:22 . 2007-02-14 13:21 30285 ----a-w- c:\windows\system32\drivers\btwmodem.sys
2012-01-26 11:22 . 2007-02-14 13:20 868298 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2012-01-26 11:22 . 2007-02-14 13:20 47907 ----a-w- c:\windows\system32\drivers\btwhid.sys
2012-01-26 11:22 . 2007-02-14 13:20 30459 ----a-w- c:\windows\system32\drivers\btport.sys
2012-01-26 11:22 . 2007-02-14 13:20 149123 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2012-01-26 11:22 . 2007-02-14 13:20 530861 ----a-w- c:\windows\system32\drivers\btaudio.sys
2012-01-25 10:40 . 2012-01-25 10:40 -------- d-----w- c:\program files\IrfanView
2012-01-24 13:16 . 2012-01-24 13:16 -------- d-----w- c:\documents and settings\Tea\Application Data\Malwarebytes
2012-01-24 13:15 . 2012-01-24 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-24 13:15 . 2012-01-24 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-24 13:15 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-24 12:35 . 2012-01-24 12:35 -------- d-----w- c:\program files\Common Files\Java
2012-01-24 11:58 . 2012-01-24 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2012-01-23 23:41 . 2012-02-11 18:14 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-01-23 23:41 . 2012-01-23 23:41 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-01-23 23:41 . 2012-01-23 23:41 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-01-23 23:41 . 2012-02-11 18:14 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2012-01-23 23:41 . 2012-02-11 18:14 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2012-01-23 23:41 . 2012-02-11 18:14 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-01-23 23:41 . 2012-02-11 18:14 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-01-23 23:41 . 2012-02-11 18:14 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-01-23 23:41 . 2012-02-11 18:14 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-23 23:41 . 2012-01-23 23:41 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-23 23:41 . 2012-01-23 23:41 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-23 23:41 . 2012-01-23 23:41 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-23 10:33 . 2012-01-23 10:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-17 10:57 . 2012-01-17 10:57 -------- d-----w- c:\program files\ERUNT
2012-01-17 01:49 . 2012-01-17 01:49 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 18:51 . 2008-04-14 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-01-26 00:49 . 2010-04-11 14:33 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2012-02-11 18:14 . 2012-01-23 23:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-02-22 2140880]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Tea\\Desktop\\COD\\Call of Duty 1.5 + United Offensive\\Call of Duty\\CoDUOMP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [22.2.2010 15:50 114984]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [22.2.2010 15:50 810120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24.1.2012 14:15 652872]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 15:13 292384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24.1.2012 14:15 20464]
S2 gupdate;Usluga Google ažuriranje (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30.4.2010 17:31 135664]
S3 gupdatem;Usluga Google ažuriranje (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30.4.2010 17:31 135664]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [17.7.2007 0:24 35072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 10:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 16:31]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 16:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Tea\Application Data\Mozilla\Firefox\Profiles\zl22bngb.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-60101761.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 20:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-02-11 20:10:42
ComboFix-quarantined-files.txt 2012-02-11 19:10
.
Pre-Run: 89.581.780.992 bytes free
Post-Run: 90.097.799.168 bytes free
.
- - End Of File - - BA206C6117DCBD4BD7DB8986535DA776

The laptop is still really bad. Just the Windows XP logo when booting stays there for a few minutes, not to mention the actual time until the laptop is finally operable. Any more ideas?
 
Hi marko1234,

I'm not seeing anything out of the ordinary in the logs. Is backing up and reinstalling Windows an option?
 
Yeah, it is. I mean, I told my sister to back up the photos and the rest of the documents she needs to a USB, so I think I'll reinstall Windows now. Anyways, thanks a lot for all your time and help. Sorry I bothered you ;)

P.S. I have one question and I was wondering if you could help me... I will stick that USB with all the backup in my PC, but I was wondering if there is some way I could prevent infecting my PC. I have disabled autorun and just scan the USB with my NOD32. Just wondering, is that enough? Thanks in advance.
 
Hi marko1234,

That should be enough if autorun has been disabled. What is the operating system of your computer? There may be a tool available to use on both your computer and the USB device.
 
Hi marko1234,

You can run this on the computer while the USB device is attached. There isn't a user interface; you might see a brief black flash on your screen when it runs.



Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
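An added example, not part of the thread or of Flash_Disinfector itself, that puts the two defences discussed in these last posts into code: it inspects an autorun.inf for the entries that launch code when a USB drive is inserted, and reserves the name autorun.inf as a directory the way the tool does. The autorun.inf contents and the drive path are constructed for illustration.

```python
import os

# [autorun] keys that make Windows launch a program, or hijack an Explorer
# shell verb, when the drive is inserted or double-clicked.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

# Constructed sample (not from the thread), modelled on a typical USB-worm
# autorun.inf: the icon/action lines mimic Explorer's own "Open folder" entry.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=RECYCLER\\hidden_dropper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\hidden_dropper.exe
shell\\explore\\Command=RECYCLER\\hidden_dropper.exe
"""


def parse_autorun(text):
    """Return the (key, value) pairs in [autorun] that would run code.
    Hand-rolled rather than configparser: worms pad autorun.inf with junk
    lines that strict INI parsers reject."""
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in EXEC_KEYS:
                hits.append((key.strip().lower(), value.strip()))
    return hits


def reserve_autorun_name(drive_root):
    """Flash_Disinfector's technique: a *directory* named autorun.inf at the
    drive root. A file and a directory cannot share a name, so malware can no
    longer drop an autorun.inf file there. (The tool also marks the folder
    hidden/system; that step is Windows-only and omitted here.)"""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "already-protected"
    if os.path.isfile(path):
        return "file-present"  # inspect it with parse_autorun before removing
    os.mkdir(path)
    return "created"
```

Run `reserve_autorun_name` against the root of the mounted USB drive (for example `E:\`) only after `parse_autorun` has reported nothing on any existing autorun.inf file there.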
 