Possible rootkit and unknown ads

[loser]

Hello i'm not sure if this post belongs to here because my computer is not showing any actual symptoms of infection but i ran a scan with spy dll remover and combofix and both found rootkit activity but could not tell what was causing it, combofix even asked me to reboot the computer. So here are my dds logs and root alyzer log and the packed suspicious files that were found bu rootalyzer.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 16:03:48,92 on ma 27.12.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT 2:00]

AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Main
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
svchost.exe
C:\WINDOWS\System32\SvcHost.exe -k BullGuard
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fi/
mStart Page = about:blank
BHO: BullGuard Safe Browsing: {fc872b94-35e3-4b94-b028-184a2a1c7cce} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIEBHO.dll
uRun: [Nokia Internet Modem] "c:\program files\nokia\nokia internet modem\WellPhone2.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
LSP: c:\windows\system32\BGLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292479423390
TCP: {FE31AAE5-4FDE-4CEF-8BB4-2498F9CF42B3} = 62.241.198.245 62.241.198.246
Handler: bglink - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIEBHO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\yqypozw2.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\bullguard ltd\bullguard\antiphishing\ff\antiphishing@bullguard\components\BGFFComponent.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2010-10-12 61152]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2010-11-15 787912]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2010-11-15 19144]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2010-11-23 327000]
R2 BsBrowser;BullGuard antiphishing service;c:\windows\system32\SvcHost.exe -k BullGuard_LowPriv [2010-12-17 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2010-12-17 14336]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2010-12-17 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard [2010-12-17 14336]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2010-12-17 14336]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2010-11-26 308056]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-16 363344]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2010-10-12 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2010-10-12 267624]
R3 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2010-11-23 253784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-16 20952]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [2009-8-5 27008]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-12-19 206608]
S2 Trend Micro RUBotted Service;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2010-12-18 431440]
S3 BgRaSvc;BgRaSvc;c:\program files\bullguard ltd\bullguard\support\BgRaSvc.exe [2010-11-26 124248]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 nokiacpo;Nokia Internet Stick Wireless Modem Service Install;c:\windows\system32\drivers\nokiacpo.sys [2009-8-5 18688]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-12-19 206608]

=============== File Associations ===============

JSEFile=c:\program files\analogx\script defender\sdefend.exe %1 %*
VBEFile=c:\program files\analogx\script defender\sdefend.exe %1 %*
VBSFile=c:\program files\analogx\script defender\sdefend.exe %1 %*

=============== Created Last 30 ================

2010-12-26 14:28:27 -------- d-----w- c:\program files\1by1
2010-12-26 09:37:06 -------- d-----w- c:\program files\AnalogX
2010-12-25 20:30:14 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-25 20:19:24 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Sunbelt Software
2010-12-25 20:15:40 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-12-25 16:01:02 -------- d-sha-r- C:\cmdcons
2010-12-25 15:59:02 98816 ----a-w- c:\windows\sed.exe
2010-12-25 15:59:02 89088 ----a-w- c:\windows\MBR.exe
2010-12-25 15:59:02 256512 ----a-w- c:\windows\PEV.exe
2010-12-25 15:59:02 161792 ----a-w- c:\windows\SWREG.exe
2010-12-25 15:37:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-12-25 15:37:25 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\NPE
2010-12-25 10:21:59 2 --shatr- c:\windows\winstart.bat
2010-12-25 10:21:11 -------- d-----w- c:\program files\UnHackMe
2010-12-25 10:17:38 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-25 10:00:29 -------- d-----w- c:\windows\system32\appmgmt
2010-12-24 09:27:54 -------- d-----w- c:\docume~1\admini~1\applic~1\Immunet
2010-12-24 09:27:44 -------- d-----w- c:\documents and settings\all users\Immunet
2010-12-22 07:36:52 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Identities
2010-12-21 18:26:48 -------- d-----w- c:\program files\MWSnap
2010-12-21 15:29:39 -------- d-----w- c:\docume~1\admini~1\applic~1\Foxit Software
2010-12-21 15:05:33 -------- d-----w- c:\docume~1\admini~1\applic~1\Software Inspection Library
2010-12-21 11:03:47 -------- d-----w- c:\docume~1\admini~1\applic~1\BullGuard
2010-12-21 11:00:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\BullGuard
2010-12-21 10:59:50 -------- d-----w- c:\program files\BullGuard Ltd
2010-12-21 10:06:03 -------- d-----w- c:\program files\Foxit Software
2010-12-20 18:36:19 11 ----a-w- c:\windows\system32\syse05e-1f9c.sys
2010-12-20 18:36:16 1701648 ----a-w- c:\windows\system32\VBA6.DLL
2010-12-20 18:36:16 140096 ----a-w- c:\windows\system32\COMDLG32.OCX
2010-12-20 18:36:16 1077336 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-20 18:36:11 -------- d-----w- c:\program files\Scut AntiVirus On-Demand
2010-12-20 18:25:30 -------- d--h--w- c:\windows\PIF
2010-12-20 18:24:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-20 18:19:04 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-20 18:19:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-20 18:18:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-19 12:34:49 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-12-18 21:24:02 -------- d-----w- c:\docume~1\admini~1\applic~1\TrojanHunter
2010-12-18 20:33:03 -------- d-----w- c:\program files\TrojanHunter 5.3
2010-12-18 20:21:10 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\FreeFixer
2010-12-18 20:21:10 -------- d-----w- c:\docume~1\admini~1\applic~1\FreeFixer
2010-12-18 16:53:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-18 16:53:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-18 16:48:05 -------- d-----w- c:\program files\FreeFixer
2010-12-18 11:57:05 -------- d-----w- c:\program files\Trend Micro
2010-12-18 11:55:20 -------- d-----w- c:\program files\CCleaner
2010-12-18 11:53:10 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-18 11:53:08 -------- d-----w- c:\program files\SpywareBlaster
2010-12-18 11:10:37 -------- d-----w- c:\documents and settings\administrator\DoctorWeb
2010-12-18 08:50:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-18 08:50:32 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-12-18 08:50:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-18 07:38:23 -------- d-----w- c:\program files\IZArc
2010-12-17 21:34:36 -------- d-----w- c:\windows\system32\XPSViewer
2010-12-17 21:33:30 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-12-17 21:33:07 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-12-17 21:33:07 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-12-17 21:33:07 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-12-17 21:33:07 117760 ------w- c:\windows\system32\prntvpt.dll
2010-12-17 21:33:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-12-17 21:33:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-12-17 21:33:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-12-17 21:33:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-12-17 21:33:05 -------- d-----w- C:\198842ec705728e80861
2010-12-17 18:05:45 294912 ------w- c:\program files\windows media player\dlimport.exe
2010-12-17 18:05:37 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-12-17 17:59:47 19569 ----a-w- c:\windows\002879_.tmp
2010-12-17 17:07:07 147456 ----a-w- c:\windows\system32\SPR001A6.TMP
2010-12-17 16:52:27 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-17 16:52:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-17 16:51:16 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-17 16:47:45 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 16:31:28 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-17 15:21:21 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-12-17 14:19:41 -------- d-----w- c:\windows\system32\scripting
2010-12-17 14:19:38 -------- d-----w- c:\windows\l2schemas
2010-12-17 14:19:36 -------- d-----w- c:\windows\system32\en
2010-12-17 14:19:36 -------- d-----w- c:\windows\system32\bits
2010-12-17 14:06:35 -------- d-----w- c:\windows\network diagnostic
2010-12-17 13:59:48 164352 ----a-w- c:\windows\system32\wstpager.ax
2010-12-17 13:58:58 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-12-17 13:57:59 56832 ----a-w- c:\windows\system32\mshtmler.dll
2010-12-17 11:11:10 -------- d-----w- c:\docume~1\admini~1\applic~1\WinPatrol
2010-12-17 11:10:43 -------- d-----w- c:\program files\BillP Studios
2010-12-17 10:21:08 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-12-17 07:47:41 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-12-17 07:44:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-12-16 21:19:51 -------- d-----w- c:\windows\SxsCaPendDel
2010-12-16 19:21:05 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-12-16 19:20:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 19:20:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-16 19:20:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 19:20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 07:42:43 -------- d-----w- c:\windows\ServicePackFiles
2010-12-16 07:28:29 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-16 07:23:28 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-16 07:20:20 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-12-16 07:18:37 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-12-16 07:16:34 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-12-16 07:16:34 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-12-16 07:16:06 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-16 07:02:27 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-12-16 07:02:27 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-12-16 07:02:26 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-12-16 07:02:26 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-12-16 07:02:25 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-12-16 07:02:24 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-12-16 07:02:24 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-12-16 07:02:23 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-12-16 07:02:23 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-12-16 07:02:21 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-12-16 07:02:20 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-12-16 07:02:18 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-12-16 07:01:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-12-16 07:01:29 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-12-16 06:59:00 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-12-16 06:56:55 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-12-16 06:56:43 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-12-16 06:11:03 -------- d-----w- c:\windows\system32\PreInstall
2010-12-16 06:11:02 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-12-16 06:11:01 -------- d--h--w- c:\windows\$hf_mig$
2010-12-16 06:04:40 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-12-16 06:04:39 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-12-16 06:04:38 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-12-16 06:04:37 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-12-16 06:04:37 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-12-15 23:13:29 -------- d-----w- c:\docume~1\admini~1\applic~1\f-secure

==================== Find3M ====================

2010-12-20 18:36:20 69120 ----a-w- c:\windows\notepad.exe
2010-12-20 18:36:20 146432 ------w- c:\windows\regedit.exe
2010-12-16 20:16:16 107776 ----a-w- c:\windows\inf\ac97ich4.sys
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 15:46:48 98184 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2010-10-20 15:46:36 150920 ----a-w- c:\windows\system32\BGLsp.dll
2010-10-19 12:56:04 99136 ----a-w- c:\windows\system32\BdInstHk.dll

============= FINISH: 16:07:23,75 ===============

````````````````````````
Edit
"Please do not attach or link to possibly infected files/URLS, if an analyst requests files s/he will give you a link to upload them."
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
FYI for future reference: Do NOT run 'FIXES' (ComboFix etc) without being asked

````````````````````````

Okay thanks for the information. Here is my rootrepeal report, i decided to try it... I only scanned for the drivers.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/12/28 20:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF73DA000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE743000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwprot.sys
Image Path: C:\WINDOWS\system32\drivers\dwprot.sys
Address: 0xED561000 Size: 128384 File Visible: No Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xEE372000 Size: 143744 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: NbQulyIl.sys
Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NbQulyIl.sys
Address: 0xED52F000 Size: 203904 File Visible: No Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7304000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED734000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==


Here is the results for the stream extracted from the notepad. It's the stream that was detected by rootalyzer... http://www.virustotal.com/file-scan...84e50133d98a527d9121c6f68b71784f4a-1293560728

:rockon:

 

[shelf life]

hi loser,

Your log is a few days old. If you still need help, reply back.

 

[loser]

Yeah sure it would be good if you could check the logs. Since i posted the logs i have changed my security programs to zonealarm free and antivir free. Antivir finds some hidden registry keys but not anything else. Anyways is that rootrepeal log and all the other logs showing anything malicious?

Here is the hidden registry keys that amtivir finds...

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-527237240-1644491937-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-527237240-1644491937-839522115-500\Software\Microsoft\Windows\CurrentVersion\MSXmlSl\node_mpqaftzafkzwzkuxxjcgyjpqramcsaqynsemesrxlzceqgfggcfby
[NOTE] The registry entry is invisible.
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\parseautoexec
[NOTE] The registry entry is invisible.

:cleaning:

 

[shelf life]

The logs look ok. Why dont you run combofix and produce a log. It should ask you to update before it starts scanning. You probably missed reading the guide before you used combofix. Read through the guide then apply the directions on your own machine:

Guide to using Combofix

 

[loser]

There is no visible indicators that my computer would be infected with any malware. It works normally and all exept that i cant boot it into safe mode. I ran the combofix again and i disabled antivir and zonealarm and mbam and closed all the browser windows and other windows. After sometimes it prompted a message saying rootkit activity detected combofix have to restart the computer. It then booted the computer and ran a scan at the startup when the other programs were not loaded. I dont know if the rootkit activity warning could be caused by my internet stick software or something. My windows cd is downloaded from a torrent site but i have a legal license code for it, i just did not receive the cd when i bought my computer. Anyways here is the combofix log...

ComboFix 11-01-03.04 - Administrator 04.01.2011 14:23:21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.706 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2010-12-28 15:04 . 2010-12-28 15:06 -------- d-----w- C:\unzipped
2010-12-17 21:33 . 2010-12-17 21:33 -------- d-----w- C:\198842ec705728e80861

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:29 . 2010-12-20 18:29 27668 ----a-w- C:\comcon.zip
2010-12-18 07:39 . 2010-12-18 07:39 9530 ----a-w- c:\windows\system32\lsass.zip
2010-12-16 20:16 . 2010-12-16 20:25 107776 ----a-w- c:\windows\inf\ac97ich4.sys
2010-12-16 20:16 . 2004-08-13 11:00 107776 ----a-w- c:\windows\system32\drivers\ac97ich4.sys
2010-10-28 13:13 . 2004-08-03 13:56 290048 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nokia Internet Modem"="c:\program files\Nokia\Nokia Internet Modem\WellPhone2.exe" [2009-10-23 1962648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [28.12.2010 13:39 135336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16.12.2010 21:20 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16.12.2010 21:20 20952]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [5.8.2009 17:03 27008]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [19.12.2010 14:34 206608]
S3 nokiacpo;Nokia Internet Stick Wireless Modem Service Install;c:\windows\system32\drivers\nokiacpo.sys [5.8.2009 17:03 18688]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [28.12.2010 20:47 53248]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [19.12.2010 14:34 206608]
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-01-02 08:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fi/
mStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yqypozw2.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- File Associations -------
.
JSEFile=c:\program files\AnalogX\Script Defender\sdefend.exe %1 %*
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-BsScanner



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 14:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-04 14:36:45
ComboFix-quarantined-files.txt 2011-01-04 12:36
ComboFix2.txt 2010-12-25 16:25

Pre-Run: 21*746*114*560 bytes free
Post-Run: 21*719*830*528 bytes free

- - End Of File - - 50FED3563CE189B659449300DC396A7E

:banghead:

 

[shelf life]

lets get another download to use and see if it removes anything, if it dosnt then we will use combofix to remove it.

Until the computer is clean I would use it as little as possible. Make sure it has no internet connectivity, if your not sure how to do this then I would power it off.

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

 

[loser]

I just scanned with tdsskiller here is the report.

2011/01/05 08:01:32.0421 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/05 08:01:32.0421 ================================================================================
2011/01/05 08:01:32.0421 SystemInfo:
2011/01/05 08:01:32.0421
2011/01/05 08:01:32.0421 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/05 08:01:32.0421 Product type: Workstation
2011/01/05 08:01:32.0421 ComputerName: COMPUTER-3B873B
2011/01/05 08:01:32.0421 UserName: Administrator
2011/01/05 08:01:32.0421 Windows directory: C:\WINDOWS
2011/01/05 08:01:32.0421 System windows directory: C:\WINDOWS
2011/01/05 08:01:32.0421 Processor architecture: Intel x86
2011/01/05 08:01:32.0421 Number of processors: 1
2011/01/05 08:01:32.0421 Page size: 0x1000
2011/01/05 08:01:32.0421 Boot type: Normal boot
2011/01/05 08:01:32.0421 ================================================================================
2011/01/05 08:01:32.0828 Initialize success
2011/01/05 08:01:36.0406 ================================================================================
2011/01/05 08:01:36.0406 Scan started
2011/01/05 08:01:36.0406 Mode: Manual;
2011/01/05 08:01:36.0406 ================================================================================
2011/01/05 08:01:38.0312 ac97intc (b6920ae5566c42f09df44e70388be78a) C:\WINDOWS\system32\drivers\ac97ich4.sys
2011/01/05 08:01:38.0625 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/05 08:01:38.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/05 08:01:39.0218 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/05 08:01:39.0375 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/05 08:01:40.0187 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/05 08:01:40.0265 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/05 08:01:40.0453 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/05 08:01:40.0609 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/05 08:01:40.0781 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/01/05 08:01:40.0890 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/01/05 08:01:41.0000 avipbb (da39805e2bad99d37fce9477dd94e7f2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/01/05 08:01:41.0140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/05 08:01:41.0406 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/05 08:01:41.0609 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/05 08:01:41.0781 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/05 08:01:41.0859 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/05 08:01:42.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/05 08:01:42.0625 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/05 08:01:42.0781 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/05 08:01:42.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/05 08:01:43.0015 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/05 08:01:43.0218 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/05 08:01:43.0406 esihdrv (81c32592f29e647a29a998b8b2f4b931) C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys
2011/01/05 08:01:43.0593 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/05 08:01:43.0765 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/05 08:01:43.0890 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/05 08:01:43.0953 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/05 08:01:44.0093 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/05 08:01:44.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/05 08:01:44.0328 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/05 08:01:44.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/05 08:01:44.0687 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/05 08:01:44.0953 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/05 08:01:45.0109 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/05 08:01:45.0265 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/05 08:01:45.0468 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/05 08:01:45.0546 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/05 08:01:45.0656 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/05 08:01:45.0796 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/05 08:01:45.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/05 08:01:46.0031 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/05 08:01:46.0140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/05 08:01:46.0250 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/05 08:01:46.0375 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/05 08:01:46.0453 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/05 08:01:46.0578 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/05 08:01:46.0718 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/05 08:01:46.0968 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/01/05 08:01:47.0125 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/05 08:01:47.0234 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/05 08:01:47.0312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/05 08:01:47.0437 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/05 08:01:47.0593 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/05 08:01:47.0765 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/05 08:01:47.0968 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/05 08:01:48.0093 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/05 08:01:48.0218 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/05 08:01:48.0328 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/05 08:01:48.0453 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/05 08:01:48.0609 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/05 08:01:48.0750 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/05 08:01:48.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/05 08:01:48.0984 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/05 08:01:49.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/05 08:01:49.0234 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/05 08:01:49.0375 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/05 08:01:49.0484 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/05 08:01:49.0734 nokiacpo (8d06b0e793247e690020851a19869e80) C:\WINDOWS\system32\DRIVERS\nokiacpo.sys
2011/01/05 08:01:49.0875 nokiappo (a0a8e3fe131e99c71e707dd48e6db53d) C:\WINDOWS\system32\DRIVERS\nokiappo.sys
2011/01/05 08:01:50.0031 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/05 08:01:50.0171 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/05 08:01:50.0375 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/05 08:01:50.0500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/05 08:01:50.0609 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/05 08:01:50.0781 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/05 08:01:50.0906 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/05 08:01:51.0015 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/05 08:01:51.0140 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/05 08:01:51.0296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/01/05 08:01:51.0437 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/05 08:01:52.0156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/05 08:01:52.0296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/05 08:01:52.0421 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/05 08:01:52.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/05 08:01:53.0109 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/05 08:01:53.0203 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/05 08:01:53.0328 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/05 08:01:53.0468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/05 08:01:53.0578 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/05 08:01:53.0750 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/05 08:01:53.0937 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/05 08:01:54.0140 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/05 08:01:54.0281 rk_remover-boot (8cdcdcf155482090c0251f75ce63b443) C:\WINDOWS\system32\drivers\rk_remover.sys
2011/01/05 08:01:54.0515 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/05 08:01:54.0703 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/01/05 08:01:54.0890 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/05 08:01:55.0015 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/05 08:01:55.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/05 08:01:55.0265 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/05 08:01:55.0562 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/05 08:01:55.0703 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/05 08:01:55.0843 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/05 08:01:56.0000 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/01/05 08:01:56.0187 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/05 08:01:56.0312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/05 08:01:56.0796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/05 08:01:57.0203 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/05 08:01:57.0406 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/05 08:01:57.0531 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/05 08:01:57.0671 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/05 08:01:57.0875 TMPassthru (690acb48dac04e44a3d5e7654ca3260d) C:\WINDOWS\system32\DRIVERS\TMPassthru.sys
2011/01/05 08:01:57.0921 TMPassthruMP (690acb48dac04e44a3d5e7654ca3260d) C:\WINDOWS\system32\DRIVERS\TMPassthru.sys
2011/01/05 08:01:58.0140 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/05 08:01:58.0359 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/05 08:01:58.0578 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/05 08:01:58.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/05 08:01:58.0921 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/05 08:01:59.0078 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/05 08:01:59.0203 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/05 08:01:59.0328 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2011/01/05 08:01:59.0437 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/05 08:01:59.0531 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/05 08:01:59.0671 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/05 08:01:59.0890 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/05 08:02:00.0031 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2011/01/05 08:02:00.0281 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/05 08:02:00.0500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/05 08:02:00.0796 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/05 08:02:01.0218 ================================================================================
2011/01/05 08:02:01.0218 Scan finished
2011/01/05 08:02:01.0218 ================================================================================
2011/01/05 08:02:21.0812 Deinitialize success

olice:

 

[loser]

I uploaded the files in the system32/drivers directory to virustotal to pass the time. Here are some detections, i am not sure if they are all false positives.

cdaudio.sys eSafe 7.0.17.0 2011.01.02 Win32.Banker
http://www.virustotal.com/file-scan/report.html?id=aa4dd9e7aae5aab1146b360b17001f975d2f29a1281cf7b13e7136480410f347-1294234001

cpqdap01.sys eSafe 7.0.17.0 2011.01.02 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=ef1376ec220841bcfd9e847295559625c007545839fe6309380f937057203e82-1294234283

ipsec.sys McAfee-GW-Edition 2010.1C 2011.01.05 Heuristic.LooksLike.Trojan.Patched.I
http://www.virustotal.com/file-scan/report.html?id=394d296f38e7d8efd91a6eec301d9ce6af910e35eb9819f1a9e3363863aedfdc-1294235450

kbdclass.sys McAfee-GW-Edition 2010.1C 2011.01.05 Heuristic.LooksLike.Trojan.Patched.I
http://www.virustotal.com/file-scan/report.html?id=e3b11ba26afeafb50b0fc168ea07f6049da6b88bcddeee20310602d7fc27a3a7-1294235813

mouclass.sys McAfee-GW-Edition 2010.1C 2011.01.05 Heuristic.LooksLike.Trojan.Patched.I
http://www.virustotal.com/file-scan/report.html?id=0c0fce6b0a23fb0ecb92e1663e1c72d2dd5b177d82e04782957690b69530db39-1294236176

nikedrv.sys eSafe 7.0.17.0 2011.01.02 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=6c3cc1726252530f87e43507cae92b21ca217138c4daad7b76a6a25591824051-1294236795

ptilink.sys eSafe 7.0.17.0 2011.01.02 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=da76804b55d0cab3ddd01efc06673764ae4860693375c658b6063fb14af7f12c-1294237710

rasacd.sys McAfee-GW-Edition 2010.1C 2011.01.05 Heuristic.LooksLike.Trojan.Patched.I
http://www.virustotal.com/file-scan/report.html?id=998685622abe631984b7e4dbf91ab3594b1f574378d75eb9f6265f4650470692-1294238294

rio8drv.sys eSafe 7.0.17.0 2011.01.05 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=6b9f6423d0c579e4a354ab0300291fe8abb4f72031f2d8bbc709464975800b2d-1294238693

secdrv.sys eSafe 7.0.17.0 2011.01.05 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=f72733a69bc6e1a2bb91d7632ff3463c12563f60fdcc00a2cdd67ff20d479952-1294238960

serial.sys McAfee-GW-Edition 2010.1C 2011.01.05 Heuristic.LooksLike.Trojan.Patched.I
http://www.virustotal.com/file-scan/report.html?id=5999b39242283cd803319aadca171cccc6e2a40fb2fafa51b1d29f3ff2dd8d6c-1294238989

tsbvcap.sys eSafe 7.0.17.0 2011.01.05 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=0cf11b73aca19fce26f76e25436e88d764e31d87a81944db7bca006a7646f591-1294240051

vdmindvd.sys eSafe 7.0.17.0 2011.01.05 Win32.TrojanHorse
http://www.virustotal.com/file-scan/report.html?id=478cfa2cb8f62e645f3255920bbd97e0cd1736452ca9aa98a1f358c1ff0fa9dd-1294240645

:spider:

 

[shelf life]

I dont see anything that looks like a rootkit in the logs. you can look for these two zip files and upload them to virustotal to get checked out. The lsass does look like its malware , so dont open it. You can post the url once you get the result.

C:\comcon.zip
c:\windows\system32\lsass.zip

Those other virustotal scans look like false positives, most likely if they were patched alot of the other scanners would have flagged them also not just one. You should also know that alot of malware is distributed via p2p networks. Not saying thats how you got it. I use p2p also, i have some serious bandwidth going right now via transmission, a linux client.
Lets get another download as a check for rootkits:

Please Download Rootkit Unhokker Save it to your desktop.
*Now double-click on RKUnhookerLE.exe to run it.
*Click the Report tab, then click Scan.
*Check only: Drivers, Stealth Code, Files, Code Hooks. Uncheck the rest. then Click OK. An initial scan will be performed.
*When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
*Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
*Save the report somewhere you can find it. Click Close to exit.
*Copy the entire contents of the report and paste it in your next reply.
You may get a warning about parasite detection. Please click OK to continue.

 

[loser]

I scanned the lsass.zip in virustotal. I actually zipped it some time ago because i sent the file to some antivirus companies because the lsass.exe in my computer was detected by esafe as a banker but it's propably a false positive.
Anyways here is the virustotal report http://www.virustotal.com/file-scan/report.html?id=2db1d6e2e9f19e75ad1ecd4cc63277e24551389fe7254d7a6836e13bb9cdcaac-1294296641

The comcon.zip is a file converter that i downloaded some times ago and i zipped it because i sent it also to some antivirus companies because it was detected by vba32 i cant scan it now because i deleted the file allready from my computer.

One thing i notice when i start my computer is that when there is the selection screen that has the menu to select system recovery or windows xp has now also a third selection called do not select this [debugger enabled].

Here is the scan log.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF05E000 C:\WINDOWS\System32\ialmdd5.DLL 765952 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xF7198000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 684032 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF72A1000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEE354000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF701C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEE45B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEDAF4000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF6FEB000 C:\WINDOWS\system32\DRIVERS\TMPassthru.sys 200704 bytes (Trend Micro Inc., -)
0xF707A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7448000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEDE89000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7345000 C:\WINDOWS\system32\drivers\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xED5A5000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE3C4000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEE433000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73F2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xEE32E000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xED5D0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF70EA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7160000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7129000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEE411000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEE3EF000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7372000 dwprot.sys 131072 bytes (Doctor Web, Ltd., Dr.Web Protection for Windows)
0xF73BA000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7418000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBF03F000 C:\WINDOWS\System32\ialmdev5.DLL 126976 bytes (Intel Corporation, Component GHAL Driver)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 126976 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF710E000 C:\WINDOWS\system32\drivers\ac97ich4.sys 110592 bytes (Intel Corporation, Intel(r) Integrated Controller Hub Audio Driver)
0xF7287000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF73DA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEE2EE000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF732E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF70BB000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF7392000 spiderg3.sys 90112 bytes (Doctor Web, Ltd., Dr.Web File System Monitor)
0xEDE4C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF714C000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7184000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEE4B4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73A8000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7437000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF70AA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7547000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7607000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF75D7000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7627000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7617000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEE166000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF74D7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF75E7000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7637000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74B7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF76F7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF75F7000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74A7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7647000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7497000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76A7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7697000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74C7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF75C7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xEE106000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF7667000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xED9C4000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7837000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF77DF000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7817000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7777000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF777F000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF782F000 C:\WINDOWS\system32\DRIVERS\nokiappo.sys 28672 bytes (Icera Inc., Icera Power Policy Filter)
0xF7717000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7827000 C:\WINDOWS\system32\DRIVERS\usbser.sys 28672 bytes (Microsoft Corporation, USB Modem Driver)
0xF7787000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF778F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77E7000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF776F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF77D7000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF771F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7857000 C:\WINDOWS\system32\Drivers\PROCEXP141.SYS 20480 bytes
0xF779F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7727000 C:\WINDOWS\system32\drivers\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF781F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xEE0AE000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xEE236000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF795B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEE216000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF793B000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF78A7000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF6FCF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7943000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7257000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF724F000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF79AF000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF799D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79BB000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79AD000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF799B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7997000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B1000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A4F000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79B3000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79A7000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79AB000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7999000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7B4D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7B87000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7AA4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A5F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x03AE0000 Hidden Image-->Smartcom.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 2109440 bytes
0x06170000 Hidden Image-->Smartcom.Portal.Service.Client.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 290816 bytes
0x05A70000 Hidden Image-->System.Data.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 2961408 bytes
0x04EA0000 Hidden Image-->MapiImpl.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 36864 bytes
0x04BF0000 Hidden Image-->WiFiImpl.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 45056 bytes
0x03F90000 Hidden Image-->WellphoneLib.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 552960 bytes
0x060C0000 Hidden Image-->Smartcom.Portal.Object.dll [ EPROCESS 0x85EEDB18 ] PID: 1780, 94208 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
==============================================
>Hooks
==============================================
Key object-->ParseProcedure, Type: Kernel Object [dwprot.sys]
LpcPort object-->OpenProcedure, Type: Kernel Object [dwprot.sys]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA0C, Type: Inline - RelativeJump 0x804E2A0C-->804E2A4A [ntoskrnl.exe]
Process object-->DeleteProcedure, Type: Kernel Object [dwprot.sys]
[1308]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1308]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1308]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1308]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1308]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1308]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B1248-->00000000 [shimeng.dll]
[1308]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]

 

[loser]

I did a little bit of research because i had nothing better to do and i dumped the memory of notepad.exe which contained the alternate data streams that were not detected in virustotal but the memory dump of notepad.exe was detected by Ikarus as virus.virut. Here is the virustotal results link http://www.virustotal.com/file-scan/report.html?id=dca0dd17487a916a8b064ff38d19b2f036efee8eceab3f3183d025d66942f4b3-1294312811

:crazy:

 

[loser]

Here is the anubis analysis report of the notepad.exe memory dump http://anubis.iseclab.org/?action=result&task_id=187151c91095ad7b42df94f3c6d74292b&format=html

 

[loser]

Superantispyware detected some registry key. Here is a screenshot.

It only detected a registry key but i am allmost sure that i dont have any pallidium in my computer. What are the best tools to examine and detect viruses like virut? http://www.f-secure.com/v-descs/virus_w32_virut.shtml

I will be silent now until the next reply.

 

[loser]

 

[shelf life]

Win32 Virut is a file that can infect all .exe and .scr extensions. As you know there are many .exe files on a machine If you had it before its possible that it didnt get all cleaned up or maybe left behind damaged files after removing the virus.
The virus has been around for awhile, your updated AV should be able to remove it.
you can do a online scan also:

ESET online scanner:

http://www.eset.com/onlinescan/

Use Internet Explorer
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan archives" Leave the defaults checked under Advanced settings
click scan. When it completes click "List found threats"
click "Export to text file.." and save it to your desktop. Post the saved log.
Click "back" and "finish"

 

[loser]

I ran the eset online scan but it did not find any viruses. I also checked my computer with antirootkit tool from novirusthanks and here is the log.

==========================================================================================================================
NoVirusThanks Anti-Rootkit v1.1 (FREE EDITION)
Microsoft Windows Version 5.1 Build: 2600 Service Pack: 3
Detected CPUs: (1)
Scanning Commenced... 7.1.2011 13:36:59
==========================================================================================================================
>>>SSDT<<<
==========================================================================================================================

#17 NtAllocateVirtualMemory
Real Address: 0x80568FCA
Hook Address: 0xF7386088 [dwprot.sys]

#53 NtCreateThread
Real Address: 0x80587A3C
Hook Address: 0xF73871E0 [dwprot.sys]

#83 NtFreeVirtualMemory
Real Address: 0x805698F5
Hook Address: 0xF7386306 [dwprot.sys]

#125 NtOpenSection
Real Address: 0x805711B4
Hook Address: 0xF7385ED2 [dwprot.sys]

#180 NtQueueApcThread
Real Address: 0x8058A487
Hook Address: 0xF73872E2 [dwprot.sys]

#213 NtSetContextThread
Real Address: 0x8062E057
Hook Address: 0xF738732E [dwprot.sys]

#255 NtSystemDebugControl
Real Address: 0x8064A01B
Hook Address: 0xF7385E00 [dwprot.sys]

#277 NtWriteVirtualMemory
Real Address: 0x8057E60A
Hook Address: 0xF7386416 [dwprot.sys]

==========================================================================================================================
>>>Shadow SDT<<<
==========================================================================================================================

#460 NtUserMessageCall
Real Address: 0xBF80EE79
Hook Address: 0xF738702C [dwprot.sys]

#475 NtUserPostMessage
Real Address: 0xBF8082F2
Hook Address: 0xF7386FA0 [dwprot.sys]

#476 NtUserPostThreadMessage
Real Address: 0xBF89ED29
Hook Address: 0xF7385950 [dwprot.sys]

#483 NtUserQueryWindow
Real Address: 0xBF80A10D
Hook Address: 0xF7385878 [dwprot.sys]

#558 NtUserSwitchDesktop
Real Address: 0xBF84608E
Hook Address: 0xF7385814 [dwprot.sys]

==========================================================================================================================
>>>Kernel Notify Routines<<<
==========================================================================================================================

CreateProcess: Address 0xF739EE2C [spiderg3.sys]
Hidden Loaded Driver: False

LoadImage: Address 0xF739C45A [spiderg3.sys]
Hidden Loaded Driver: False

==========================================================================================================================
>>>Processes<<<
==========================================================================================================================

0x863C67F8 [4]SYSTEM
Suspicious: False
Hidden: False

0x860CEB78 [1032]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x8621CDA0 [624]C:\WINDOWS\system32\services.exe
Suspicious: False
Hidden: False

0x8601ADA0 [144]C:\WINDOWS\system32\igfxtray.exe
Suspicious: True
Hidden: False

0x860F1570 [548]C:\WINDOWS\system32\csrss.exe
Suspicious: False
Hidden: False

0x86079528 [208]C:\WINDOWS\system32\hkcmd.exe
Suspicious: True
Hidden: False

0x86222B78 [1376]C:\WINDOWS\explorer.exe
Suspicious: False
Hidden: False

0x860B74A0 [184]C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
Suspicious: False
Hidden: False

0x860BFA08 [884]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x860B84B8 [276]C:\Program Files\Nokia\Nokia Internet Modem\Wellphone2.exe
Suspicious: False
Hidden: False

0x86097DA0 [260]C:\Program Files\DrWeb\spiderml.exe
Suspicious: False
Hidden: False

0x85FCEDA0 [268]C:\Program Files\DrWeb\spideragent.exe
Suspicious: False
Hidden: False

0x85FEBBE0 [280]C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
Suspicious: False
Hidden: False

0x86073268 [1604]C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
Suspicious: False
Hidden: False

0x861C19B0 [476]C:\WINDOWS\system32\smss.exe
Suspicious: False
Hidden: False

0x8604AA08 [1696]C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
Suspicious: False
Hidden: False

0x861575D8 [988]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x86236030 [580]C:\WINDOWS\system32\winlogon.exe
Suspicious: False
Hidden: False

0x860DEDA0 [636]C:\WINDOWS\system32\lsass.exe
Suspicious: False
Hidden: False

0x86155728 [1408]C:\WINDOWS\system32\spoolsv.exe
Suspicious: False
Hidden: False

0x86128950 [788]C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Suspicious: False
Hidden: False

0x86059B78 [1816]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x85D90030 [3352]C:\Program Files\NoVirusThanks\Anti-Rootkit (Free Edition)\NVTArk.exe
Suspicious: False
Hidden: False

0x860126C8 [936]C:\WINDOWS\system32\wbem\wmiprvse.exe
Suspicious: False
Hidden: False

0x85FEE8C0 [1552]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x860F2DA0 [1156]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x860F2B10 [1240]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False

0x861BB2D8 [1320]C:\WINDOWS\system32\alg.exe
Suspicious: False
Hidden: False

0x86194778 [1912]C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
Suspicious: False
Hidden: False

==========================================================================================================================
>>>SYSENTER<<<
==========================================================================================================================

CPU #0 Hook Address: 0x804DE6F0[C:\WINDOWS\system32\ntoskrnl.exe]
Hooked: False

==========================================================================================================================
>>>Drivers<<<
==========================================================================================================================

==========================================================================================================================
>>>IDT<<<
==========================================================================================================================

==========================================================================================================================
>>>Windows Message Hooks<<<
==========================================================================================================================

Process: [548]csrss.exe
Type: WH_MSGFILTER
Address: 0x75B67406
TID: 452
Hook Module: winsrv.dll

Process: [280]AWC.exe
Type: WH_GETMESSAGE
Address: 0x0041E694
TID: 284
Hook Module: AWC.exe

==========================================================================================================================
>>>BHOs<<<
==========================================================================================================================

==========================================================================================================================
>>>AppInit_DLLs<<<
==========================================================================================================================

==========================================================================================================================
>>>IRP Hooks<<<
==========================================================================================================================

==========================================================================================================================
>>>Ring0 Export Hooks<<<
==========================================================================================================================

==========================================================================================================================
>>>Ring3 Export Hooks<<<
==========================================================================================================================

[260]spiderml.exe->kernel32.dll->SetUnhandledExceptionFilter
Real Address: 0x7C84495D
Hook Address: 0x004533E0
Hook Module: spiderml.exe
Hidden Hook Module: False


==========================================================================================================================
>>>Locked System Files<<<
==========================================================================================================================

==========================================================================================================================
>>>Locked Generic Files<<<
==========================================================================================================================

==========================================================================================================================
>>>Master Boot Record (MBR)<<<
==========================================================================================================================

Master Boot Record (MBR) appears to be Ok...

==========================================================================================================================
Scan Complete... 7.1.2011 13:38:38
==========================================================================================================================

I dont know what to say about that report. Most are entries are from dr.web antivirus. There also seems to be couple that it detects as suspicious at lest other of them is from intel corporation. Maybe i scan my computer with fsecure easyclean to see if it finds anything. I just dont know could it be that my computer is not infected after all? I just dont know what to think about all these malware things.

 

[shelf life]

could it be that my computer is not infected after all?

Well, luckily most malware will produce symptoms on a computer, the popular TDL family of rootkits symptoms are web page redirection. This is very obvious to a user.
All AV/antimalware are capable of false positives, or possibly finding other items one scanner didnt find. Thats why you should use 2 or 3 antimalware apps. You have at least Malwarebytes and Superantispyware. We also ran combofix (good for all kinds of malware)TDSSkiller (For TDL family of rootkits), Rootkit Unhooker (rootkits in general) plus the rootkit tool you ran and you did a online scan.
Surely a infection would have been picked up by these in some shape or form.

 

[loser]

Well, luckily most malware will produce symptoms on a computer, the popular TDL family of rootkits symptoms are web page redirection. This is very obvious to a user.
All AV/antimalware are capable of false positives, or possibly finding other items one scanner didnt find. Thats why you should use 2 or 3 antimalware apps. You have at least Malwarebytes and Superantispyware. We also ran combofix (good for all kinds of malware)TDSSkiller (For TDL family of rootkits), Rootkit Unhooker (rootkits in general) plus the rootkit tool you ran and you did a online scan.
Surely a infection would have been picked up by these in some shape or form.

I have been scanned with allmost all free scanners and couple of paid ones and nothing have been found. Couple days ago i dumped the explorer.exe with rku and scanned it in virustotal and it was detected by Quicheal as TrojanDownloader.Geral.ske then i submitted it to clamav for analysis and now it is detected by clamav as Trojan.Backdoor.Bot-1 http://www.virustotal.com/file-scan/report.html?id=37397f5f5e79e494ad3b7c8ff7f79c41a3379685f6077557aae46ac01fab09b2-1294484246

It does not help me much though because if the malware is memory resident and scanners detect only the actual file in the hard-disk. If there only would be a scanner that would detect it in the computers memory and be able to clean it. Maybe i should still try to scan with clamav and see if it finds anything. If theres a virus in my computer it must be memory resident and hiding quite well but i doubt it.

:rotfl:

 

[shelf life]

I can think of only on AV that dosn't scan resident memory and thats ClamAv, which is a on demand scanner. I dont recognize anything in any of the logs. I cant believe something would slip by all the tools that we used and the ones you ran yourself. Theres just no consistency or anything common between all the results (logs). All I can go by is the logs that one posts. A few random positives at virustotal and really nothing in the other tools wont convince me. However its your machine and if you dont feel comfortable using it then I would suggest a reformat reinstall of the Windows OS.

 

[loser]

I can think of only on AV that dosn't scan resident memory and thats ClamAv, which is a on demand scanner. I dont recognize anything in any of the logs. I cant believe something would slip by all the tools that we used and the ones you ran yourself. Theres just no consistency or anything common between all the results (logs). All I can go by is the logs that one posts. A few random positives at virustotal and really nothing in the other tools wont convince me. However its your machine and if you dont feel comfortable using it then I would suggest a reformat reinstall of the Windows OS.

I am pretty sure that it's clean too. So i am not going to reinstall windows. Thanks for all the help and peace. We should consider this case solved.