
1. At first my computer's firewall kept turning off and lagging insanely, and when it did, the "don't send error / send error" dialog would pop up everywhere. While I was doing nothing, as if I was just typing in Notepad, Avast would pop up and block a "trojan horse" or malware. That was all. Sometimes it would also turn off my antivirus.

2. I removed some of it, and the firewall no longer closes itself, and neither do the antiviruses. I keep finding "(random letters)tssd.exe" in my Task Manager and I close them.

3. During all this time, whenever I surf the web, it adds random tabs to ad sites like "home decor", "games", etc. Before, whenever I clicked on anything like a YouTube video, it would send me to a random ad site, but now it just adds tabs instead of redirecting me. Sometimes the malware is powerful enough to block everything I do: I press Ctrl+Alt+Delete for Task Manager, I see the loading hourglass, then it never pops up; I double-click any program and none will open; the Start button won't come up; nothing happens. It's like everything is locked down except for my mouse and the ability to highlight things.

4. These symptoms have been happening for about a month. I deleted some files I recently put on my computer that I suspect of having malware; I have some videos (movies/episodes) on my computer.

5. My computer lags, ads pop up in tabs, and I don't like the lockdown mode that happens.

Please help.

MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/21/2010 10:32:03 PM
mbam-log-2010-06-21 (22-32-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 160059
Time elapsed: 20 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER ONE:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-21 21:36:27
Windows 5.1.2600 Service Pack 2
Running: nxg6jws3.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kflyyfog.sys


---- System - GMER 1.0.15 ----

SSDT splm.sys ZwEnumerateKey [0xF7335DA4]
SSDT splm.sys ZwEnumerateValueKey [0xF7336132]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF41E3AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF41E38EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF41E3A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 86F781F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdir.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86D0ED01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER TWO:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 21:43:04
Windows 5.1.2600 Service Pack 2
Running: nxg6jws3.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kflyyfog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF41D6C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF41D6B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF41D70EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF41D7014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF41D670C]
SSDT splm.sys ZwEnumerateKey [0xF7335DA4]
SSDT splm.sys ZwEnumerateValueKey [0xF7336132]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF41D6C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF41D664C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF41D66B0]
SSDT splm.sys ZwQueryKey [0xF733620A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF41D6D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF41D71B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF41D6CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF41D6E70]

INT 0x62 ? 86F79BF8
INT 0x74 ? 86F48F00
INT 0x82 ? 86F79BF8
INT 0x83 ? 86F79BF8
INT 0x84 ? 86F48F00
INT 0xA4 ? 86F48F00
INT 0xB4 ? 86F48F00

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF41E3AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF41E38EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF41E3A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 86F781F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\sptd \Device\882943476 splm.sys
Device \Driver\usbohci \Device\USBPDO-0 86F421F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FBF1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86FBF1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86FBF1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86FBF1F8
Device \Driver\usbohci \Device\USBPDO-1 86F421F8
Device \Driver\usbohci \Device\USBPDO-2 86F421F8
Device \Driver\usbehci \Device\USBPDO-3 86D821F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F7A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F7A1F8
Device \Driver\Cdrom \Device\CdRom0 86E81480
Device \Driver\Cdrom \Device\CdRom1 86E81480
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F791F8
Device \Driver\atapi \Device\Ide\IdePort0 86F791F8
Device \Driver\atapi \Device\Ide\IdePort1 86F791F8
Device \Driver\atapi \Device\Ide\IdePort2 86F791F8
Device \Driver\atapi \Device\Ide\IdePort3 86F791F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 867C21F8
Device \Driver\PCI_PNP2226 \Device\0000004b splm.sys
Device \Driver\NetBT \Device\NetbiosSmb 867C21F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdir.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{F51678FD-A28D-4CB8-8132-17FC09E3AA04} 867C21F8
Device \Driver\usbohci \Device\USBFDO-0 86F421F8
Device \Driver\usbohci \Device\USBFDO-1 86F421F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 867BC1F8
Device \Driver\usbohci \Device\USBFDO-2 86F421F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 867BC1F8
Device \Driver\usbehci \Device\USBFDO-3 86D821F8
Device \Driver\Ftdisk \Device\FtControl 86F7A1F8
Device \Driver\axkpilwq \Device\Scsi\axkpilwq1Port4Path0Target0Lun0 86D761F8
Device \Driver\axkpilwq \Device\Scsi\axkpilwq1 86D761F8
Device \FileSystem\Cdfs \Cdfs 8674E1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86D0ED01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xD3 0xBB 0xF2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x58 0x7A 0xB0 0xCF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4F 0x5C 0x3B 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF9 0xE1 0xE9 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x58 0x7A 0xB0 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0B 0x3D 0xB6 0x86 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF9 0xE1 0xE9 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x58 0x7A 0xB0 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0B 0x3D 0xB6 0x86 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


HIJACKTHIS:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:58 AM, on 6/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\These Files\Utilities\Power ISO\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\User\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5064 bytes


DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 22:34:42.39 on 06/21/2010 Mon
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.1023.604 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Connection Wizard,ShellNext = hxxp://support.asus.com/download/download.aspx?SLanguage=en-us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WeatherEye] c:\documents and settings\user\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PWRISOVM.EXE] d:\these files\utilities\power iso\poweriso\PWRISOVM.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\vqrz874w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\vqrz874w.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\vqrz874w.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-5-14 164048]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-15 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-15 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-15 242896]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-15 308064]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\locals~1\temp\mvm36.tmp --> c:\docume~1\user\locals~1\temp\MVM36.tmp [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-21 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-6-3 27136]

=============== Created Last 30 ================

2010-06-22 05:10:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 05:10:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-22 05:10:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 01:42:32 0 d-----w- c:\program files\Trend Micro
2010-06-18 00:36:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-16 03:05:04 0 d--h--w- C:\$AVG
2010-06-16 02:56:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-16 02:55:59 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-16 02:55:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-16 02:55:45 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-16 02:52:47 0 d-----w- c:\program files\AVG
2010-06-13 11:15:28 0 d-----w- c:\program files\DAEMON Tools Lite
2010-06-13 11:04:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-09 06:15:22 0 d-----w- C:\Autoruns
2010-06-09 03:07:21 3656616 ----a-w- c:\windows\system32\GameMon.des
2010-06-09 03:07:13 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2010-06-09 03:07:13 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-06-09 03:07:09 0 d-----w- c:\program files\common files\INCA Shared
2010-06-08 08:51:53 47 ----a-w- c:\windows\wininit.ini
2010-06-06 05:18:08 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2010-06-06 05:18:08 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2010-06-06 05:12:43 0 d-----w- c:\program files\ESET
2010-06-04 06:59:55 0 d-----w- c:\windows\pss
2010-06-04 06:53:43 0 d-----w- c:\docume~1\user\applic~1\Uniblue
2010-06-04 05:44:12 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-04 05:37:46 0 d-----w- c:\program files\Lavasoft
2010-06-04 05:34:40 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 05:34:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-04 00:44:41 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-03 08:15:20 0 ----a-w- c:\windows\system32\Access.dat
2010-06-03 08:03:38 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-06-02 00:28:12 0 d-----w- c:\windows\system32\NtmsData
2010-06-02 00:07:06 0 d-----w- c:\temp\photosmart
2010-06-02 00:07:06 0 d-----w- C:\temp
2010-05-30 01:35:31 0 d-----w- c:\docume~1\user\applic~1\Tunngle
2010-05-30 01:35:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Tunngle
2010-05-28 08:59:32 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-28 08:58:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-28 04:29:37 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-28 04:25:14 437 --s-a-w- c:\windows\system32\101266675.dat
2010-05-27 05:45:35 0 d-----w- c:\documents and settings\user\dwhelper

==================== Find3M ====================

2010-06-22 03:08:16 45 ----a-w- c:\documents and settings\user\jagex_runescape_preferences.dat
2010-06-22 03:02:41 41 ----a-w- c:\documents and settings\user\jagex__preferences3.dat
2010-06-22 03:00:26 87 ----a-w- c:\documents and settings\user\jagex_runescape_preferences2.dat
2010-06-21 09:46:52 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-21 09:42:19 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-28 05:12:02 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-28 06:17:07 138056 ----a-w- c:\docume~1\user\applic~1\PnkBstrK.sys
2010-04-28 06:16:40 2427248 ----a-w- c:\windows\system32\pbsvc_heroes.exe

============= FINISH: 22:35:38.50 ===============

0

I think I tried to remove things in regedit, and some other stuff, but I don't know what you mean by "win.ini".

0

Why are you running two anti-virus programs? A definite no-no. Pick the one you want to keep, then completely remove the other. Two AVs confuse the system. Then sit tight and someone better at these logs than me will be along. Later---

0

OK, I removed Avast, but it was blocking some viruses almost daily while I was on my desktop with no programs open, so, yeah, I feel my computer is very vulnerable now. Somebody please help; I'm afraid that the virus will block me from going on this site, and I have some provincials coming up, so, yeah, I want to get rid of these viruses ASAP.

0

One more thing to add: I've never had "userinit.exe" during start-up, but now it pops up in Task Manager during start-up. So, yeah, removing Avast removed my really good live shield; it just sucked at removing viruses and scanning, and it was also incompatible with other stuff. I need help quick.

0

This also pops up, and then crazy lag comes after.
Something like this in a window:

Click on ok terminate the program. Click on cancel to debug program ... the instruction at "0x00000000" referenced memory at "0x00000000"

0

Best option is to format your system drive. Once your system is massively infected with malware or trojans, you cannot truly recover. Even if you do, it would be temporary.

0

The thing is, I don't know how to reinstall Windows. If I could reformat, I would, but I don't know where my Windows install disk is.

0

Well, this is probably a silly question, but I have to ask:
are you running any of your antiviruses in Safe Mode?

0

Do I have to do all that in Safe Mode? BTW, sometimes this virus changes my skin from the "blue bubbly skin of XP" to the old "Windows 98 gray squarish" skin for the windows and the taskbar with the Start button.

0

Now, when those ads tab themselves into my browser, before it reaches the page it automatically goes to google.com, which is my homepage.

0

Microsoft Malicious Software Removal Tool removed this: "Virus:Win32/Alureon.H"

0

Hello, one of your biggest problems is that you are not sticking with this. You began this thread 8 days ago. 5 days ago Biker told you to begin with a fresh running of the tools in the Read Me sticky, and finally this morning you post the info that
microsoft malicious software removal removed "Virus:Win32/Alureon.H"

There is no way you are going to get this machine cleaned if you don't stick with the clean up until it is complete. In this 8 day period have you done anything else on the computer or has it been sitting turned off? That would be the only way that the infection would have stopped spreading, if the computer was not used at all and not online.

These tools should be run in NORMAL mode unless I tell you otherwise. There is no reason to run a tool in safe mode unless it is impossible to run them in normal mode.

Please do the following, update Malwarebytes' Anti-Malware. Then run a Full Scan with it. Have it Remove Everything found and reboot the computer.

Then run the ESET Online scanner.
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Again, reboot the computer.

Next download HiJackThis and run a system scan with it. Save the log. Post back here with the Malwarebytes' Anti-Malware log, the ESET log and the HiJackThis log.

I stress again, do NOTHING else on the computer until it is pronounced fully clean.
Judy

0

- MBAM LOG

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4262

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/30/2010 6:06:50 PM
mbam-log-2010-06-30 (18-06-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 162605
Time elapsed: 20 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Application Data\Bitrix Security\ysloiyiy6.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.


- ESET ONLINE SCANNER LOG

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=357bd1ca2729114888af236fa9ed270f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-01 01:51:38
# local_time=2010-06-30 06:51:38 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 203884 203884 0 0
# compatibility_mode=1024 16777215 100 0 368821 368821 0 0
# compatibility_mode=1797 16775141 100 93 0 36921481 124485 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=41747
# found=0
# cleaned=0
# scan_time=1929


- HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:51 PM, on 6/30/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\These Files\Utilities\Power ISO\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\User\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4421 bytes
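A triage pass over a HijackThis log, as an added example that is not part of the thread and is not HijackThis's own code. HijackThis only lists what is registered; the rules below (`review`, `service_names` and the regexes are my own names, not the tool's) pull out the entries a helper reads first: BHOs with no name or no file, autorun entries whose target is missing or launches from a Temp folder, Winsock LSPs the tool could not identify, and services with no known vendor or a missing binary. The sample lines are copied from the HijackThis log posted above.

```python
"""Pull the HijackThis entries a helper would look at first.

Added example for this thread; not HijackThis's code and not from any
poster.  The triage rules are the author's own, chosen to match what the
helpers in this thread single out.  Sample lines are copied from the
HijackThis log above.
"""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# One pattern per HijackThis section that this triage looks at.
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Flag:
    section: str        # O2, O4, O10, O23
    entry: str          # the log line exactly as written
    reasons: List[str]  # why it deserves a second look


def review(log_text: str) -> List[Flag]:
    """Return the entries worth a closer look, in log order."""
    flags: List[Flag] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        reasons: List[str] = []
        if m := BHO_RE.match(line):
            name, _clsid, target = m.groups()
            if name == "(no name)":
                reasons.append("BHO registered without a name")
            if target == "(no file)":
                reasons.append("BHO DLL no longer exists (orphaned CLSID)")
        elif m := RUN_RE.match(line):
            _hive, _key, _name, command = m.groups()
            if "(file missing)" in command:
                reasons.append("autorun target is missing")
            elif "\\temp\\" in command.lower():
                reasons.append("autorun launches from a Temp folder")
        elif LSP_RE.match(line):
            reasons.append("Winsock LSP that HijackThis could not identify")
        elif m := SVC_RE.match(line):
            _display, owner, target = m.groups()
            if owner == "Unknown owner":
                reasons.append("service has no known vendor")
            if target.endswith("(file missing)"):
                reasons.append("service binary is missing")
        if reasons:
            flags.append(Flag(line.split(" - ", 1)[0], line, reasons))
    return flags


def service_names(log_text: str) -> List[str]:
    """Short service names from O23 lines, to match against the DDS service
    listing (R2/S3 lines) earlier in the thread."""
    names: List[str] = []
    for line in log_text.splitlines():
        if m := SVC_RE.match(line.strip()):
            display = m.group(1)
            inner = re.search(r"\(([^()]+)\)$", display)
            names.append(inner.group(1) if inner else display)
    return names


if __name__ == "__main__":
    for flag in review(SAMPLE_HJT):
        print(flag.section, "|", flag.entry)
        for why in flag.reasons:
            print("    -", why)
    print("services:", service_names(SAMPLE_HJT))
```

On the sample this flags the nameless BHO with no file, the unidentified LSP, and the two services with no known vendor, with GameGuard's missing binary called out separately; the Avira, Adobe and Run entries pass untouched. "Unknown owner" alone is not a verdict (PnkBstrA is PunkBuster's service, and its files appear in the Find3M list above); it is a prompt to check the file, which is why the reasons are listed rather than scored.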

0

i keep finding "(random letters)tssd.exe" in my task manager and i close them. . . . .

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-21 21:36:27
Windows 5.1.2600 Service Pack 2
Running: nxg6jws3.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kflyyfog.sys

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Sorry for the delay and runaround - we have very few regular volunteers these days.

I suggest getting right to business:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Likewise, TDSSKiller may tell you a Reboot is necessary for the cure to take effect. Press “Y” or Enter when prompted to do so.

Once it finishes, please post the C:\LogIt.txt for us. Let's see if the MSRT missed anything....

Cheers :)
PP

0

00:54:12:625 0784 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
00:54:12:625 0784 ================================================================================
00:54:12:625 0784 SystemInfo:

00:54:12:625 0784 OS Version: 5.1.2600 ServicePack: 2.0
00:54:12:625 0784 Product type: Workstation
00:54:12:625 0784 ComputerName: USER-49EF0C73D0
00:54:12:625 0784 UserName: User
00:54:12:625 0784 Windows directory: C:\WINDOWS
00:54:12:625 0784 System windows directory: C:\WINDOWS
00:54:12:625 0784 Processor architecture: Intel x86
00:54:12:625 0784 Number of processors: 1
00:54:12:625 0784 Page size: 0x1000
00:54:12:640 0784 Boot type: Normal boot
00:54:12:640 0784 ================================================================================
00:54:14:218 0784 Initialize success
00:54:14:234 0784
00:54:14:234 0784 Scanning Services ...
00:54:14:640 0784 Raw services enum returned 321 services
00:54:14:656 0784
00:54:14:656 0784 Scanning Drivers ...
00:54:15:484 0784 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:54:15:515 0784 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
00:54:15:593 0784 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
00:54:15:625 0784 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
00:54:15:671 0784 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
00:54:15:765 0784 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:54:15:796 0784 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:54:15:828 0784 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:54:15:875 0784 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:54:15:921 0784 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
00:54:15:968 0784 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
00:54:15:984 0784 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
00:54:16:000 0784 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:54:16:109 0784 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:54:16:156 0784 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:54:16:203 0784 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
00:54:16:281 0784 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:54:16:343 0784 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
00:54:16:375 0784 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
00:54:16:421 0784 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
00:54:16:437 0784 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:54:16:453 0784 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
00:54:16:484 0784 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
00:54:16:531 0784 E1000 (3044851b3c5286a908a6a4d1166328aa) C:\WINDOWS\system32\DRIVERS\e1000325.sys
00:54:16:578 0784 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
00:54:16:609 0784 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
00:54:16:625 0784 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
00:54:16:687 0784 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
00:54:16:718 0784 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
00:54:16:750 0784 FsVga (f01dd251a6725a56ba62eb2352e18d25) C:\WINDOWS\system32\DRIVERS\fsvga.sys
00:54:16:750 0784 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\fsvga.sys. Real md5: f01dd251a6725a56ba62eb2352e18d25, Fake md5: 455f778ee14368468560bd7cb8c854d0
00:54:16:750 0784 File "C:\WINDOWS\system32\DRIVERS\fsvga.sys" infected by TDSS rootkit ... 00:54:17:562 0784 Backup copy found, using it..
00:54:17:671 0784 will be cured on next reboot
00:54:17:734 0784 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:54:17:812 0784 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:54:17:921 0784 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
00:54:17:953 0784 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:54:17:984 0784 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
00:54:18:015 0784 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:54:18:046 0784 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:54:18:093 0784 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
00:54:18:171 0784 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:54:18:187 0784 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:54:18:218 0784 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
00:54:18:250 0784 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:54:18:250 0784 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:54:18:265 0784 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:54:18:281 0784 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:54:18:312 0784 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:54:18:343 0784 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:54:18:375 0784 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:54:18:390 0784 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:54:18:421 0784 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
00:54:18:453 0784 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
00:54:18:468 0784 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
00:54:18:531 0784 MidiSyn (8c7d037a53b495e7c250fd70b158b581) C:\WINDOWS\system32\drivers\MidiSyn.sys
00:54:18:578 0784 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:54:18:625 0784 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
00:54:18:687 0784 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:54:18:750 0784 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:54:18:765 0784 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
00:54:18:812 0784 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:54:18:890 0784 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:54:18:921 0784 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
00:54:18:984 0784 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:54:19:031 0784 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:54:19:046 0784 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
00:54:19:078 0784 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:54:19:125 0784 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
00:54:19:140 0784 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
00:54:19:187 0784 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
00:54:19:265 0784 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:54:19:312 0784 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:54:19:312 0784 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:54:19:343 0784 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
00:54:19:406 0784 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:54:19:437 0784 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:54:19:453 0784 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
00:54:19:515 0784 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
00:54:19:609 0784 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:54:19:890 0784 nv (406ddab2b05d94d4818e97ff050d1bc6) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
00:54:20:156 0784 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:54:20:171 0784 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:54:20:234 0784 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
00:54:20:250 0784 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
00:54:20:281 0784 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
00:54:20:328 0784 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
00:54:20:375 0784 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
00:54:20:421 0784 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:54:20:484 0784 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
00:54:20:500 0784 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:54:20:531 0784 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
00:54:20:671 0784 PnkBstrK (db7f8840c92865ca6f3d2db063a5b999) C:\WINDOWS\system32\drivers\PnkBstrK.sys
00:54:20:687 0784 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:54:20:703 0784 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
00:54:20:718 0784 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
00:54:20:750 0784 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:54:20:812 0784 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:54:20:828 0784 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:54:20:843 0784 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:54:20:843 0784 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:54:20:875 0784 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:54:20:906 0784 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:54:20:937 0784 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:54:20:968 0784 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
00:54:21:046 0784 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:54:21:078 0784 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
00:54:21:125 0784 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:54:21:171 0784 senfilt (bb596a578330ad794c6769b588af6bb4) C:\WINDOWS\system32\drivers\senfilt.sys
00:54:21:234 0784 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
00:54:21:250 0784 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
00:54:21:265 0784 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:54:21:328 0784 smwdm (0d7efa9d5bac36ea49940a8ead9990b5) C:\WINDOWS\system32\drivers\smwdm.sys
00:54:21:359 0784 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
00:54:21:406 0784 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
00:54:21:406 0784 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
00:54:21:453 0784 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
00:54:21:484 0784 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
00:54:21:531 0784 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
00:54:21:562 0784 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:54:21:578 0784 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
00:54:21:625 0784 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
00:54:21:656 0784 tap0901t (b7aee68d2e867cbf69b649b18fcedbbb) C:\WINDOWS\system32\DRIVERS\tap0901t.sys
00:54:21:687 0784 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:54:21:734 0784 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:54:21:796 0784 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
00:54:21:875 0784 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:54:21:921 0784 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
00:54:21:968 0784 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
00:54:22:015 0784 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:54:22:031 0784 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:54:22:046 0784 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:54:22:062 0784 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
00:54:22:093 0784 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:54:22:140 0784 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
00:54:22:171 0784 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
00:54:22:234 0784 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:54:22:265 0784 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
00:54:22:281 0784 Reboot required for cure complete..
00:54:22:625 0784 Cure on reboot scheduled successfully
00:54:22:625 0784
00:54:22:625 0784 Completed
00:54:22:625 0784
00:54:22:625 0784 Results:
00:54:22:625 0784 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:54:22:625 0784 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:54:22:625 0784
00:54:22:625 0784 KLMD(ARK) unloaded successfully
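Triage of a TDSSKiller log, as an added example that is not part of the thread and is not TDSSKiller's own code. It parses the line formats shown in the log above (the sample lines are copied from it) and lists every driver the tool flagged and why: a "Forged" file is one for which the tool obtained two different hashes for the same path, a "NoAccess" file is one it could not read at all, and the "will be cured on next reboot" line carries no path, so it is attached to the file reported just before it. The function and field names (`triage`, `inventory`, `results`, `needs_manual_review`, `md5_on_disk`, `md5_presented`) are my own.

```python
"""Triage a TDSSKiller log: list every driver the tool flagged and why.

Added example for this thread; it is not TDSSKiller's code and not from
any poster.  The sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Lines copied from the TDSSKiller log above (the tool's own output).
SAMPLE_LOG = r"""
00:54:15:796 0784 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:54:16:750 0784 FsVga (f01dd251a6725a56ba62eb2352e18d25) C:\WINDOWS\system32\DRIVERS\fsvga.sys
00:54:16:750 0784 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\fsvga.sys. Real md5: f01dd251a6725a56ba62eb2352e18d25, Fake md5: 455f778ee14368468560bd7cb8c854d0
00:54:16:750 0784 File "C:\WINDOWS\system32\DRIVERS\fsvga.sys" infected by TDSS rootkit ... 00:54:17:562 0784 Backup copy found, using it..
00:54:17:671 0784 will be cured on next reboot
00:54:21:406 0784 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
00:54:21:406 0784 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
00:54:22:625 0784 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line is "hh:mm:ss:ms pid message"; the other patterns parse the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((\w+)\): (.+?)\. "
    r"(?:Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})|md5: ([0-9a-f]{32}))")
INFECTED_RE = re.compile(r'^File "(.+?)" infected by (.+?) \.\.\.')
CURE_RE = re.compile(r"^will be cured on next reboot")
RESULTS_RE = re.compile(
    r"^File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


@dataclass
class Finding:
    path: str
    kind: str                            # TDSSKiller's label: Forged or NoAccess
    md5_on_disk: Optional[str] = None    # "Real md5" (plain "md5" for NoAccess)
    md5_presented: Optional[str] = None  # "Fake md5": the hash the file claimed
    infected_by: Optional[str] = None
    cured_on_reboot: bool = False


def _messages(log_text: str):
    """Yield the message part of each well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1)


def inventory(log_text: str) -> Dict[str, str]:
    """Path -> md5 for every driver enumerated, for comparison with a known-good baseline."""
    return {m.group(3): m.group(2)
            for msg in _messages(log_text) if (m := DRIVER_RE.match(msg))}


def triage(log_text: str) -> Dict[str, Finding]:
    """Flagged drivers keyed by path, in the order TDSSKiller reported them."""
    findings: Dict[str, Finding] = {}
    last_infected: Optional[str] = None
    for msg in _messages(log_text):
        if s := SUSPICIOUS_RE.match(msg):
            kind, path, real, fake, single = s.groups()
            findings[path] = Finding(path, kind, md5_on_disk=real or single,
                                     md5_presented=fake)
        elif i := INFECTED_RE.match(msg):
            path, family = i.groups()
            findings.setdefault(path, Finding(path, "Infected")).infected_by = family
            last_infected = path
        elif CURE_RE.match(msg) and last_infected:
            # The cure line carries no path; it refers to the file just reported.
            findings[last_infected].cured_on_reboot = True
    return findings


def results(log_text: str) -> Optional[Tuple[int, int, int]]:
    """(infected, cured, cured on reboot) from the tool's own summary line."""
    for msg in _messages(log_text):
        if r := RESULTS_RE.match(msg):
            return tuple(int(x) for x in r.groups())  # type: ignore[return-value]
    return None


def needs_manual_review(findings: Dict[str, Finding]):
    """NoAccess only says the file could not be read; it is not a verdict, so
    those paths go to a human.  (sptd.sys is DAEMON Tools' driver; it appears in
    the 'Created Last 30' list above on the same day DAEMON Tools Lite was installed.)"""
    return [f.path for f in findings.values() if f.kind == "NoAccess"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found.values():
        print(f"{f.kind:8} {f.path}  disk={f.md5_on_disk}  presented={f.md5_presented}"
              f"  by={f.infected_by}  cure-on-reboot={f.cured_on_reboot}")
    print("manual review:", needs_manual_review(found))
    print("summary (infected/cured/on reboot):", results(SAMPLE_LOG))
```

Run on the sample, `triage` returns fsvga.sys as Forged, infected by "TDSS rootkit" and scheduled for cure on reboot, and sptd.sys as NoAccess with no verdict; `results` returns (1, 0, 1), matching the tool's own summary that PP quotes in the next reply. Keeping both hashes of a Forged file is deliberate: a second scan after the reboot should report a single hash for that path, and `inventory` gives the list to compare it against.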

0

TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
00:54:22:625 0784 Results:
00:54:22:625 0784 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:54:22:625 0784 File objects infected / cured / cured on reboot: 1 / 0 / 1

Great - That should have helped.

In this case, I'd like to go with another step as well:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for us.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Cheers :)
PP

0

ComboFix 10-07-01.02 - User 1/2010 Thu 20:19:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.1023.696 [GMT -7:00]
執行位置: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

注意 - 這台電腦沒有安裝恢復控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\101266675.dat

.
((((((((((((((((((((((((( 2010-06-02 至 2010-07-02 的新的檔案 )))))))))))))))))))))))))))))))
.

2010-07-01 11:59 . 2010-07-01 11:59 -------- d-sh--w- c:\documents and settings\User\IETldCache
2010-07-01 11:52 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-01 11:51 . 2010-07-01 11:52 -------- dc-h--w- c:\windows\ie8
2010-07-01 11:36 . 2010-07-01 11:36 -------- d-----w- c:\windows\ServicePackFiles
2010-07-01 11:12 . 2010-07-01 11:24 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-07-01 11:10 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-01 11:10 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-01 11:10 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-01 11:09 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-01 11:08 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-01 11:08 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-07-01 11:08 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-01 11:01 . 2010-07-01 21:37 -------- d--h--w- c:\windows\$hf_mig$
2010-06-30 13:41 . 2010-06-30 13:41 -------- d-----w- C:\6d6fec24c587bb10b8c9b7edce9b
2010-06-29 19:08 . 2010-06-29 19:08 -------- d-----w- c:\documents and settings\User\Application Data\Bitrix Security
2010-06-29 19:07 . 2010-06-29 19:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-06-28 05:11 . 2010-06-28 05:11 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2010-06-25 07:04 . 2010-06-25 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-25 07:04 . 2010-06-25 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-25 07:04 . 2010-06-25 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-25 06:22 . 2010-06-25 06:22 -------- d-----w- c:\windows\system32\Adobe
2010-06-25 05:28 . 2010-06-25 05:28 -------- d-----w- C:\8fe27ed9d9a8cc5e305f66db0ccf14ac
2010-06-25 05:06 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-25 05:06 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-25 05:06 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-25 05:06 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-25 05:06 . 2010-06-25 05:06 -------- d-----w- c:\program files\Avira
2010-06-25 05:06 . 2010-06-25 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-22 05:10 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 05:10 . 2010-06-22 05:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 05:10 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-22 01:42 . 2010-06-22 01:42 -------- d-----w- c:\program files\Trend Micro
2010-06-22 01:11 . 2010-06-24 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\tydiqncxy
2010-06-20 08:09 . 2010-06-20 08:09 71536 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 05:57 . 2010-06-20 06:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ijmxklmrf
2010-06-18 00:36 . 2010-06-18 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-16 02:52 . 2010-06-16 02:52 -------- d-----w- c:\program files\AVG
2010-06-13 11:15 . 2010-06-13 11:15 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-13 11:04 . 2010-06-13 11:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-09 06:15 . 2010-06-09 06:15 -------- d-----w- C:\Autoruns
2010-06-09 03:07 . 2005-01-01 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-06-09 03:07 . 2010-06-09 03:07 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-06-08 07:32 . 2010-06-08 07:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-06-08 06:29 . 2010-06-08 06:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-06-08 06:01 . 2010-06-08 06:01 71536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-08 06:00 . 2010-06-08 06:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-06-08 05:36 . 2010-06-08 05:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-06 05:18 . 2008-03-04 01:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2010-06-06 05:18 . 2008-03-03 21:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2010-06-06 05:12 . 2010-07-01 01:17 -------- d-----w- c:\program files\ESET
2010-06-06 05:12 . 2010-06-06 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-06-04 10:40 . 2010-06-05 05:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fsacaalvt
2010-06-04 06:53 . 2010-06-04 06:53 -------- d-----w- c:\documents and settings\User\Application Data\Uniblue
2010-06-04 05:44 . 2010-06-04 05:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-04 05:37 . 2010-06-09 02:11 -------- d-----w- c:\program files\Lavasoft
2010-06-04 05:37 . 2010-06-09 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-04 05:34 . 2010-06-17 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 05:34 . 2010-06-17 08:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-03 08:15 . 2010-06-03 08:15 0 ----a-w- c:\windows\system32\Access.dat
2010-06-03 08:03 . 2009-09-16 14:02 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys

.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 21:24 . 2010-03-10 07:59 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-01 21:16 . 2010-03-10 07:56 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-01 07:55 . 2001-08-17 13:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2010-06-29 19:07 . 2009-11-24 07:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 06:51 . 2009-06-18 07:57 46 ----a-w- c:\documents and settings\User\jagex_runescape_preferences.dat
2010-06-26 10:30 . 2010-04-01 01:58 41 ----a-w- c:\documents and settings\User\jagex__preferences3.dat
2010-06-26 10:26 . 2009-09-02 23:22 99 ----a-w- c:\documents and settings\User\jagex_runescape_preferences2.dat
2010-06-18 00:41 . 2009-05-15 03:59 -------- d-----w- c:\program files\Alwil Software
2010-06-18 00:16 . 2009-05-18 00:17 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-06-15 02:57 . 2009-11-11 12:50 -------- d-----w- c:\documents and settings\User\Application Data\Uzvyw
2010-06-07 01:31 . 2009-11-08 00:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-06-03 08:27 . 2010-05-30 01:35 -------- d-----w- c:\documents and settings\User\Application Data\Tunngle
2010-06-01 01:24 . 2010-06-01 01:24 48388 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-06-01 01:24 . 2010-04-03 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-05-30 01:35 . 2010-05-30 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Tunngle
2010-05-28 08:59 . 2010-05-28 08:59 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-05-28 08:58 . 2010-05-28 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-28 05:12 . 2010-03-10 06:27 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-28 04:29 . 2010-05-28 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-28 04:25 . 2010-05-28 04:25 4 ----a-w- c:\documents and settings\NetworkService\Application Data\ovczpx.dat
2010-05-12 22:27 . 2010-05-12 08:13 -------- d-----w- c:\documents and settings\User\Application Data\Ventrilo
2010-05-12 08:11 . 2010-03-09 18:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-11 09:09 . 2009-05-15 04:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 02:43 . 2010-05-03 04:04 -------- d-----w- c:\documents and settings\User\Application Data\Mumble(PR Edition)
2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 06:17 . 2010-04-28 06:17 138056 ----a-w- c:\documents and settings\User\Application Data\PnkBstrK.sys
2010-04-28 06:17 . 2010-04-28 06:17 138056 ----a-w- c:\documents and settings\User\Application Data\PnkBstrK.sys
2010-04-28 06:16 . 2010-04-28 06:16 2427248 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-04-28 05:31 . 2010-04-28 05:31 85504 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-04-25 23:12 . 2010-04-25 23:12 77312 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 08:44 . 2010-04-12 08:44 59388 ----a-w- c:\windows\system32\drivers\scdemu.sys
.

((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\User\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="d:\these files\Utilities\Power ISO\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-07-27 15:38 133104 ----atw- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 08:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 07:30 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2004-09-23 20:41 860160 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 17:11 1388544 ------w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Torrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Apps\\2.0\\D9ANM424.GKX\\3LODVQVE.MQT\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"d:\\These Files\\Games\\Garena\\Garena.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\User\\Desktop\\BF2\\EA GAMES\\Battlefield 2\\BF2.exe"=
"d:\\These Files\\Games\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\These Files\\Games\\Battlefield\\BF2VoipServer.exe"=
"d:\\These Files\\Games\\Battlefield\\BF2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\These Files\\Games\\Gunbound\\softnyx\\GunboundS2\\GunBound.gme"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/24/2010 10:06 PM 135336]
S1 MpKsl15ca1011;MpKsl15ca1011;\??\c:\windows\system32\MpEngineStore\MpKsl15ca1011.sys --> c:\windows\system32\MpEngineStore\MpKsl15ca1011.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\MVM36.tmp --> c:\docume~1\User\LOCALS~1\Temp\MVM36.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [6/3/2010 1:03 AM 27136]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2010 4:04 AM 691696]
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-2025429265-839522115-1003Core1cac6561a13bd0e.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-27 15:38]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-2025429265-839522115-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-27 15:38]

2010-07-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-07-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Connection Wizard,ShellNext = hxxp://support.asus.com/download/download.aspx?SLanguage=en-us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vqrz874w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vqrz874w.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vqrz874w.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- Firefox Configuration Files ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\MVM36.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-07-01 20:23:43
ComboFix-quarantined-files.txt 2010-07-02 03:23

Pre-Run: 83,497,480,192 bytes free
Post-Run: 83,698,532,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe

- - End Of File - - D6A72FF27AC1C29DE659F530B31C569A


BTW, some of my things are in Chinese; how do I make my whole thing English only?


I was just going to ask you...why the Chinese? I have never seen this before in a combofix log. Where did you download combofix from?


Same site as mentioned, but my default fundamental settings are Chinese or something; a lot of other basic things are Chinese. I need help changing it. I had a hard time reading the instructions; luckily I read the instructions beforehand on the site carefully, like it said. LOL


Same site as mentioned, but my default fundamental settings are Chinese or something; a lot of other basic things are Chinese. I need help changing it. I had a hard time reading the instructions; luckily I read the instructions beforehand on the site carefully, like it said. LOL

That is bizarre.

Let's first remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK


-- Did you check in Control Panel > Language&Region Options? Maybe you can change it there?

I will be away much of the weekend - will try to check back as time permits. Judy may be around to offer a suggestion or two....

Cheers :)
PP


It was the Unicode things that were in Chinese; I got it in English now, thanks.


Update MBA-M and run another Full Scan with it. Allow it to remove everything found. Reboot the system.
Then run a new HJT scan, post back with both logs.
Judy


- MBA-M

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4272

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/3/2010 1:42:17 PM
mbam-log-2010-07-03 (13-42-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 174562
Time elapsed: 29 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


- HiJackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:06 PM, on 7/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.asus.com/download/download.aspx?SLanguage=en-us
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\These Files\Utilities\Power ISO\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\User\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\These Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5338 bytes
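As an added example (not code from this thread, from ComboFix or from HijackThis), here is the kind of mechanical first pass a helper does over logs like the two above. It runs a few heuristics over lines copied from the ComboFix and HijackThis output in this thread: random-letter folders in a service account's Application Data (NetworkService and LocalService normally create nothing there), services or autoruns whose image lives in a Temp directory, orphaned BHO/service entries, and a start page that is not the IE default. The rule names, the "random name" test and the set of expected start-page hosts are my own assumptions; a hit means the line deserves a look, not that it is malware.

```python
"""Heuristic triage of ComboFix / HijackThis log lines (added example; assumptions noted inline)."""
import re

VOWELS = set("aeiou")
# ComboFix service rows (R0/S3 ...) and HijackThis autorun/service rows are the load points we care about.
LOAD_POINT = re.compile(r"^(?:[RS]\d |O4 |O23 )")
# Windows service accounts almost never create per-user Application Data folders themselves.
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")
# Assumption: go.microsoft.com is the only start page treated as the IE default (matches the R1 lines above).
EXPECTED_START_HOSTS = {"go.microsoft.com"}

# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
2010-06-22 01:11 . 2010-06-24 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\tydiqncxy
2010-06-04 10:40 . 2010-06-05 05:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fsacaalvt
2010-06-25 05:06 . 2010-06-25 05:06 -------- d-----w- c:\program files\Avira
2010-05-28 04:25 . 2010-05-28 04:25 4 ----a-w- c:\documents and settings\NetworkService\Application Data\ovczpx.dat
2010-06-15 02:57 . 2009-11-11 12:50 -------- d-----w- c:\documents and settings\User\Application Data\Uzvyw
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\MVM36.tmp --> c:\docume~1\User\LOCALS~1\Temp\MVM36.tmp [?]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
"""


def extract_path(line):
    """Pull the first drive-letter path out of a log line, trimming ComboFix/HJT trailers."""
    m = re.search(r'[a-z]:\\[^"]*', line, re.I)
    if not m:
        return None
    path = m.group(0)
    for trailer in (" -->", " (file missing)", " [", ";"):
        path = path.split(trailer)[0]
    return path.rstrip()


def looks_random(name):
    """Crude 'random letters' test on a leaf name: letters only, 5+ chars, and either a
    4+ consonant run or fewer than 25% vowels. Tuned on the names in this log; it misses
    some (fsacaalvt) and will false-positive on some real product names, so a hit means
    'review', never 'malicious'."""
    stem = name.lower().split(".")[0]
    if not stem.isalpha() or len(stem) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest_run >= 4 or vowel_ratio < 0.25


def triage_line(line):
    """Return the rule names that fire on one ComboFix or HijackThis line."""
    rules = []
    low = line.lower()
    path = extract_path(line)
    if path:
        p = path.lower()
        leaf = p.rsplit("\\", 1)[-1]
        if LOAD_POINT.match(line) and "\\temp\\" in p:
            rules.append("load-point-in-temp")        # code launched from a Temp directory
        if any(acct in p for acct in SERVICE_PROFILES) and "\\application data\\" in p:
            rules.append("service-account-profile")   # data dropped into NetworkService/LocalService
        if "\\application data\\" in p and looks_random(leaf):
            rules.append("random-name")               # gibberish folder/file name in a profile
    if "(no file)" in low or "(file missing)" in low:
        rules.append("orphaned-entry")                # registry points at something that is gone
    if "start page" in low:
        host = re.search(r"h(?:xx|tt)ps?://([^/\s]+)", low)
        if host and host.group(1) not in EXPECTED_START_HOSTS:
            rules.append("start-page-changed")        # home page is not the IE default
    return rules


def triage(log_text):
    """Run every rule over every non-empty line; returns (rule, line) pairs."""
    return [(rule, line.strip()) for line in log_text.splitlines()
            if line.strip() for rule in triage_line(line.strip())]


def rules_for(needle, log_text=SAMPLE_LOG):
    """Set of rule names that fired on lines containing `needle`."""
    return {rule for rule, line in triage(log_text) if needle in line}


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line[:90]}")
```

The location rule is the one that matters most on this log: `service-account-profile` catches fsacaalvt even though the name test does not, which is why layering a where-is-it rule over a what-is-it-called rule beats either alone. Run the file directly to print the flagged lines.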
