
However, I'd like to go back and state all of my problems prior.

I got two versions of the "Windows XP" spyware virus that pretends to scan your computer initially.

I managed to get rid of both by figuring out the process tree and ending them, then using AVG to quarantine them.

From then on, I started to have more issues.

My first big sign was that I would restart my computer, and Windows XP Professional would stall upon loading my background screen: no taskbar, no desktop icons... and the computer sounded like it was working hard.

I downloaded BitDefender and used it for 3 days maybe? It seemed to do more harm than good, as I started getting redirected every time I surfed the web; I uninstalled it and things went back to normal.

However, the stalling continued. I ran msconfig and disabled most things upon start up.

This is where the taskbar greying began, and losing my sound in Winamp initially, then further, on the computer.

I scanned with Malwarebytes, got rid of like 20 infections and got nowhere.

Since then, I've done a whole random assortment of trying to get my audio back, which is working for now (seemed I had a conflict with my ATI vs Realtek audio preferences), but the minute the taskbar goes grey, I lose audio anyway.

So I went to your Read Me first and downloaded all of the software required to proceed.

Have run Windows XP malware (clean), ran ATF (emptied) and have a log from GMER:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit quick scan 2011-05-17 22:04:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3500320AS rev.SD15
Running: g6thnxfy.exe; Driver: C:\DOCUME~1\ADMINI~1.EXP\LOCALS~1\Temp\pwryqfow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- System - GMER 1.0.15 ----

SSDT spyv.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spyv.sys ZwEnumerateValueKey [0xB7ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B00333B
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B00333B
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B00333B
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B00333B
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8B00333B
Device \Driver\atapi \Device\Ide\IdePort4 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8B00333B
Device \Driver\atapi \Device\Ide\IdePort5 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T1L0-16 8B00333B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-16 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 8B00333B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1Port6Path0Target1Lun0 8AE9D248
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1Port6Path0Target0Lun0 8AE9D248
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1 8AE9D248
Device \Driver\adu1hjao \Device\Scsi\adu1hjao1 8ADC11F8
Device \FileSystem\Ntfs \Ntfs 8B1491F8
Device \FileSystem\Fastfat \Fat 8ACDC1F8

---- EOF - GMER 1.0.15 ----


Didn't want to make any further moves forward without some discussion.

All help is appreciated in advance. (I'd buy you all a round if I could for the selflessness)


You said you completed the steps in the Read Me sticky, there should be more logs to post, the MBA-M log, the two DDS logs and the GMER log #2. All should be copy/pasted.
You stated that you had AVG on the computer and then you installed Bit Defender, did you UNINSTALL AVG first? If not, you should have done so. The absolute rule is ONE anti-virus program should be run at a time on the computer. More than one can cause major problems.
AVG would NOT have removed the Fake Alert infections; it is not configured to do so. Those are trojans, and most anti-virus programs are not set up to do so. They can remove other viruses brought in by these trojans but cannot remove the trojans themselves.
We need to see the MBA-M log that removed infections, also the AVG log if one is available. You also need to run the DDS Scanner and post both of the logs it will give you. You also need to post the second log produced by GMER.


0

If you had simply used Malwarebytes to remove the malware you had, you wouldn't have this problem.

Listen to Jholland.


0

I did use Malwarebytes, and it did nothing to the issue, but I will proceed as instructed. I will remove AVG, and run another Malwarebytes scan and the others as well.

0

Malwarebytes' is just ONE of the necessary steps we require. There is NO magic bullet to remove these infections, most require many steps for removal.
The choice is yours, if you truly want assistance then you should follow the steps, if you don't feel that you want to follow all the requested steps then please say so that valuable time is not wasted.

I am going to post again exactly what we require ALL posters to do in order to receive assistance:
You must follow all of the steps given in the Read Me Sticky.

In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please adhere to our rules and complete the following steps before posting a request for help:

When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested) these requested scanlogs:

• MalwareBytes’ Anti-Malware log
• GMER One.log and GMER Two.log
• BOTH DDS ScanLogs (DDS.txt & Attach.txt)

People may feel this is unnecessary, we would not make these requests if the logs weren't necessary for us to see. These logs will show us what infections were or are present. They help us make decisions what additional steps will need to be taken to remove the infections.


0

GMER #2 log

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-18 01:15:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3500320AS rev.SD15
Running: g6thnxfy.exe; Driver: C:\DOCUME~1\ADMINI~1.EXP\LOCALS~1\Temp\pwryqfow.sys


---- Kernel code sections - GMER 1.0.15 ----

? spyv.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB6CA1000, 0x2131F7, 0xE8000020]
.text USBPORT.SYS!DllUnload B6C5B8AC 5 Bytes JMP 8ADF61D8
.text adu1hjao.SYS B6BBA386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text adu1hjao.SYS B6BBA3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text adu1hjao.SYS B6BBA3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text adu1hjao.SYS B6BBA3C9 1 Byte [2E]
.text adu1hjao.SYS B6BBA3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text aaguzzmj.SYS B6B55384 1 Byte [20]
.text aaguzzmj.SYS B6B55384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text aaguzzmj.SYS B6B553AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text aaguzzmj.SYS B6B553C4 3 Bytes [00, 00, 00]
.text aaguzzmj.SYS B6B553C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\Explorer.EXE[2304] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[2304] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 016D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2948] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 016E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2948] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0167000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B1491F8
Device \FileSystem\Fastfat \FatCdrom 8ACDC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B05C1015-FB47-462A-BCBA-EE3DF419EF30} 8AD751F8
Device \Driver\sptd \Device\3454808824 spyv.sys
Device \Driver\usbuhci \Device\USBPDO-0 8AEF11F8
Device \Driver\usbuhci \Device\USBPDO-1 8AEF11F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B0D91F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B0D91F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B0D91F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B0D91F8
Device \Driver\usbuhci \Device\USBPDO-2 8AEF11F8
Device \Driver\PCI_PNP5074 \Device\00000046 spyv.sys
Device \Driver\usbehci \Device\USBPDO-3 8ADE71F8
Device \Driver\PCI_PNP5074 \Device\00000047 spyv.sys
Device \Driver\usbuhci \Device\USBPDO-4 8AEF11F8
Device \Driver\usbuhci \Device\USBPDO-5 8AEF11F8
Device \Driver\sptd \Device\3454965074 spyv.sys
Device \Driver\usbuhci \Device\USBPDO-6 8AEF11F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B14B1F8
Device \Driver\usbehci \Device\USBPDO-7 8ADE71F8
Device \Driver\Cdrom \Device\CdRom0 8ADC71F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B00333B
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B00333B
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B00333B
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B00333B
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8B00333B
Device \Driver\atapi \Device\Ide\IdePort4 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8B00333B
Device \Driver\atapi \Device\Ide\IdePort5 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T1L0-16 8B00333B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-16 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 8B00333B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8ADC71F8
Device \Driver\Cdrom \Device\CdRom2 8ADC71F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AD751F8
Device \Driver\NetBT \Device\NetbiosSmb 8AD751F8
Device \Driver\usbuhci \Device\USBFDO-0 8AEF11F8
Device \Driver\usbuhci \Device\USBFDO-1 8AEF11F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AEA6500
Device \Driver\usbuhci \Device\USBFDO-2 8AEF11F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AEA6500
Device \Driver\usbehci \Device\USBFDO-3 8ADE71F8
Device \Driver\usbuhci \Device\USBFDO-4 8AEF11F8
Device \Driver\Ftdisk \Device\FtControl 8B14B1F8
Device \Driver\usbuhci \Device\USBFDO-5 8AEF11F8
Device \Driver\usbuhci \Device\USBFDO-6 8AEF11F8
Device \Driver\usbehci \Device\USBFDO-7 8ADE71F8
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1Port6Path0Target1Lun0 8AE9D248
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1 8AE9D248
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1Port6Path0Target0Lun0 8AE9D248
Device \Driver\adu1hjao \Device\Scsi\adu1hjao1 8ADC11F8
Device \FileSystem\Fastfat \Fat 8ACDC1F8
Device \FileSystem\Cdfs \Cdfs 8A8A8368

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFD 0xDA 0x56 0x1A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0x83 0x5C 0x1A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x62 0x7D 0x0F 0x6B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x57 0xE9 0x6A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xC8 0xE1 0xEC 0xA9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x24 0x92 0xA3 0x9E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x6B 0xF2 0x3A 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFD 0xDA 0x56 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0x83 0x5C 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x62 0x7D 0x0F 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x57 0xE9 0x6A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xC8 0xE1 0xEC 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x24 0x92 0xA3 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x6B 0xF2 0x3A 0x55 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFD 0xDA 0x56 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0x83 0x5C 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x62 0x7D 0x0F 0x6B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x57 0xE9 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xC8 0xE1 0xEC 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x24 0x92 0xA3 0x9E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x6B 0xF2 0x3A 0x55 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

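The two GMER logs posted above (the quick scan in the first post and this full scan) are read by hand in this thread. As an added example, not part of the original thread and not code from GMER, the Python script below parses the line formats visible in those logs and applies the checks an analyst applies when eyeballing them: SSDT entries redirected into a driver, a DriverStartIo hook on \Driver\atapi, a loaded driver whose file cannot be found on disk, eight-character random-looking driver names, inline JMP hooks on ntdll exports inside user processes, and MBR read failures. The sample log embedded in the script is constructed from a handful of lines in the same format as the logs above; the severity levels, the regexes and the "random-looking name" rule are assumptions made for the example. Note that the log above itself shows spyv.sys backing the \Driver\sptd devices, and sptd configuration for Alcohol 120 and DAEMON Tools Lite in the registry section, so a hit from a heuristic like this is a lead to verify against the driver's file and signature, not a verdict.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's code).

Severity levels, regexes and the "random-looking driver name" rule are
assumptions made for this example; verify every hit against the driver's
file signature and publisher before acting on it.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same line format as the GMER logs in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT spyv.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spyv.sys ZwEnumerateValueKey [0xB7ECE132]
---- Kernel code sections - GMER 1.0.15 ----
? spyv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B6C5B8AC 5 Bytes JMP 8ADF61D8
.text adu1hjao.SYS B6BBA386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[2304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B00333B
Device \Driver\aaguzzmj \Device\Scsi\aaguzzmj1 8AE9D248
Device \FileSystem\Ntfs \Ntfs 8B1491F8
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0
"""

HEX8 = r"[0-9A-F]{8}"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[0x[0-9A-Fa-f]+\]")
MISSING_FILE_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file")
KERNEL_JMP_RE = re.compile(rf"^\.text\s+(?P<module>[^\s!]+)!(?P<func>\w+)\s+{HEX8}\s+\d+\s+Bytes\s+JMP\s+(?P<target>{HEX8})")
KERNEL_PATCH_RE = re.compile(rf"^\.text\s+(?P<module>[^\s!]+)\s+{HEX8}\s+(?P<n>\d+)\s+Bytes")
USER_HOOK_RE = re.compile(rf"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+)!(?P<func>\w+)\s+{HEX8}\s+\d+\s+Bytes\s+JMP\s+(?P<target>{HEX8})")
DEVICE_RE = re.compile(r"^Device\s+\\Driver\\(?P<driver>\S+)\s+(?:->\s+(?P<hooked>\w+)\s+)?(?P<device>\\\S+)")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<msg>MBR read error|MBR BIOS signature not found)")
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")
KNOWN_8CHAR_DRIVERS = {"classpnp", "kbdclass", "mouclass"}  # assumed allowlist, not exhaustive


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str
    line: str
    reason: str


def random_name(module: str) -> bool:
    """True for names like aaguzzmj / adu1hjao; sptd-based tools use these too."""
    base = module.lower().rsplit(".", 1)[0]
    return bool(RANDOM_NAME_RE.match(base)) and base not in KNOWN_8CHAR_DRIVERS


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and collect suspicious entries."""
    findings: list[Finding] = []
    section = "header"
    line = ""

    def hit(sev: str, why: str) -> None:  # closes over the current section and line
        findings.append(Finding(sev, section, line, why))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif section == "System" and (m := SSDT_RE.match(line)):
            # GMER lists only SSDT slots that no longer point into the kernel image.
            hit("high", f"SSDT {m['func']} redirected into {m['module']} (AV/HIPS hook too; verify the driver)")
        elif section == "Kernel code sections":
            if m := MISSING_FILE_RE.match(line):
                hit("high", f"{m['module']} is loaded but its file cannot be found on disk")
            elif m := KERNEL_JMP_RE.match(line):
                hit("info", f"inline JMP in {m['module']}!{m['func']} to {m['target']}; check which module owns the target")
            elif (m := KERNEL_PATCH_RE.match(line)) and random_name(m["module"]):
                hit("medium", f"{m['n']} patched bytes in random-looking driver {m['module']} (sptd does this too)")
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            hit("info", f"{m['proc']} (pid {m['pid']}): {m['dll']}!{m['func']} hooked, JMP to {m['target']}")
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            if m["hooked"] == "DriverStartIo" and m["driver"].lower() == "atapi":
                hit("high", f"DriverStartIo of \\Driver\\atapi hooked for {m['device']}: disk I/O interception typical of TDL3")
            elif not m["hooked"] and random_name(m["driver"]):
                hit("medium", f"device owned by random-looking driver {m['driver']} (sptd/DAEMON Tools do this too)")
        elif section == "Disk sectors" and (m := DISK_RE.match(line)):
            hit("high", f"{m['msg']} on {m['device']}: sector reads are being blocked or filtered")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(results))
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file contents. The atapi DriverStartIo hook and the MBR read error are the two findings that matter most here because they are exactly what a disk-level rootkit needs in order to hide its own sectors; the random-name and SSDT findings are deliberately lower confidence because sptd and most anti-virus products produce the same artefacts on a clean machine.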

Opened DDS; it gave me the opening window... but did nothing further. Any advice?


Humour me then, as I tried to initiate a scan but couldn't find any window to prompt me in such a way.


Me[kk]A, please ignore comments by Portgas D. Ace, he obviously has NO "magic bullet" either as insults can never be mistaken for intelligence.

Now back to the business at hand, have you attempted to run DDS in Safe Mode?

I would like you to run this tool. Follow the directions exactly:

Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer
Run the TDSSKiller.exe file;
Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.

The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.

If the utility detects an infection with the MBR bootkit, it will report that it has detected an infected object of type “Physical drive” and prompt for action:

Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
Skip.
Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.

After reboot then please copy/paste the log back here.


Votes + Comments
When I am being insultatious you will know. That was being modest about my own ability, nobody else's.
Helpful, polite. Pay it forward!

No worries about the other guy, I'm used to keyboard warriors on the other forums I frequent =D.

I have just never delved this far into a PC, so running blind as I go along. I'm very thankful for the help.

DDS ran in safe mode. Here are both logs.

.
DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
Run by Administrator at 19:27:33.95 on Wed 05/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
.
============== Running Processes ===============
.
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.EXPERIEN-5C742D\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users.windows\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAA0ADMAOQAwADUANwA3ADgALQBUADIAMwAtAEsAVgAzACsANwAtAEIAQQArADEALQBYAEwAKwAxAC0ARgBQADkAMgArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0AMQAwAEIAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA"&"prod=90"&"ver=9.0.894
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: StartMenuFavorites = 0 (0x0)
mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)
mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)
mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)
mPolicies-explorer: Start_ShowRun = 1 (0x1)
mPolicies-explorer: Start_ShowSearch = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247761775343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1.exp\applic~1\mozilla\firefox\profiles\wug9wm07.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c6a6f83&v=6.103.018.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R? ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter
R? Ambfilt;Ambfilt
R? GEST Service;GEST Service for program management.
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? SSPORT;SSPORT
R? StarWindServiceAE;StarWind AE Service
.
=============== Created Last 30 ================
.
2072-04-03 12:13:14 607296 ------w- c:\program files\microsoft games\age of empires iii\deformerdllyD.dll
2071-07-25 08:13:30 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2011-05-17 22:03:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 21:26:58 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-05-17 21:26:58 359016 ----a-w- c:\windows\vncutil.exe
2011-05-17 21:26:58 129640 ----a-w- c:\windows\RtkAudioService.exe
2011-05-17 21:26:55 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-05-17 21:26:55 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-05-16 23:51:39 -------- d-----w- c:\docume~1\admini~1.exp\applic~1\Malwarebytes
2011-05-16 23:51:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 23:51:34 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-16 23:51:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 23:51:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 01:09:52 -------- d-----w- c:\program files\Winamp Detect
2011-05-10 01:11:10 -------- d-----w- c:\docume~1\admini~1.exp\applic~1\BitDefender
2011-05-06 03:52:59 59888 ------w- c:\windows\system32\pxwma.dll
2011-05-05 22:05:25 -------- d-----w- c:\docume~1\admini~1.exp\locals~1\applic~1\Temp
2011-05-01 03:20:23 -------- d-----w- c:\program files\MSSOAP
2011-05-01 03:02:48 -------- d-----w- c:\docume~1\admini~1.exp\applic~1\QuickScan
2011-05-01 03:02:24 -------- d-----w- c:\program files\common files\BitDefender
2011-05-01 02:55:45 626263 ----a-w- c:\docume~1\alluse~1.win\applic~1\bdinstall.bin
.
==================== Find3M ====================
.
2011-05-18 18:02:58 16608 ----a-w- c:\windows\gdrv.sys
2011-05-17 21:26:52 319488 ----a-w- c:\windows\HideWin.exe
2011-04-14 17:36:24 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe
2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe
2011-02-25 23:37:00 1284712 ----a-w- c:\windows\RtlExUpd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500320AS rev.SD15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AFCE4F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8afd47d0]; MOV EAX, [0x8afd484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B050AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8AFE79E8]
5 ACPI[0xB7E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFE7D98]
\Driver\atapi[0x8AFDCE50] -> IRP_MJ_CREATE -> 0x8AFCE4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AFCE33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:30:58.03 ===============


and the DDS Attach log

.
==== Installed Programs ======================
.
µTorrent
3D Home Architect Design Suite Deluxe 8
7-Zip 4.65
AAC Decoder
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Lightroom 2.6
Adobe Reader 9.2
Adobe Shockwave Player 11
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
ATI Display Driver
ATI Problem Report Wizard
AutoUpdate
BlackBerry Desktop Software 6.0
BlackBerry Device Software Updater
Brother MFL-Pro Suite
Browser Configuration Utility
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner (remove only)
CourseSmart Bookshelf
Critical Update for Windows Media Player 11 (KB959772)
Defraggler
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
Energy Saver Advance B8.0711.1
Fraps (remove only)
Free WMA to MP3 Converter 1.16
Google Earth Plug-in
Google Update Helper
GPL MPEG-1/2 DirectShow Decoder Filter
H.264 Decoder
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) 6 Update 24
king.com (remove only)
Maintenance Samsung ML-2525W Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft SOAP Toolkit 3.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
MKV Splitter
Mozilla Firefox (3.5.19)
MS Access 97 SP2
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
MSXML4 Parser
Nero 7 Ultra Edition
neroxml
OpenOffice.org 3.2
PaperPort Image Printer
Picasa 3
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
ScanSoft PaperPort 11
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SimCity 3000 Unlimited
Skins
Spelling Dictionaries Support For Adobe Reader 9
Starcraft
StarCraft II
SuperMemo UX - Polish Phrase Book
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VCRedistSetup
WebFldrs XP
WinAce Archiver
Winamp
Winamp Detector Plug-in
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
WinZip 12.0
XML Paper Specification Shared Components Pack 1.0
Yahoo! Detect
.
==== End Of File ===========================


Running TDSSKiller and will post the log ASAP.

0

Here is the TDSSKiller report; I will now run Malwarebytes.

2011/05/18 19:54:55.0171 3440 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/18 19:54:57.0187 3440 ================================================================================
2011/05/18 19:54:57.0187 3440 SystemInfo:
2011/05/18 19:54:57.0187 3440
2011/05/18 19:54:57.0187 3440 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/18 19:54:57.0187 3440 Product type: Workstation
2011/05/18 19:54:57.0187 3440 ComputerName: EXPERIEN-5C742D
2011/05/18 19:54:57.0187 3440 UserName: Administrator
2011/05/18 19:54:57.0187 3440 Windows directory: C:\WINDOWS
2011/05/18 19:54:57.0187 3440 System windows directory: C:\WINDOWS
2011/05/18 19:54:57.0187 3440 Processor architecture: Intel x86
2011/05/18 19:54:57.0187 3440 Number of processors: 2
2011/05/18 19:54:57.0187 3440 Page size: 0x1000
2011/05/18 19:54:57.0187 3440 Boot type: Normal boot
2011/05/18 19:54:57.0187 3440 ================================================================================
2011/05/18 19:54:57.0500 3440 Initialize success
2011/05/18 19:54:58.0671 3468 ================================================================================
2011/05/18 19:54:58.0671 3468 Scan started
2011/05/18 19:54:58.0671 3468 Mode: Manual;
2011/05/18 19:54:58.0671 3468 ================================================================================
2011/05/18 19:54:59.0671 3468 ACPI (7517e9b5fe4811cbd7712af820028cc4) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/18 19:54:59.0703 3468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/18 19:54:59.0734 3468 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
2011/05/18 19:54:59.0781 3468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/18 19:54:59.0843 3468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/18 19:54:59.0968 3468 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/05/18 19:55:00.0109 3468 AsyncMac (34c951228c152a248357409cb680ce13) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/18 19:55:00.0125 3468 atapi (65ea06f8711fb3a64ec7d323e350f456) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/18 19:55:00.0250 3468 ati2mtag (26280a446727f1ad5c4cba744e07b2f0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/18 19:55:00.0296 3468 AtiHdmiService (fac04a8e09c8d70594382656d99772a3) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2011/05/18 19:55:00.0328 3468 Atmarpc (ce372a820e4f4e808b574050ec35c049) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/18 19:55:00.0390 3468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/18 19:55:00.0437 3468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/18 19:55:00.0484 3468 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
2011/05/18 19:55:00.0515 3468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/18 19:55:00.0562 3468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/18 19:55:00.0671 3468 Cdfs (3a8d04c6533a344973ba5cce5be2609b) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/18 19:55:00.0703 3468 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/18 19:55:00.0828 3468 Disk (db7ba51015765db476457bedd53d3cfe) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/18 19:55:00.0875 3468 dmboot (ba1f9637c50d105fb8ebe334d57bc16e) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/18 19:55:00.0921 3468 dmio (a29d408f65291721091bc21a48ceed00) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/18 19:55:00.0968 3468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/18 19:55:01.0000 3468 DMusic (0fdc464e960b5c9665d89fe00bc972a3) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/18 19:55:01.0031 3468 drmkaud (6d5ca8474cf00a2765b6d6b35a57e89c) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/18 19:55:01.0078 3468 Fastfat (bb9c87cc84a747f68c4d0e24d5841e61) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/18 19:55:01.0125 3468 Fdc (bafd3cc668a29f5070da63469c273127) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/18 19:55:01.0140 3468 Fips (cd7388a0e1f2585d0300c9533f4de221) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/18 19:55:01.0156 3468 Flpydisk (50cd9634d0d4e6c9c6e2e8ea27f8e2f6) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/18 19:55:01.0187 3468 FltMgr (d1338fb4160e250ae8a9202f8ac3860f) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/18 19:55:01.0218 3468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/18 19:55:01.0250 3468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/18 19:55:01.0281 3468 gdrv (5c230948dd6652228f88ca7ae6cb276c) C:\WINDOWS\gdrv.sys
2011/05/18 19:55:02.0015 3468 Gpc (8c7faa02a68d9eef68287a2842bb4f71) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/18 19:55:02.0046 3468 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/18 19:55:02.0093 3468 HidUsb (81d2ffea0965a205f257160f1328f18e) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/18 19:55:02.0140 3468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/18 19:55:02.0218 3468 i8042prt (f641d64e8fd069d91e60511bb5cf4a2d) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/18 19:55:02.0234 3468 Imapi (df47d4e6ed89cd0ad7248a7604af706e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/18 19:55:02.0421 3468 IntcAzAudAddService (4716f7ee8fb7fd02596ece1ec70aff53) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/18 19:55:02.0484 3468 intelppm (09a4677efbe5a0a14e9a090421d851df) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/18 19:55:02.0500 3468 Ip6Fw (0f2a14149b767cd62559a4e060d63e0a) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/18 19:55:02.0546 3468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/18 19:55:02.0578 3468 IpInIp (f6e4f5f17ead48851b2ca24faf595693) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/18 19:55:02.0609 3468 IpNat (04191cc82eda72c44f9c154bc094ea0d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/18 19:55:02.0625 3468 IPSec (84f6866f355c4c2185eb68206d55c591) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/18 19:55:02.0671 3468 IRENUM (ca98b430387b7d73d9b52eb4e0ab9d92) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/18 19:55:02.0687 3468 isapnp (5a59964bfb9dca86af0c4ae8cc1d6a32) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/18 19:55:02.0734 3468 Kbdclass (4780a418e0fa859b09311c87980d0f7e) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/18 19:55:02.0765 3468 kbdhid (e8b24306a700220740daf09f042280a2) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/18 19:55:02.0796 3468 kmixer (e30be31b27e6fd0c3ab65e87f794e5df) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/18 19:55:02.0828 3468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/18 19:55:02.0937 3468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/18 19:55:02.0968 3468 Modem (8c0f9f5a284b1db052c31ed629c2a5c3) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/18 19:55:03.0031 3468 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/05/18 19:55:03.0078 3468 Mouclass (06515a5d8482b44e55bab35981888a0e) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/18 19:55:03.0093 3468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/18 19:55:03.0125 3468 MountMgr (8b64fa7814ed005e57d43155de88398a) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/18 19:55:03.0171 3468 MRxDAV (53cb9e3b300f4ea15d5b2679b102d09f) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/18 19:55:03.0187 3468 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/18 19:55:03.0234 3468 Msfs (79e4458da04664b431e6728a18199300) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/18 19:55:03.0265 3468 MSKSSRV (241e77138dee16d546080a794b80284b) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/18 19:55:03.0281 3468 MSPCLOCK (f46de5b07ea15e0727f12eb12e710f71) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/18 19:55:03.0312 3468 MSPQM (c53927217ac0834dc547b396ffc495d9) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/18 19:55:03.0343 3468 mssmbios (146e70915c378f02476a10bcec3a95c2) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/18 19:55:03.0375 3468 Mup (254717fc83220bdc790f6c2e57c620bf) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/18 19:55:03.0437 3468 NDIS (aff1aed224d17c8bc38174ed932f68b6) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/18 19:55:03.0453 3468 NdisTapi (eaeecd0001f1d43bb3e81b77e8b8483e) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/18 19:55:03.0484 3468 Ndisuio (077c330d7e12669d57ed16e4dfabf700) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/18 19:55:03.0500 3468 NdisWan (36a503c26f7c81fe7ce71b0b467605dd) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/18 19:55:03.0531 3468 NDProxy (21769bbeb1b70ddad968002390100b3a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/18 19:55:03.0546 3468 NetBIOS (4977fd4bad4b94188e7b101df0e017ef) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/18 19:55:03.0578 3468 NetBT (3294dc900631ee18c86f49e7c26e416b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/18 19:55:03.0625 3468 Npfs (bff3844722d795df4c5066aaae957ec8) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/18 19:55:03.0656 3468 Ntfs (d7f8a3f743c54c13d78954176ad483a2) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/18 19:55:03.0703 3468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/18 19:55:03.0734 3468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/18 19:55:03.0750 3468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/18 19:55:03.0781 3468 Parport (9f84cffa068c474084a99bc68bf3ea63) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/18 19:55:03.0796 3468 PartMgr (64fc948a8387d3a5fba3cdeb539b1514) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/18 19:55:03.0828 3468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/18 19:55:03.0859 3468 PCI (ef6876118575c85ca4ad39ac6490656c) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/18 19:55:03.0890 3468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/18 19:55:03.0906 3468 Pcmcia (c1bc00b2c7a782cf5207f1a13745ab65) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/18 19:55:04.0031 3468 PptpMiniport (7065eaef0b12cc5339425d575e5a71d3) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/18 19:55:04.0046 3468 PSched (7c8c04b524b0823a29ee6b0818ecbbb3) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/18 19:55:04.0093 3468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/18 19:55:04.0140 3468 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/18 19:55:04.0218 3468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/18 19:55:04.0250 3468 Rasl2tp (1d0743f4b97fd729511ad5022e0bcbc1) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/18 19:55:04.0281 3468 RasPppoe (04a17ced474f4444d6eff7a1ba169a2e) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/18 19:55:04.0296 3468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/18 19:55:04.0328 3468 Rdbss (d2fd6bd47a5ad252745c96b61b55d7be) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/18 19:55:04.0375 3468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/18 19:55:04.0406 3468 rdpdr (00f5b19217f0ea9a513789dd8214c79b) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/18 19:55:04.0468 3468 RDPWD (e92dd0b4ab8d73f72fef85282f8dd2e2) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/18 19:55:04.0515 3468 redbook (bf1bfdad19fd920cc0856886ce91b208) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/18 19:55:04.0578 3468 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/05/18 19:55:04.0625 3468 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/05/18 19:55:04.0656 3468 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/05/18 19:55:04.0687 3468 RTLE8023xp (eeb84629064abcb6198864d25bf15b1a) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/05/18 19:55:04.0718 3468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/18 19:55:04.0734 3468 serenum (19f5a2b382c281ea02525566e8fe6980) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/18 19:55:04.0765 3468 Serial (3dae0c3747f4065d18617ca36f63f104) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/18 19:55:04.0796 3468 Sfloppy (0e0d508c42ed31e0ce4877bcbd1dac7e) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/18 19:55:04.0859 3468 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/05/18 19:55:04.0906 3468 splitter (d15d4f064889adae4ef9a44797361a95) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/18 19:55:04.0937 3468 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/18 19:55:04.0937 3468 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/18 19:55:04.0953 3468 sptd - detected LockedFile.Multi.Generic (1)
2011/05/18 19:55:04.0984 3468 sr (b0a078e4f5c4b11ddca9fe48e860687f) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/18 19:55:05.0031 3468 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/18 19:55:05.0078 3468 swenum (52ca69522d2780008679f486ff2d16a9) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/18 19:55:05.0109 3468 swmidi (d9f7f799db20ce348d2c7f374aae5133) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/18 19:55:05.0187 3468 sysaudio (ac17b7e3da6fc911466962bbe1596239) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/18 19:55:05.0234 3468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/18 19:55:05.0281 3468 TDPIPE (acbb991ba7710ca13e3f7c581365eec0) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/18 19:55:05.0296 3468 TDTCP (b4b829f1accaa80686a9f9264f2050d0) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/18 19:55:05.0343 3468 TermDD (9357984830dc4f40c3c82489b56ec95b) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/18 19:55:05.0406 3468 Udfs (007c5857eca3624845005d800986e400) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/18 19:55:05.0468 3468 Update (4b633414b8231060c8ceac4575fcb00e) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/18 19:55:05.0531 3468 usbccgp (7d9ac2328255cb506a9b74fdf2977ce1) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/18 19:55:05.0546 3468 usbehci (8e9d9764dd8030160fc42e183001113d) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/18 19:55:05.0562 3468 usbhub (32889e8b3bb890d5dbcdf866598a2b45) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/18 19:55:05.0609 3468 usbprint (0c92e95006b083ba25c0e805e6e7b1d6) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/18 19:55:05.0656 3468 usbscan (bd381322d0db6d18f42c0df992e8a7cb) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/18 19:55:05.0734 3468 USBSTOR (4c11e52f58b8f691099f9c1b0432a6a6) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/18 19:55:05.0750 3468 usbuhci (b4fbc865ce1311f671c18388df73eb80) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/18 19:55:05.0796 3468 VgaSave (27573609ed1a48065a7174fa6b7f36e5) C:\WINDOWS\System32\drivers\vga.sys
2011/05/18 19:55:05.0843 3468 VolSnap (999a7ab63b8f364f4df130d48ba7e972) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/18 19:55:05.0875 3468 Wanarp (4d91cdfecb032a34c550080b62720e15) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/18 19:55:05.0937 3468 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/05/18 19:55:05.0984 3468 wdmaud (971260ff2bdf0371c11e811fa9c64bd8) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/18 19:55:06.0031 3468 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/18 19:55:06.0078 3468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/18 19:55:06.0109 3468 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/18 19:55:06.0265 3468 ================================================================================
2011/05/18 19:55:06.0265 3468 Scan finished
2011/05/18 19:55:06.0265 3468 ================================================================================
2011/05/18 19:55:06.0281 3460 Detected object count: 1
2011/05/18 19:55:59.0062 3460 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/18 19:55:59.0062 3460 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/18 19:55:59.0078 3460 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
2011/05/18 19:55:59.0078 3460 LockedFile.Multi.Generic(sptd) - User select action: Quarantine

0

After running MBA-M and posting the log, do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to, and run it from, your Desktop.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double-click combofix.exe and follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run ComboFix ONCE only!!

0

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6594

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 8:34:44 PM
mbam-log-2011-05-18 (20-34-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 307369
Time elapsed: 35 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Running ComboFix.

0

ComboFix log:

ComboFix 11-05-17.03 - Administrator 05/18/2011 20:44:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2572 [GMT -4:00]
Running from: c:\documents and settings\Administrator.EXPERIEN-5C742D\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.EXPERIEN-5C742D\WINDOWS
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2072-04-03 12:13 . 2008-03-21 13:46 607296 ------w- c:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2071-07-25 08:13 . 2006-11-21 20:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-05-18 23:55 . 2011-05-18 23:55 -------- d-----w- C:\TDSSKiller_Quarantine
2011-05-17 22:22 . 2011-05-17 22:22 -------- d-----w- c:\program files\Common Files\Java
2011-05-17 22:03 . 2011-05-17 22:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 21:26 . 2011-04-15 19:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-05-17 21:26 . 2010-11-03 22:15 359016 ----a-w- c:\windows\vncutil.exe
2011-05-17 21:26 . 2010-11-03 22:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2011-05-17 21:26 . 2009-11-18 11:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-05-17 21:26 . 2009-11-18 11:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-05-16 23:51 . 2011-05-16 23:51 -------- d-----w- c:\documents and settings\Administrator.EXPERIEN-5C742D\Application Data\Malwarebytes
2011-05-16 23:51 . 2011-05-16 23:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-05-16 23:51 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 23:51 . 2011-05-16 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 23:51 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-12 01:09 . 2011-05-12 01:09 -------- d-----w- c:\program files\Winamp Detect
2011-05-10 01:11 . 2011-05-10 01:11 -------- d-----w- c:\documents and settings\Administrator.EXPERIEN-5C742D\Application Data\BitDefender
2011-05-06 03:52 . 2011-03-04 19:44 59888 ------w- c:\windows\system32\pxwma.dll
2011-05-06 03:52 . 2011-05-07 04:15 -------- d-----w- c:\documents and settings\Administrator.EXPERIEN-5C742D\Application Data\Winamp
2011-05-05 22:05 . 2011-05-05 22:06 -------- d-----w- c:\documents and settings\Administrator.EXPERIEN-5C742D\Local Settings\Application Data\Temp
2011-05-05 22:05 . 2011-05-05 22:10 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
2011-05-01 03:26 . 2011-05-01 03:26 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\QuickScan
2011-05-01 03:20 . 2011-05-01 03:20 -------- d-----w- c:\program files\MSSOAP
2011-05-01 03:02 . 2011-05-01 03:02 -------- d-----w- c:\documents and settings\Administrator.EXPERIEN-5C742D\Application Data\QuickScan
2011-05-01 03:02 . 2011-05-10 01:13 -------- d-----w- c:\program files\Common Files\BitDefender
2011-05-01 02:55 . 2011-05-10 01:10 626263 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\bdinstall.bin
2011-05-01 02:13 . 2011-05-01 02:13 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-18 23:51 . 2008-12-17 14:38 16608 ----a-w- c:\windows\gdrv.sys
2011-05-17 21:26 . 2008-12-17 14:42 319488 ----a-w- c:\windows\HideWin.exe
2011-05-03 20:33 . 2008-12-17 14:42 6404712 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-04-14 17:36 . 2008-12-17 14:42 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2011-03-04 19:44 . 2008-12-18 18:09 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 19:44 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2011-03-04 19:44 . 2009-01-23 06:19 126448 ------w- c:\windows\system32\pxinsi64.exe
2011-03-04 19:44 . 2009-01-23 06:19 123888 ------w- c:\windows\system32\pxcpyi64.exe
2011-02-25 23:37 . 2008-12-17 14:42 1284712 ----a-w- c:\windows\RtlExUpd.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.EXPERIEN-5C742D^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrator.EXPERIEN-5C742D\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
= [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-03 22:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-11-15 09:42 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2010-11-03 22:13 2815592 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-05-03 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-07-08 16:22 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 19:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 19:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2011-04-14 17:36 20053608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 09:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-11-10 21:18 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 21:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AC3Filter\\ac3config.exe"=
"c:\\Games\\sim city3000\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Games\\StarCraft II\\StarCraft II.exe"=
"c:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"c:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"c:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/17/2008 10:54 AM 691696]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/17/2008 12:31 AM 80392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 6:05 PM 136176]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/19/2008 7:44 PM 20160]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/17/2011 5:26 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 6:05 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SR
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0b7130ab7afa.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-05 22:05]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIEN-5C742D\Application Data\Mozilla\Firefox\Profiles\wug9wm07.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c6a6f83&v=6.103.018.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2011\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2011\ieshow.exe
MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
MSConfigStartUp-Comrade - c:\program files\GameSpy\Comrade\Comrade.exe
MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-Samsung PanelMgr - c:\windows\Samsung\PanelMgr\SSMMgr.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 20:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-682003330-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,3b,93,97,2c,07,71,40,af,67,74,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,3b,93,97,2c,07,71,40,af,67,74,\
.
[HKEY_USERS\S-1-5-21-1390067357-682003330-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1390067357-682003330-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:88,d6,7a,4c,01,52,75,19,9e,ed,ad,f5,43,47,1f,64,04,49,6d,f6,f9,
f0,2c,9b,c4,69,b3,73,74,38,9f,58,f5,df,5b,6c,7b,97,b6,76,d8,0b,57,d2,12,ba,\
"rkeysecu"=hex:ea,c0,2f,bb,80,23,d5,9b,ab,84,4a,b1,43,6d,c3,f3
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-18 20:47:54
ComboFix-quarantined-files.txt 2011-05-19 00:47
.
Pre-Run: 71,647,330,304 bytes free
Post-Run: 71,655,313,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6929FFD297B3A5637F90CC161B0E693A


One thing I'm curious about: ComboFix detected BitDefender still being active on my computer before running, and this is AFTER I uninstalled it.

Please advise.

0
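A responder reading a ComboFix log like the one above usually checks a few things before anything else: file entries dated after the scan itself (the two "2072" and "2071" entries are impossible creation dates for a scan run in May 2011), autostart entries whose target file no longer exists (ComboFix marks these `[X]`), and whether the Windows Firewall standard profile has been switched off (`"EnableFirewall"= 0`). The script below is an added example, not ComboFix's own code or anything posted by the participants; it parses a small constructed excerpt modelled on lines from the log above and returns those three findings so they can be asserted on rather than eyeballed.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix's
own code). It parses the "Files Created" section and the "Reg Loading Points"
section and flags:
  * files whose creation timestamp lies after the scan window (timestomped
    or corrupted timestamps),
  * autostart entries whose target is missing (ComboFix marks them [X]),
  * a Windows Firewall standard profile that is switched off.
"""
import re
from datetime import date

# Constructed excerpt modelled on the full ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
2072-04-03 12:13 . 2008-03-21 13:46 607296 ------w- c:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2071-07-25 08:13 . 2006-11-21 20:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-05-18 23:55 . 2011-05-18 23:55 -------- d-----w- C:\TDSSKiller_Quarantine
2011-05-17 22:03 . 2011-05-17 22:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# "created . modified size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+)$"
)
WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_scan_window(text):
    """Return (start, end) dates of the 'Files Created' window, or None."""
    m = WINDOW_RE.search(text)
    if not m:
        return None
    return date.fromisoformat(m.group(1)), date.fromisoformat(m.group(2))


def parse_file_entries(text):
    """Parse every file/directory line into a dict of its fields."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({
                "created": date.fromisoformat(m.group(1)),
                "modified": date.fromisoformat(m.group(3)),
                "size": m.group(5),
                "attrs": m.group(6),
                "path": m.group(7),
            })
    return entries


def parse_reg_entries(text):
    """Parse [key] headers and the "name"=value lines beneath them."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries.append({"key": key, "name": vm.group(1), "value": vm.group(2)})
    return entries


def future_dated(entries, scan_end):
    """Paths whose creation date is later than the scan window's end."""
    return [e["path"] for e in entries if e["created"] > scan_end]


def missing_targets(reg_entries):
    """(key, name) of autostart values ComboFix annotated with [X]."""
    return [(e["key"], e["name"]) for e in reg_entries if e["value"].endswith("[X]")]


def firewall_disabled(reg_entries):
    """True when the standard-profile EnableFirewall value is 0."""
    for e in reg_entries:
        if (e["name"].lower() == "enablefirewall"
                and e["key"].lower().endswith(r"firewallpolicy\standardprofile")):
            return e["value"].strip().startswith("0")
    return False


def triage(text):
    """Run all three checks over one log and return the findings."""
    window = parse_scan_window(text)
    files = parse_file_entries(text)
    reg = parse_reg_entries(text)
    return {
        "scan_window": window,
        "future_dated": future_dated(files, window[1]) if window else [],
        "missing_targets": missing_targets(reg),
        "firewall_disabled": firewall_disabled(reg),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The future-dated check compares against the end of the "Files Created" window printed by ComboFix itself rather than today's date, so the same logic gives the same answer whenever the log is re-examined. A disabled standard-profile firewall is not proof of malware (the log above also shows several games and uTorrent authorised through it), but it is one of the first settings to restore once a machine is clean.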

How did you uninstall BitDefender? If it was uninstalled incorrectly then it would not all have been removed. Also, you failed to update Malwarebytes' before the scan; you have an old database, 6594. The current database is 6612. Malwarebytes' issues updates multiple times a day; that is why you always must check for updates before each and every scan, even when you run more than one scan a day.

Edited by jholland1964: n/a

0

I went through the official uninstaller provided. Is there some way to eliminate its presence completely?

I will update Malwarebytes now. Should I run another scan once the update is completed?

0

Yes, do another Malwarebytes' scan. For the moment don't worry about the BitDefender; we'll get rid of all that shortly.

0

Thanks for all the help again. Is BitDefender a good program to use? I know some anti-spyware programs are suspect.

0

BitDefender is an OK program; it's a PAID anti-virus program, not free. Did you pay for it?
Not sure what you mean by "some anti-spyware programs are suspect". BitDefender is not an anti-spyware program, though its security suite contains an anti-spyware program. If you got it for free then you didn't get the true BitDefender program, and then of course it would be very suspect.

Here is its web page with purchase info

http://www.bitdefender.com/

Edited by jholland1964: n/a

0

Updated Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 9:58:46 PM
mbam-log-2011-05-18 (21-58-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 308254
Time elapsed: 35 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

BitDefender is an OK program; it's a PAID anti-virus program, not free. Did you pay for it?
Not sure what you mean by "some anti-spyware programs are suspect". BitDefender is not an anti-spyware program, though its security suite contains an anti-spyware program. If you got it for free then you didn't get the true BitDefender program, and then of course it would be very suspect.

Here is its web page with purchase info

http://www.bitdefender.com/

My dad purchased it, and gave me the link to set it up on my PC, so it was legitimate.

Now let me know how to proceed further.

As per anything else you need me to do, and as per the BitDefender still hanging around.

0

As long as you have the license code you should be able to download and reinstall it again. Do you have the license code?
If you don't want to use it that is fine; there are some very good free anti-virus programs out there to use. But in order to uninstall it you can try downloading and reinstalling and then go through Add/Remove and try uninstalling again. You can also use the free version of Revo Uninstaller to remove it and all of its remaining files; it is really up to you.
http://www.revouninstaller.com/revo_uninstaller_free_download.html

Is the computer working as it should be now? Is the taskbar its normal color and has the sound returned?

0

Yeah! Everything seems to be in order!

Thank you so much!

0

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.

0

All done! Thank you so much for getting my computer back to life!!!

0

I will keep all of the programs you guys provided me in case this comes back.

Any other tips for keeping such malware blocked?

0

The only program you need to keep is Malwarebytes' Anti-Malware. The others are only for use on an infected machine and shouldn't be used again. Malwarebytes' should be updated and a scan run at least once a week, following the same procedure used here.
The other FREE program I would recommend is SpywareBlaster by Javacool. Just click right there and you will get the install file.
Download, save it, double click to install. Then Update it and Enable all protection and close the program. That's it. Manually check for updates every couple weeks and follow the same procedure if there is an update and then close it again.
SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.
I would never run a computer without it.
