

My antivirus disabled by trojan??

This is a discussion on "My antivirus disabled by trojan??" within the Resolved HJT Threads forum, part of the Tech Support Forum category.


 
 
Old 02-12-2010, 07:23 AM   #1

Hello
I am running Win XP Pro SP3; my antivirus is Avast.

I am also using Comodo firewall.

I have noticed in the last couple of days that when I search in Google, an unwanted advert appears before the correct site.

Also, my Avast licence is coming to an end, but something is stopping me from updating it.

I am also unable to start in safe mode.

I ran a trial version of TrojanHunter and it showed a rootkit problem, but of course I have to buy the program to delete it. I cannot now remember what the details were.

Can someone help, please?

Thank you.
willynilly
Old 02-12-2010, 08:06 AM   #2
Forgot to mention: I have run DDS (DDS.txt and Attach.txt). Not sure how to put them on here. Thanks.
willynilly
Old 02-15-2010, 04:10 AM   #3
Bump, please.
willynilly
Old 02-15-2010, 04:52 AM   #4
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Quote:
I have run DDS (DDS.txt and Attach.txt). Not sure how to put them on here.
Simply open the files, select all (Ctrl + A), then copy (Ctrl + C), then paste (Ctrl + V) into the Reply to Thread window.

I also need to see the GMER log in order to help you.

------------------------------------------------------
chemist
Old 02-15-2010, 06:34 AM   #5
Hi chemist. Thanks for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by William at 14:57:52.20 on 12/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1484 [GMT 0:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! antivirus 4.8.1368 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\TrojanHunter 5.2\THGuard.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\William\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [NWEReboot]
mRun: [THGuard] "c:\program files\trojanhunter 5.2\THGuard.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32dll c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\william\applic~1\mozilla\firefox\profiles\07hq93uw.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-12 207792]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-8 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-8 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-8 25160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-8 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-12 112592]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-12-8 723632]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-12 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-12 1141712]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2010-1-16 3968]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-8 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-8 352920]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-12-28 406016]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\william\locals~1\temp\gusbstoi.sys --> c:\docume~1\william\locals~1\temp\gUSBSTOi.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-3-10 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-3-10 8320]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2009-11-12 32736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-3-28 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-28 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-28 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-3-28 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-3-28 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-28 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-3-28 117672]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-3-16 11520]
S4 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malware\a2service.exe [2010-1-15 1858144]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-11-23 1858144]
S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-11-12 220128]

=============== Created Last 30 ================

2010-02-12 14:40:51 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-12 14:40:51 880 ----a-w- c:\windows\RegISSImport.xml
2010-02-12 14:40:51 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-12 14:40:50 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-12 14:40:50 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-12 14:40:50 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-12 14:40:50 131 ----a-w- c:\windows\IDB.zip
2010-02-12 14:40:50 1152444 ----a-w- c:\windows\UDB.zip
2010-02-12 14:39:16 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-12 14:39:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-12 14:38:54 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-12 14:38:54 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-12 14:38:54 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-12 14:38:54 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-12 14:38:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-12 14:38:47 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-12 14:38:38 0 d-----w- c:\program files\Spyware Doctor
2010-02-12 14:38:38 0 d-----w- c:\program files\common files\PC Tools
2010-02-12 14:38:38 0 d-----w- c:\docume~1\william\applic~1\PC Tools
2010-02-12 14:38:38 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-12 12:07:37 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-08 15:09:29 0 d-----w- c:\docume~1\alluse~1\applic~1\launcher
2010-02-08 10:46:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-07 2100 0 d-----w- c:\program files\Paragon Software
2010-02-07 20:21:49 0 d-----w- c:\docume~1\alluse~1\applic~1\explauncher
2010-02-06 00:28:45 0 d-----w- c:\program files\Battlefront
2010-02-03 11:58:12 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-02-03 11:58:11 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-02-03 11:58:10 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-02-03 11:58:09 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-02-03 11:58:08 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-02-03 11:58:07 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-02-03 11:58:07 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-01-30 16:19:21 0 d-----w- c:\program files\Uniblue
2010-01-30 16:19:21 0 d-----w- c:\docume~1\william\applic~1\Uniblue
2010-01-30 16:19:21 0 d-----w- c:\docume~1\alluse~1\applic~1\DriverScanner
2010-01-30 16:18:45 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-01-21 11:47:42 0 d-----w- c:\program files\Defcon
2010-01-19 15:48:57 129495341 ----a-w- c:\documents and settings\william\aptmp.exe
2010-01-19 15:12:13 0 d-----w- c:\program files\Illusion Softworks
2010-01-18 11:49:01 154 ----a-w- C:\JANUS.ERR
2010-01-18 11:40:23 86016 ----a-w- c:\windows\unvise32qt.exe
2010-01-18 11:34:38 0 d-----w- c:\program files\SSI
2010-01-18 11:34:27 507904 ------w- c:\windows\Silent Hunter II remove.exe
2010-01-18 11:34:27 44544 ----a-r- c:\windows\dsetup.dll
2010-01-18 11:34:27 1772544 ----a-r- c:\windows\dsetup32.dll
2010-01-18 10:30:32 0 d-----w- c:\docume~1\william\applic~1\TrojanHunter
2010-01-18 09:55:48 0 d-----w- c:\program files\TrojanHunter 5.2
2010-01-17 00:21:54 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-01-17 00:21:53 0 d-----w- c:\program files\AMD
2010-01-16 23:40:56 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-16 23:40:56 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-16 23:40:54 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-01-16 23:40:54 2688 ----a-w- c:\windows\system32\drivers\HIDSwvd.sys
2010-01-16 23:40:52 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-01-16 23:40:52 59136 ----a-w- c:\windows\system32\drivers\GcKernel.sys
2010-01-16 23:40:49 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-01-16 23:40:49 3968 ----a-w- c:\windows\system32\drivers\SWUSBFLT.SYS
2010-01-16 23:40:49 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-01-16 23:40:49 10240 ----a-w- c:\windows\system32\swpdflt2.dll
2010-01-16 23:16:19 0 d-----w- c:\program files\Microsoft Games
2010-01-16 12:47:05 42 ----a-w- c:\documents and settings\william\default.pls
2010-01-15 10:53:25 0 d-----w- c:\program files\Steam
2010-01-15 00:57:20 0 d-----w- c:\program files\a-squared Anti-Malware
2010-01-13 17:09:16 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-02 2019 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-02-01 20:47:38 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-01 20:47:37 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-28 16:08:12 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-21 08:46:32 86016 ----a-w- c:\windows\system32\frapsvid.dll
2001-11-23 12:08:20 712704 ----a-r- c:\windows\inf\other\AUDIO3D.DLL
2009-10-17 10:12:31 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-10-17 10:12:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101720091018\index.dat



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 08/12/2008 16:30:00
System Uptime: 02/12/2010 13:59:43 (-7031 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N-E SLI
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket AM2 | 3015/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 42.893 GiB free.
E: is CDROM (CDFS)
F: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: C-Media CM6501 Like Sound Device
Device ID: USB\VID_0D8C&PID_0201&MI_00\6&834DCB8&0&0000
Manufacturer: C-Media
Name: C-Media CM6501 Like Sound Device
PNP Device ID: USB\VID_0D8C&PID_0201&MI_00\6&834DCB8&0&0000
Service: cm102u32

==== System Restore Points ===================

RP261: 11/11/2009 16:35:56 - Installed Call of Juarez
RP262: 11/11/2009 16:42:55 - Installed DirectX
RP263: 13/11/2009 12:29:52 - Removed Samsung PC Studio 3
RP264: 13/11/2009 12:31:03 - Removed Samsung PC Studio 3 USB Driver Installer
RP265: 18/11/2009 13:09:08 - System Checkpoint
RP266: 19/11/2009 14:41:44 - Installed DirectX
RP267: 19/11/2009 15:00:31 - Removed Steam(TM)
RP268: 19/11/2009 15:02:33 - Removed Day of Defeat: Source
RP269: 19/11/2009 19:35:11 - Installed DirectX
RP270: 20/11/2009 23:00:43 - Installed DirectX
RP271: 22/11/2009 12:59:17 - before using winopt
RP272: 22/11/2009 13:27:35 - Installed DirectX
RP273: 23/11/2009 00:25:51 - Removed Call of Duty(R) - World at War(TM)
RP274: 24/11/2009 10:30:15 - Removed Opera 10.01.
RP275: 24/11/2009 10:30:28 - Installed Opera 10.10.
RP276: 25/11/2009 10:25:31 - Software Distribution Service 3.0
RP277: 25/11/2009 11:07:53 - Removed Acrobat.com
RP278: 29/11/2009 23:27:29 - Installed PowerResizer
RP279: 01/12/2009 08:32:15 - System Checkpoint
RP280: 02/12/2009 23:46:24 - Removed PowerResizer
RP281: 03/12/2009 09:41:46 - Removed Call of Juarez
RP282: 05/12/2009 14:41:14 - System Checkpoint
RP283: 09/12/2009 00:53:54 - Software Distribution Service 3.0
RP284: 10/12/2009 10:01:27 - Installed Macrium Reflect - Free Edition
RP285: 16/12/2009 21:37:45 - System Checkpoint
RP286: 17/12/2009 12:41:36 - Installed Company of Heroes.
RP287: 19/12/2009 16:43:33 - System Checkpoint
RP288: 24/12/2009 20:46:45 - Installed OF Dragon Rising
RP289: 24/12/2009 21:12:34 - Installed OF Dragon Rising
RP290: 27/12/2009 10:58:24 - Installed USB2.0 Capture Device
RP291: 27/12/2009 11:00:41 - Installed Ulead VideoStudio
RP292: 27/12/2009 11:04:20 - Installed Windows Media Encoder 9 Series
RP293: 27/12/2009 12:13:55 - Unsigned driver install
RP294: 28/12/2009 10:16:36 - Software Distribution Service 3.0
RP295: 04/01/2010 18:10:00 - System Checkpoint
RP296: 08/01/2010 17:41:29 - System Checkpoint
RP297: 13/01/2010 17:12:27 - Software Distribution Service 3.0
RP298: 14/01/2010 21:16:35 - System Checkpoint
RP299: 15/01/2010 10:53:24 - Installed Steam
RP300: 15/01/2010 11:47:27 - Unsigned driver install
RP301: 15/01/2010 11:53:54 - Update to an unsigned driver
RP302: 15/01/2010 11:57:21 - Update to an unsigned driver
RP303: 15/01/2010 12:11:17 - Removed USB2.0 Capture Device
RP304: 15/01/2010 12:16:53 - Unsigned driver install
RP305: 16/01/2010 23:09:57 - Removed PRODUCT_NAME
RP306: 17/01/2010 00:21:44 - Installed AMD Processor Driver
RP307: 18/01/2010 00:29:58 - System Checkpoint
RP308: 18/01/2010 12:08:45 - Installed Windows Internet Explorer 8.
RP309: 18/01/2010 12:09:03 - Software Distribution Service 3.0
RP310: 19/01/2010 15:48:31 - Installed Hidden & Dangerous 2
RP311: 21/01/2010 16:49:45 - Configured Hidden & Dangerous 2
RP312: 22/01/2010 11:01:59 - Software Distribution Service 3.0
RP313: 23/01/2010 11:16:58 - System Checkpoint
RP314: 23/01/2010 1252 - pre troj
RP315: 26/01/2010 13:45:36 - System Checkpoint
RP316: 28/01/2010 16:28:50 - System Checkpoint
RP317: 30/01/2010 13:35:22 - System Checkpoint
RP318: 30/01/2010 16:18:45 - Installed Uniblue DriverScanner v1.0
RP319: 31/01/2010 16:19:36 - System Checkpoint
RP320: 03/02/2010 10:21:44 - Installed Day of Defeat: Source
RP321: 03/02/2010 11:56:07 - Installed Microsoft Visual C++ 2005 Redistributable
RP322: 03/02/2010 11:56:27 - Installed DirectX
RP323: 03/02/2010 12:03:57 - Installed DirectX
RP324: 05/02/2010 14:54:17 - Configured Hidden & Dangerous 2
RP325: 05/02/2010 16:16:18 - Configured Hidden & Dangerous 2
RP326: 06/02/2010 00:31:42 - Installed DirectX
RP327: 06/02/2010 16:44:06 - Removed Day of Defeat: Source
RP328: 06/02/2010 16:45:37 - Installed Day of Defeat: Source
RP329: 06/02/2010 17:11:07 - Removed Day of Defeat: Source
RP330: 06/02/2010 17:12:05 - Installed Day of Defeat: Source
RP331: 07/02/2010 21:05:56 - Installed Paragon Disk Wiper™ 10 Special Edition.
RP332: 08/02/2010 10:47:31 - avast! Free Antivirus Setup
RP333: 09/02/2010 15:22:10 - System Checkpoint
RP334: 12/02/2010 12:01:04 - Restore Operation
RP335: 12/02/2010 13:10:44 - Software Distribution Service 3.0

==== Installed Programs ======================

a-squared Anti-Malware 4.5
a-squared Free 4.5
Act of War - Direct Action
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.3
Adobe Shockwave Player 11
AMD Processor Driver
Apple Software Update
ArmA 2 Uninstall
ArmA Uninstall
Ashampoo WinOptimizer 6.50
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avanquest update
Battlefield 1942
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield Vietnam(TM)
Battlefield Vietnam: WW2 Mod
BattlEye Uninstall
Belarc Advisor 7.2
Blitzkrieg 2
BlueSoleil
Browser Defender 2.0.6.11
C-Media 6501 Sound
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
CapMan
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCenter
CCleaner
COMODO Internet Security
Company of Heroes
Critical Update for Windows Media Player 11 (KB959772)
Day of Defeat: Source
Defcon Patch 1.43
Easy-WebPrint
Euro Truck Simulator
Far Cry 2
GTA San Andreas
HD Tune 2.55
Hidden & Dangerous 2
Hidden & Dangerous 2 Patch
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Macrium Reflect - Free Edition
Medal of Honor Pacific Assault(tm)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Combat Flight Simulator 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Motorola Phone Tools
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Premium
Nikon Scan
NVIDIA Drivers
NVIDIA PhysX v8.04.25
OF Dragon Rising
OLYMPUS CAMEDIA Master 4.2
OpenAL
Opera 10.10
PC Suite
PCI Audio Driver
PunkBuster for Battlefield Vietnam
PunkBuster Services
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Silent Hunter II
SilverFast NikonSF-SE 6.6.0r5
Skins
Sniper: Art of Victory
Sony Ericsson MMS Home Studio
Sony Ericsson Mobile Networking Wizard
Sony Ericsson Mobile Phone Monitor
Sony Ericsson OCS
Sony Ericsson PC Suite 4.010.00
Sony Ericsson Sound Editor
Sony Ericsson Sync Station
Spybot - Search & Destroy
Spyware Doctor 7.0
SRWare Iron 3.0.197.0
Steam
Tom Clancy's Rainbow Six Vegas 2
TrojanHunter 5.2
Ulead VideoStudio SE DVD
Uniblue DriverScanner 2009
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VueScan
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2009

==== Event Viewer Messages From Past Week ========

12/02/2010 13:21:35, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
08/02/2010 09:39:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd

==== End Of File ===========================


GMER 1.0.15.15281 - https://www.gmer.net
Rootkit scan 2010-02-15 10:56:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\William\LOCALS~1\Temp\kwldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xACD72BDA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xACB1E6B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xACD721B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xACD72840]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACB1E574]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xACD7209A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xACD7406A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xACD74302]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xACD71C60]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xACD72FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xACB1EA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xACB1E14C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xACD73CEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xACD7243C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xACD72A1C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xACB1E64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xACB1E08C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xACD726CC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xACB1E0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xACB1E76E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xACD73720]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xACD74648]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xACB1E72E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xACD73A88]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xACD72DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xACD73E9A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACB1E8AE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xACD723D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xACD725C0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xACD71F64]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xACD71E32]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\atapi \Device\Ide\IdePort0 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort4 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort5 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1f [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

============= FINISH: 14:58:54.95 ===============
willynilly is offline  
Old 02-15-2010, 11:04 AM   #6
Hello willynilly.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

It appears that you have three antivirus programs installed, a-squared, avast!, and Spyware Doctor, and two running (avast! and Spyware Doctor). While this may seem like better protection, they can still conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the others via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-15-2010, 12:00 PM   #7
Hi chemist

One of my problems is that I cannot enable or uninstall Avast. The little blue ball sits in the tray with a red circle in it and refuses to let me do anything with it.
Spyware Doctor, I don't think I actually installed it. There is no mention of it in my Add or Remove Programs. I have uninstalled a-squared, but I thought that was only anti-malware.
At the moment I have no antivirus which will work, so that is a worry for me.

Here is the ComboFix log.

ComboFix 10-02-12.01 - William 15/02/2010 18:47:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1561 [GMT 0:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: avast! antivirus 4.8.1368 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\William\Application Data\CCenter

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-15 16:36 . 2009-08-24 21:08 28160 ----a-w- c:\windows\system32\DfSdkBt.exe
2010-02-15 11:16 . 2010-02-15 11:16 -------- d-----w- c:\documents and settings\William\Application Data\AVG8
2010-02-12 20:00 . 2010-02-12 20:00 -------- d-----w- c:\windows\Sun
2010-02-12 19:52 . 2010-02-12 19:52 503808 ----a-w- c:\documents and settings\William\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ec30b88-n\msvcp71.dll
2010-02-12 19:52 . 2010-02-12 19:52 499712 ----a-w- c:\documents and settings\William\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ec30b88-n\jmc.dll
2010-02-12 19:52 . 2010-02-12 19:52 348160 ----a-w- c:\documents and settings\William\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ec30b88-n\msvcr71.dll
2010-02-12 19:52 . 2010-02-12 19:52 61440 ----a-w- c:\documents and settings\William\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b23f24e-n\decora-sse.dll
2010-02-12 19:52 . 2010-02-12 19:52 12800 ----a-w- c:\documents and settings\William\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b23f24e-n\decora-d3d.dll
2010-02-12 19:52 . 2010-02-12 19:52 -------- d-----w- c:\program files\Common Files\Java
2010-02-12 19:52 . 2010-02-12 19:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 19:51 . 2010-02-12 19:51 -------- d-----w- c:\program files\Java
2010-02-12 19:18 . 2010-02-12 19:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-12 19:17 . 2010-02-12 19:17 -------- d-----w- c:\program files\505games
2010-02-08 15:09 . 2010-02-08 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2010-02-08 10:46 . 2010-02-08 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-07 21:06 . 2010-02-07 21:06 -------- d-----w- c:\program files\Paragon Software
2010-02-07 20:21 . 2010-02-07 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2010-02-06 00:28 . 2010-02-06 00:28 -------- d-----w- c:\program files\Battlefront
2010-01-30 16:19 . 2010-01-30 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-01-30 16:19 . 2010-01-30 16:19 -------- d-----w- c:\documents and settings\William\Application Data\Uniblue
2010-01-30 16:18 . 2010-02-12 19:17 -------- dc----w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-01-21 11:47 . 2010-01-21 13:35 -------- d-----w- c:\program files\Defcon
2010-01-19 15:48 . 2010-01-19 15:57 129495341 ----a-w- c:\documents and settings\William\aptmp.exe
2010-01-19 15:20 . 2010-01-19 15:20 5430 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\DesktopShortcut1.exe
2010-01-19 15:20 . 2010-01-19 15:20 49152 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\ProgramMenuShortcut6.exe
2010-01-19 15:20 . 2010-01-19 15:20 45056 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\ProgramMenuShortcut8.exe
2010-01-19 15:20 . 2010-01-19 15:20 45056 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\NewShortcut1_1.exe
2010-01-19 15:20 . 2010-01-19 15:20 45056 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\NewShortcut1.exe
2010-01-19 15:20 . 2010-01-19 15:20 45056 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{83437081-8186-4F63-BD39-4BE8A691E055}\ARPPRODUCTICON.exe
2010-01-19 15:12 . 2010-01-19 15:12 -------- d-----w- c:\program files\Illusion Softworks
2010-01-18 11:40 . 1999-11-10 11:05 86016 ----a-w- c:\windows\unvise32qt.exe
2010-01-18 11:34 . 2010-01-18 11:34 -------- d-----w- c:\program files\SSI
2010-01-18 11:34 . 2001-10-17 17:43 507904 ------w- c:\windows\Silent Hunter II remove.exe
2010-01-18 11:34 . 2000-12-15 21:58 44544 ----a-r- c:\windows\dsetup.dll
2010-01-18 11:34 . 2000-12-15 15:46 1772544 ----a-r- c:\windows\dsetup32.dll
2010-01-18 10:30 . 2010-01-18 10:30 -------- d-----w- c:\documents and settings\William\Application Data\TrojanHunter
2010-01-18 09:55 . 2010-02-14 00:18 -------- d-----w- c:\program files\TrojanHunter 5.2
2010-01-17 00:21 . 2006-07-01 22:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-01-17 00:21 . 2010-01-17 00:21 -------- d-----w- c:\program files\AMD
2010-01-16 23:40 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-16 23:40 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-16 23:40 . 2001-08-17 14:02 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-01-16 23:40 . 2001-08-17 14:02 2688 ----a-w- c:\windows\system32\drivers\HIDSwvd.sys
2010-01-16 23:40 . 2008-04-13 19:45 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-01-16 23:40 . 2008-04-13 19:45 59136 ----a-w- c:\windows\system32\drivers\GcKernel.sys
2010-01-16 23:40 . 2001-08-17 22:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-01-16 23:40 . 2001-08-17 22:36 10240 ----a-w- c:\windows\system32\swpdflt2.dll
2010-01-16 23:40 . 2001-08-17 14:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-01-16 23:40 . 2001-08-17 14:02 3968 ----a-w- c:\windows\system32\drivers\SWUSBFLT.SYS
2010-01-16 23:16 . 2010-01-16 23:16 -------- d-----w- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 18:42 . 2009-11-23 00:18 -------- d-----w- c:\program files\a-squared Free
2010-02-15 17:00 . 2008-12-10 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-15 16:36 . 2010-02-15 16:36 714752 ----a-w- c:\windows\isRS-000.tmp
2010-02-12 19:43 . 2008-12-08 19:33 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-12 19:43 . 2008-12-08 19:33 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-12 19:17 . 2010-01-15 10:53 -------- d-----w- c:\program files\Steam
2010-02-12 19:15 . 2008-12-08 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 19:13 . 2008-12-08 19:54 -------- d-----w- c:\program files\Alwil Software
2010-02-12 15:47 . 2010-01-09 11:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-09 15:39 . 2009-04-20 10:56 -------- d-----w- c:\documents and settings\William\Application Data\Lasersoft Imaging
2010-01-28 16:08 . 2008-12-08 19:33 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-28 16:08 . 2008-12-08 19:33 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-28 14:20 . 2009-09-01 20:46 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-01-18 12:30 . 2009-01-08 17:25 -------- d-----w- c:\program files\QuickTime
2010-01-15 19:01 . 2008-12-08 21:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 00:31 . 2010-01-08 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\78672737
2010-01-09 13:01 . 2009-04-04 17:12 -------- d-----w- c:\program files\Yahoo!
2010-01-09 12:58 . 2008-12-30 16:25 -------- d-----w- c:\program files\Siber Systems
2010-01-09 12:58 . 2008-12-30 16:25 -------- d-----w- c:\documents and settings\William\Application Data\GoodSync
2010-01-08 13:10 . 2010-01-08 13:10 415 ----a-w- c:\documents and settings\All Users\Application Data\78672737\78672737.bat
2010-01-08 10:26 . 2010-01-08 10:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-31 16:50 . 2003-07-16 16:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 11:13 . 2009-12-30 11:13 -------- d-----w- c:\program files\HD Tune
2009-12-30 11:12 . 2009-12-30 11:00 -------- d-----w- c:\program files\HD Tune Pro
2009-12-30 11:00 . 2009-12-30 11:00 -------- d-----w- c:\documents and settings\William\Application Data\HD Tune Pro
2009-12-28 22:20 . 2009-12-28 22:20 -------- d-----w- c:\program files\Ashampoo
2009-12-28 11:13 . 2008-12-08 16:46 55616 ----a-w- c:\documents and settings\William\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 12:08 . 2009-12-27 11:08 -------- d-----w- c:\documents and settings\William\Application Data\Ulead Systems
2009-12-27 11:07 . 2009-12-27 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-12-27 11:03 . 2009-12-27 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-12-27 11:03 . 2009-12-27 11:03 -------- d-----w- c:\program files\Windows Media Components
2009-12-27 11:01 . 2009-12-27 11:01 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-12-27 11:01 . 2009-12-27 11:01 -------- d-----w- c:\program files\Ulead Systems
2009-12-27 11:01 . 2008-12-08 20:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-24 20:46 . 2009-12-24 20:46 -------- d-----w- c:\program files\Codemasters
2009-12-21 19:14 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-12-08 16:20 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-07-16 16:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 10:01 . 2009-12-10 10:01 43646 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_F4B1F5D95883DF032043AB.exe
2009-12-10 10:01 . 2009-12-10 10:01 43646 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_D707CE1C009F1381803C2C.exe
2009-12-10 10:01 . 2009-12-10 10:01 43646 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_60F6DE46B7963C9F49DE91.exe
2009-12-10 10:01 . 2009-12-10 10:01 43646 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_21F3885A18D238E15AAE81.exe
2009-12-10 10:01 . 2009-12-10 10:01 29926 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_68330598A56E6C9A3EC6DC.exe
2009-12-10 10:01 . 2009-12-10 10:01 109534 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{EB85CC54-5E9A-4D33-B319-593B82291ABC}\_6FEFF9B68218417F98F549.exe
2009-12-04 18:22 . 2003-07-16 16:29 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2003-07-16 16:36 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2003-07-16 16:31 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-07-16 16:31 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2003-07-16 16:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-25 11:06 . 2009-11-25 11:06 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-25 11:06 . 2008-12-08 21:52 38208 ----a-w- c:\documents and settings\William\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-24 23:54 . 2008-12-08 19:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-08 19:54 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-08 19:54 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-08 19:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-08 19:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-08 19:55 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-08 19:55 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-08 19:55 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-08 19:55 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2003-07-16 16:17 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"THGuard"="c:\program files\TrojanHunter 5.2\THGuard.exe" [2009-11-26 1069728]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-28 1800464]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Codemasters\\OF Dragon Rising\\OFDR.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [20/05/2008 08:32 15328]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05/07/2006 12:46 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [08/12/2008 19:55 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [08/12/2008 19:33 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [08/12/2008 19:33 25160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [08/12/2008 19:55 20560]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [16/01/2010 23:40 3968]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [15/02/2010 16:36 406016]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\William\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\William\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/03/2009 15:57 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/03/2009 15:57 8320]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [12/11/2009 16:41 32736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [28/03/2009 10:27 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [28/03/2009 10:27 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [28/03/2009 10:27 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [28/03/2009 10:27 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [28/03/2009 10:27 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [28/03/2009 10:27 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [28/03/2009 10:27 117672]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [16/03/2009 19:17 11520]
S4 a2AntiMalware;a-squared Anti-Malware Service;"c:\program files\a-squared Anti-Malware\a2service.exe" --> c:\program files\a-squared Anti-Malware\a2service.exe [?]
S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [12/11/2009 13:50 220128]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DFSDKS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\j2y7yafp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-02-15 18:50
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8AAE38C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba12cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f14b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1500820517-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-329068152-1500820517-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:bb,24,e7,0a,26,02,f1,f1,8e,02,4c,a1,cb,e6,54,11,0b,a8,4d,dd,c8,
cc,c2,54,9a,25,e2,78,0a,dd,06,35,24,79,73,ea,0e,79,01,d0,6d,35,e8,ae,77,48,\
"rkeysecu"=hex:d9,31,8d,3f,08,81,50,23,16,69,9d,6a,f6,e4,17,7a

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1636)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-15 18:52:32
ComboFix-quarantined-files.txt 2010-02-15 18:52

Pre-Run: 46,103,822,336 bytes free
Post-Run: 46,085,394,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

- - End Of File - - E1B8B70F00A33DDDD58B89C43BCF87D1
willynilly is offline  
Old 02-15-2010, 12:16 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, willynilly. We'll address your antivirus situation shortly.

Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.

Double-click TDSSKiller.exe and follow the prompts to run it.

When finished, it will prompt you to 'Close all programs and choose Y to restart or N to continue'.

Please type Y to restart your computer.

It will produce a log here > C:\TDSSKiller.2.2.3_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------

Reboot your computer once more. This is important in finalizing the fix.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
mbr.exe -t 
start mbr.log
del %0
Save this as fix.bat, choosing Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on fix.bat and allow it to run. A Notepad file will open. Post the contents in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-15-2010, 12:27 PM   #9
Guest
 
Join Date: Sep 2008
Posts: 25
OS:



Hi chemist

I am trying to download TDSSKiller.zip but all I keep getting is 504 Gateway Time-out.
Any suggestions please?
willynilly is offline  
Old 02-15-2010, 12:39 PM   #10 (chemist)

I'm not having any problem downloading it. I've attached it.
Attached Files: tdsskiller.zip (149.1 KB)
chemist is offline  
Old 02-15-2010, 12:51 PM   #11 (willynilly)

Sorry to be a pain. I have run TDSSKiller and pressed y. The comp restarted but I am not sure how to find the file. doh
willynilly is offline  
Old 02-15-2010, 01:04 PM   #12 (chemist)

It will produce a log here > C:\TDSSKiller.2.2.3_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

My Computer > (C:) > TDSSKiller.2.2.3_date_time_log.txt
chemist is offline  
Old 02-15-2010, 01:12 PM   #13 (willynilly)

TDSSKiller =

19:42:42:234 3116 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
19:42:42:234 3116 ================================================================================
19:42:42:234 3116 SystemInfo:

19:42:42:234 3116 OS Version: 5.1.2600 ServicePack: 3.0
19:42:42:234 3116 Product type: Workstation
19:42:42:234 3116 ComputerName: HOME-DESKTOP
19:42:42:234 3116 UserName: William
19:42:42:234 3116 Windows directory: C:\WINDOWS
19:42:42:234 3116 Processor architecture: Intel x86
19:42:42:234 3116 Number of processors: 2
19:42:42:234 3116 Page size: 0x1000
19:42:42:234 3116 Boot type: Normal boot
19:42:42:234 3116 ================================================================================
19:42:42:234 3116 UnloadDriverW: NtUnloadDriver error 2
19:42:42:234 3116 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:42:42:234 3116 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:42:42:250 3116 UtilityInit: KLMD drop and load success
19:42:42:250 3116 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
19:42:42:250 3116 UtilityInit: KLMD open success
19:42:42:250 3116 UtilityInit: Initialize success
19:42:42:250 3116
19:42:42:250 3116 Scanning Services ...
19:42:42:250 3116 CreateRegParser: Registry parser init started
19:42:42:250 3116 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
19:42:42:250 3116 CreateRegParser: DisableWow64Redirection error
19:42:42:250 3116 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:42:42:250 3116 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
19:42:42:250 3116 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:42:42:250 3116 wfopen_ex: Trying to KLMD file open
19:42:42:250 3116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
19:42:42:250 3116 wfopen_ex: File opened ok (Flags 2)
19:42:42:250 3116 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3B48A0
19:42:42:250 3116 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:42:42:250 3116 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
19:42:42:250 3116 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:42:42:250 3116 wfopen_ex: Trying to KLMD file open
19:42:42:250 3116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
19:42:42:250 3116 wfopen_ex: File opened ok (Flags 2)
19:42:42:250 3116 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3B4948
19:42:42:250 3116 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
19:42:42:250 3116 CreateRegParser: EnableWow64Redirection error
19:42:42:250 3116 CreateRegParser: RegParser init completed
19:42:42:593 3116 GetAdvancedServicesInfo: Raw services enum returned 391 services
19:42:42:625 3116 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:42:42:625 3116 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:42:42:625 3116
19:42:42:625 3116 Scanning Kernel memory ...
19:42:42:625 3116 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:42:42:625 3116 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AACC988
19:42:42:625 3116 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
19:42:42:625 3116
19:42:42:625 3116 DetectCureTDL3: DEVICE_OBJECT: 8AB5EC68
19:42:42:625 3116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB5EC68
19:42:42:625 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AB5EC68[0x38]
19:42:42:625 3116 DetectCureTDL3: DRIVER_OBJECT: 8AACC988
19:42:42:625 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AACC988[0xA8]
19:42:42:625 3116 KLMD_ReadMem: Trying to ReadMemory 0xE1C8C118[0x18]
19:42:42:625 3116 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:42:42:625 3116 DetectCureTDL3: IrpHandler (0) addr: BA12EBB0
19:42:42:625 3116 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (2) addr: BA12EBB0
19:42:42:625 3116 DetectCureTDL3: IrpHandler (3) addr: BA128D1F
19:42:42:625 3116 DetectCureTDL3: IrpHandler (4) addr: BA128D1F
19:42:42:625 3116 DetectCureTDL3: IrpHandler (5) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (6) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (7) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (8) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (9) addr: BA1292E2
19:42:42:625 3116 DetectCureTDL3: IrpHandler (10) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (11) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (12) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (13) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (14) addr: BA1293BB
19:42:42:625 3116 DetectCureTDL3: IrpHandler (15) addr: BA12CF28
19:42:42:625 3116 DetectCureTDL3: IrpHandler (16) addr: BA1292E2
19:42:42:625 3116 DetectCureTDL3: IrpHandler (17) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (18) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (19) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (20) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (21) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (22) addr: BA12AC82
19:42:42:625 3116 DetectCureTDL3: IrpHandler (23) addr: BA12F99E
19:42:42:625 3116 DetectCureTDL3: IrpHandler (24) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (25) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (26) addr: 804F4562
19:42:42:625 3116 TDL3_FileDetect: Processing driver: Disk
19:42:42:625 3116 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:42:42:625 3116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:42:42:640 3116 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:42:42:640 3116
19:42:42:640 3116 DetectCureTDL3: DEVICE_OBJECT: 8AAC0AB8
19:42:42:640 3116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAC0AB8
19:42:42:640 3116 DetectCureTDL3: DEVICE_OBJECT: 8AAEAF18
19:42:42:640 3116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAEAF18
19:42:42:640 3116 DetectCureTDL3: DEVICE_OBJECT: 8AAD4D98
19:42:42:640 3116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAD4D98
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AAD4D98[0x38]
19:42:42:640 3116 DetectCureTDL3: DRIVER_OBJECT: 8AB416A0
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AB416A0[0xA8]
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0xE10188A8[0x1A]
19:42:42:640 3116 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:42:42:640 3116 DetectCureTDL3: IrpHandler (0) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (1) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (2) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (3) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (4) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (5) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (6) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (7) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (8) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (9) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (10) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (11) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (12) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (13) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (14) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (15) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (16) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (17) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (18) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (19) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (20) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (21) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (22) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (23) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (24) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (25) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (26) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: All IRP handlers pointed to one addr: B9F14B3A
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0xB9F14B3A[0x400]
19:42:42:640 3116 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AAC30B4[0x4]
19:42:42:640 3116 TDL3_IrpHookDetect: New IrpHandler addr: 8AAE38C8
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0x8AAE38C8[0x400]
19:42:42:640 3116 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
19:42:42:640 3116 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:42:42:640 3116 KLMD_WriteMem: Trying to WriteMemory 0x8AAE394E[0xD]
19:42:42:640 3116 cured
19:42:42:640 3116 KLMD_ReadMem: Trying to ReadMemory 0xB9F12864[0x400]
19:42:42:640 3116 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:42:42:640 3116 TDL3_FileDetect: Processing driver: atapi
19:42:42:640 3116 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:42:42:640 3116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
19:42:42:656 3116 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
19:42:42:656 3116 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 19:42:42:656 3116 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:42:42:656 3116 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
19:42:42:656 3116 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
19:42:42:687 3116 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
19:42:42:703 3116 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
19:42:42:718 3116 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
19:42:42:750 3116 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
19:42:42:765 3116 CabinetCallback: File extracted successfully: C:\DOCUME~1\William\LOCALS~1\Temp\bckB3.tmp
19:42:42:765 3116 ValidateDriverFile: Stage 1 passed
19:42:42:765 3116 ValidateDriverFile: Stage 2 passed
19:42:42:796 3116 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
19:42:43:031 3116 DigitalSignVerifyByHandle: Cat DS result: 00000000
19:42:43:031 3116 ValidateDriverFile: Stage 3 passed
19:42:43:031 3116 CabinetCallback: File validated successfully, restore information prepared
19:42:43:031 3116 FindDriverFileBackup: Backup copy found in cab-file
19:42:43:031 3116 TDL3_FileCure: Backup copy found, using it..
19:42:43:031 3116 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskB4.tmp
19:42:43:078 3116 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskB4.tmp, system32\drivers\atapi.sys)
19:42:43:078 3116 TDL3_FileCure: KLMD jobs schedule success
19:42:43:078 3116 will be cured on next reboot
19:42:43:078 3116 UtilityBootReinit: Reboot required for cure complete..
19:42:43:078 3116 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
19:42:43:078 3116 UtilityBootReinit: KLMD drop success
19:42:43:078 3116 KLMD_ApplyPendList: Pending buffer(272B_3FF6, 608) dropped successfully
19:42:43:078 3116 UtilityBootReinit: Cure on reboot scheduled successfully
19:42:43:078 3116
19:42:43:078 3116 Completed
19:42:43:078 3116
19:42:43:078 3116 Results:
19:42:43:078 3116 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
19:42:43:078 3116 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:42:43:078 3116 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:42:43:078 3116
19:42:43:078 3116 UnloadDriverW: NtUnloadDriver error 1
19:42:43:078 3116 KLMD_Unload: UnloadDriverW(klmd21) error 1
19:42:43:093 3116 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:42:43:093 3116 UtilityDeinit: KLMD(ARK) unloaded successfully
willynilly is offline  
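The TDSSKiller log above shows the detection heuristic at work: every IRP handler of the atapi driver object resolves to one address (B9F14B3A), whereas the clean disk driver's handlers differ, and only then does the tool check that address for the TDL3 stub signature. As an added example, not TDSSKiller's own code and not anything posted in this thread, here is a small Python parser that applies the same single-dispatch check to log lines in that format and collects the file verdicts and the Results summary. The line format is modelled on the posted log; SAMPLE_LOG is a constructed excerpt (three handlers per driver instead of the full 27), and the function names are my own.

```python
"""Parse TDSSKiller-style log lines and apply the single-dispatch heuristic
that the tool reports as "All IRP handlers pointed to one addr".

Added example, not TDSSKiller's own code. The line format is modelled on the
log posted in this thread; SAMPLE_LOG below is a constructed excerpt.
"""
import re
from collections import defaultdict

# Every line starts with a timestamp and a PID, e.g. "19:42:42:640 3116 ".
PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
RE_DRIVER = re.compile(PREFIX + r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
RE_IRP = re.compile(PREFIX + r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
RE_VERDICT = re.compile(PREFIX + r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RE_RESULT = re.compile(PREFIX + r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
                       r"(\d+) / (\d+) / (\d+)")


def parse_log(lines):
    """Return (handlers, verdicts, results).

    handlers: driver name -> {IRP major function index: handler address}
    verdicts: driver file path -> "Clean" / "Infected"
    results:  "Memory" / "Registry" / "File" -> (infected, cured, cured_on_reboot)
    """
    handlers = defaultdict(dict)
    verdicts = {}
    results = {}
    current = None  # driver whose dispatch table is currently being listed
    for line in lines:
        m = RE_DRIVER.match(line)
        if m:
            current = m.group(2)
            continue
        m = RE_IRP.match(line)
        if m and current is not None:
            handlers[current][int(m.group(1))] = m.group(2).upper()
            continue
        m = RE_VERDICT.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
            continue
        m = RE_RESULT.match(line)
        if m:
            results[m.group(1)] = tuple(int(n) for n in m.group(2, 3, 4))
    return dict(handlers), verdicts, results


def shared_address(handlers, driver):
    """The one address every IRP handler of `driver` points to, else None.

    A single shared dispatch address is what makes TDSSKiller look closer
    (it then checks that address for the TDL3 stub signature). On its own it
    is a trigger for inspection, not proof: a legitimate driver may route
    every IRP through one dispatch routine.
    """
    table = handlers.get(driver, {})
    addresses = set(table.values())
    if len(table) > 1 and len(addresses) == 1:
        return addresses.pop()
    return None


def single_dispatch_drivers(handlers):
    """Drivers flagged by the shared-address heuristic, sorted by name."""
    return sorted(d for d in handlers if shared_address(handlers, d) is not None)


def summarize(lines):
    """Condense a log into the three things a responder wants to know."""
    handlers, verdicts, results = parse_log(lines)
    return {
        "flagged_drivers": single_dispatch_drivers(handlers),
        "infected_files": sorted(p for p, v in verdicts.items() if v == "Infected"),
        # A non-zero "cured on reboot" count means the fix is not complete
        # until the machine has been restarted.
        "reboot_pending": any(r[2] > 0 for r in results.values()),
    }


# Constructed excerpt in the posted log's format (three handlers per driver
# instead of the full 27); not the real log.
SAMPLE_LOG = """\
19:42:42:625 3116 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
19:42:42:625 3116 DetectCureTDL3: IrpHandler (0) addr: BA12EBB0
19:42:42:625 3116 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:42:42:625 3116 DetectCureTDL3: IrpHandler (2) addr: BA12EBB0
19:42:42:640 3116 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
19:42:42:640 3116 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
19:42:42:640 3116 DetectCureTDL3: IrpHandler (0) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (1) addr: B9F14B3A
19:42:42:640 3116 DetectCureTDL3: IrpHandler (2) addr: B9F14B3A
19:42:42:656 3116 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected
19:42:43:078 3116 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
19:42:43:078 3116 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:42:43:078 3116 File objects infected / cured / cured on reboot: 1 / 0 / 1
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Two points worth noting from the output. The flagged driver and the address it reports are the same ones that the earlier catchme/MBR scan in this thread showed as `>>UNKNOWN [0x8AAE38C8]<<` in the called-modules chain, so two independent tools agreeing on the hooked driver is a stronger signal than either alone. And the "cured on reboot" count being non-zero is exactly why the log says "will be cured on next reboot": the on-disk atapi.sys is replaced by a validated copy from the driver cache only during the restart, which is why the reboot step in the instructions is not optional.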
Old 02-15-2010, 01:12 PM   #14 (willynilly)

Sorry. Notepad details to follow.
willynilly is offline  
Old 02-15-2010, 01:20 PM   #15 (willynilly)

Herewith notepad.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
willynilly is offline  
Old 02-15-2010, 01:45 PM   #16 (chemist)

Have the redirects stopped now?

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
chemist is offline  
Old 02-15-2010, 01:54 PM   #17 (willynilly)

Hooray. The redirects seem to have gone. Herewith the requested file.

Act of War - Direct Action
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.3
Adobe Shockwave Player 11
AMD Processor Driver
Apple Software Update
ArmA 2 Uninstall
ArmA Uninstall
Ashampoo WinOptimizer 6.60
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avanquest update
Battlefield 1942
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield Vietnam(TM)
Battlefield Vietnam: WW2 Mod
BattlEye Uninstall
Belarc Advisor 7.2
Blitzkrieg 2
BlueSoleil
C-Media 6501 Sound
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
CapMan
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCenter
CCleaner
COMODO Internet Security
Company of Heroes
Critical Update for Windows Media Player 11 (KB959772)
Defcon Patch 1.43
Easy-WebPrint
Euro Truck Simulator
Far Cry 2
GTA San Andreas
HD Tune 2.55
Hidden & Dangerous 2
Hidden & Dangerous 2 Patch
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Java Auto Updater
Java(TM) 6 Update 18
Macrium Reflect - Free Edition
Medal of Honor Pacific Assault(tm)
Men of War (Remove Only)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Combat Flight Simulator 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Motorola Phone Tools
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Premium
Nikon Scan
NVIDIA Drivers
NVIDIA PhysX v8.04.25
OF Dragon Rising
OLYMPUS CAMEDIA Master 4.2
OpenAL
Opera 10.10
PC Suite
PCI Audio Driver
PunkBuster for Battlefield Vietnam
PunkBuster Services
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Silent Hunter II
SilverFast NikonSF-SE 6.6.0r5
Skins
Sniper: Art of Victory
Sony Ericsson MMS Home Studio
Sony Ericsson Mobile Networking Wizard
Sony Ericsson Mobile Phone Monitor
Sony Ericsson OCS
Sony Ericsson PC Suite 4.010.00
Sony Ericsson Sound Editor
Sony Ericsson Sync Station
Spybot - Search & Destroy
SRWare Iron 3.0.197.0
Steam
Tom Clancy's Rainbow Six Vegas 2
TrojanHunter 5.2
Ulead VideoStudio SE DVD
Unlocker 1.8.7
Update 1.11.3.0 for "Men of War"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VueScan
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2009
willynilly is offline  
Old 02-15-2010, 02:02 PM   #18 (chemist)

Hello again, willynilly. Did you successfully uninstall avast?

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
dir /a /s "c:\documents and settings\All Users\Application Data\78672737" > log.txt
notepad log.txt
del peek.bat
Save this as peek.bat, choosing Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------
chemist is offline  
Old 02-15-2010, 02:13 PM   #19 (willynilly)

Hi chemist

Can't do a thing with Avast. It is still in the system tray with the red circle in it. It won't open or update. There is no sign of it in add/remove programs.

Volume in drive C has no label.
Volume Serial Number is ECB4-5985

Directory of c:\documents and settings\All Users\Application Data\78672737

15/01/2010 00:31 <DIR> .
15/01/2010 00:31 <DIR> ..
08/01/2010 13:10 415 78672737.bat
1 File(s) 415 bytes

Total Files Listed:
1 File(s) 415 bytes
2 Dir(s) 46,077,505,536 bytes free
willynilly is offline  
Old 02-15-2010, 02:14 PM   #20 (chemist)

Hello again, willynilly. Please run DDS again and post the first log, DDS.txt, in your next reply.

------------------------------------------------------
chemist is offline  
 
