
Malwarebytes

rootkit.tdss malware problem


6 replies to this topic

#1
tekmaster

    New Member

  • Members
  • 13 posts
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:23 PM, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\UltraMon\UltraMon.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\AIM6\aim6.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [itype] "D:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\JB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229315438812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229315425578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - D:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - D:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10041 bytes

RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 22:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA660000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: D:\WINDOWS\System32\drivers\afd.sys
Address: 0xAE6D3000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AFS2K.SYS
Image Path: D:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xB9EB1000 Size: 35840 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: D:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xB8E8C000 Size: 2297664 File Visible: - Signed: -
Status: -

Name: ASACPI.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xBADF2000 Size: 5152 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA5F2000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: D:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA9000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: D:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAE82000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: D:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xACF14000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: D:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xAD18F000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: D:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xAE736000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: D:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBADBA000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: D:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: D:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xAD0C1000 Size: 63744 File Visible: - Signed: -
Status: -

Name: Cdr4_xp.SYS
Image Path: D:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Address: 0xB19C5000 Size: 2432 File Visible: - Signed: -
Status: -

Name: Cdralw2k.SYS
Image Path: D:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xB19C4000 Size: 2560 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: D:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB9EA1000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA8E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA8D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: D:\WINDOWS\System32\DLA\DLABOIOM.SYS
Address: 0xA7E52000 Size: 25664 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: D:\WINDOWS\System32\Drivers\DLACDBHM.SYS
Address: 0xBADEE000 Size: 5600 File Visible: - Signed: -
Status: -

Name: DLADResN.SYS
Image Path: D:\WINDOWS\System32\DLA\DLADResN.SYS
Address: 0xBAF69000 Size: 2432 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: D:\WINDOWS\System32\DLA\DLAIFS_M.SYS
Address: 0xA730D000 Size: 86784 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: D:\WINDOWS\System32\DLA\DLAOPIOM.SYS
Address: 0xB932C000 Size: 14656 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: D:\WINDOWS\System32\DLA\DLAPoolM.SYS
Address: 0xBADB2000 Size: 6304 File Visible: - Signed: -
Status: -

Name: DLARTL_N.SYS
Image Path: D:\WINDOWS\System32\Drivers\DLARTL_N.SYS
Address: 0xB30A4000 Size: 22624 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: D:\WINDOWS\System32\DLA\DLAUDF_M.SYS
Address: 0xA72DF000 Size: 88416 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: D:\WINDOWS\System32\DLA\DLAUDFAM.SYS
Address: 0xA72F5000 Size: 94400 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xBA60A000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xBADAC000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: D:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAAB8000 Size: 61440 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: DRVMCDB.SYS
Address: 0xBA593000 Size: 87104 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: D:\WINDOWS\System32\Drivers\DRVNDDM.SYS
Address: 0xB6F09000 Size: 38304 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xA7E01000 Size: 94208 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE50000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: D:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xAE66F000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: D:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: D:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xA7FDC000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: D:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xB2BE4000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xBA5BB000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: D:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBADB8000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA630000 Size: 125056 File Visible: - Signed: -
Status: -

Name: gameenum.sys
Image Path: D:\WINDOWS\system32\DRIVERS\gameenum.sys
Address: 0xBAD5C000 Size: 10624 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: D:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xB2BC4000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xB309C000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: D:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB1C20000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HPZid412.sys
Image Path: D:\WINDOWS\system32\DRIVERS\HPZid412.sys
Address: 0xAD570000 Size: 50816 File Visible: - Signed: -
Status: -

Name: HPZipr12.sys
Image Path: D:\WINDOWS\system32\DRIVERS\HPZipr12.sys
Address: 0xAD65B000 Size: 16224 File Visible: - Signed: -
Status: -

Name: HPZius12.sys
Image Path: D:\WINDOWS\system32\DRIVERS\HPZius12.sys
Address: 0xB254A000 Size: 21472 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: D:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA65FA000 Size: 264832 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: D:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB9EC1000 Size: 42112 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAE5C9000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAE7A8000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: D:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAC28000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: D:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xAD7CD000 Size: 14592 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: D:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: D:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA5819000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: D:\WINDOWS\system32\drivers\ks.sys
Address: 0xB8E45000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA57C000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: D:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBADBC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: D:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAC30000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: D:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB1C1C000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: D:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAE5EF000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: D:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xB308C000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: D:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB9E41000 Size: 35072 File Visible: - Signed: -
Status: -

Name: msmpu401.sys
Image Path: D:\WINDOWS\system32\drivers\msmpu401.sys
Address: 0xBAE81000 Size: 2944 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: D:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBAD7C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA4A8000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xBA4C2000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBAD60000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xBAD90000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB8752000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: D:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB3AC2000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: D:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xB2BF4000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: D:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAE6F5000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: D:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xB3084000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA4EF000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: D:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: D:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB19C3000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: D:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6111232 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: D:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB8791000 Size: 6557408 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xBA5DB000 Size: 92800 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: D:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB2C14000 Size: 33536 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: D:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xBAD54000 Size: 12928 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB8E05000 Size: 262144 File Visible: - Signed: -
Status: -

Name: NVSNPU.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xB8DD2000 Size: 208896 File Visible: - Signed: -
Status: -

Name: NVTcp.sys
Image Path: D:\WINDOWS\System32\DRIVERS\NVTcp.sys
Address: 0xAE71D000 Size: 100096 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: D:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB8769000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: D:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xAD018000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA64F000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCI_PNP6808
Image Path: \Driver\PCI_PNP6808
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcouffin.sys
Image Path: D:\WINDOWS\System32\Drivers\pcouffin.sys
Address: 0xB9E31000 Size: 47360 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: D:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB8E68000 Size: 147456 File Visible: - Signed: -
Status: -

Name: processr.sys
Image Path: D:\WINDOWS\system32\DRIVERS\processr.sys
Address: 0xBAAA8000 Size: 35840 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: D:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB8741000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: D:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAC18000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA8F8000 Size: 37376 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: D:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB1C50000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: D:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB9E71000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: D:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB9E61000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: D:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB9E51000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: D:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAC20000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: D:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAE687000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: D:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBADBE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: D:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB8711000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: D:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB9E91000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6412000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xB307C000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xAE6B2000 Size: 135168 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: D:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xBA68E000 Size: 98304 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: D:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBAD58000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: D:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB9E81000 Size: 64512 File Visible: - Signed: -
Status: -

Name: spob.sys
Image Path: spob.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA5A9000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: D:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA6FD0000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: D:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADF4000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: D:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB6F39000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: D:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAE74F000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAC10000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: D:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB9171000 Size: 40704 File Visible: - Signed: -
Status: -

Name: UltraMonUtility.sys
Image Path: D:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
Address: 0xA6A0B000 Size: 10496 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: D:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB86B3000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xB255A000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBADF6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAC08000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB9161000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBAC00000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB90BD000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbprint.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xB2552000 Size: 25856 File Visible: - Signed: -
Status: -

Name: usbscan.sys
Image Path: D:\WINDOWS\system32\DRIVERS\usbscan.sys
Address: 0xB1C18000 Size: 15104 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: D:\WINDOWS\System32\drivers\vga.sys
Address: 0xB3094000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: D:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB877D000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: D:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xB2BD4000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: D:\WINDOWS\System32\watchdog.sys
Address: 0xA853A000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: D:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7252000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: D:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: D:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: D:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xB1C40000 Size: 12032 File Visible: - Signed: -
Status: -

Malwarebytes
Malwarebytes' Anti-Malware 1.40
Database version: 2741
Windows 5.1.2600 Service Pack 3

9/4/2009 10:30:55 PM
mbam-log-2009-09-04 (22-30-55).txt

Scan type: Quick Scan
Objects scanned: 102514
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmovddsqli (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I've tried getting this removed many times, but every time I reboot and re-scan with Malwarebytes it's still there.
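The RootRepeal and Malwarebytes logs above are the kind of output a helper triages by hand: a registry service key that Malwarebytes deletes but that returns after every reboot, alongside a driver listing in which some drivers have no visible file on disk. The script below is an added example, not code from this post, from RootRepeal or from Malwarebytes. It parses the two plain-text formats exactly as they appear in this thread (constructed excerpts are embedded inline), lists drivers reported as "File Visible: No" that are not explained by the scanner's own driver or by crash-dump copies, and pulls the service names out of Malwarebytes registry detections so they can be compared against the driver list. The exclusion list and the ordering heuristic are my assumptions, not rules from either tool.

```python
"""Triage helpers for RootRepeal driver listings and Malwarebytes logs.

Added example; assumes the plain-text formats shown in the thread:
  RootRepeal: blocks of "Name:", "Image Path:", "Address: ... Size: ...
              File Visible: ... Signed: ..." and "Status:" lines.
  Malwarebytes: "<registry key> (<family>) -> <action>" lines under the
              "Registry Keys Infected:" heading.
"""
import re

# Constructed excerpt in the RootRepeal "Drivers" format used in this thread.
ROOTREPEAL_SAMPLE = """\
Drivers
-------------------
Name: afd.sys
Image Path: D:\\WINDOWS\\System32\\drivers\\afd.sys
Address: 0xAE6D3000 Size: 138496 File Visible: - Signed: -
Status: -

Name: spob.sys
Image Path: spob.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \\Driver\\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA6412000 Size: 49152 File Visible: No Signed: -
Status: -
"""

# Constructed excerpt in the Malwarebytes log format used in this thread.
MBAM_SAMPLE = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\kbiwkmovddsqli (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)
"""

# One RootRepeal driver block: four lines, fixed field order.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)"
)

# One Malwarebytes detection line; the "(No malicious items detected)"
# placeholder has no " -> " and therefore never matches.
MBAM_RE = re.compile(
    r"^(?P<item>\S.*?) \((?P<family>[^)]+)\) -> (?P<action>.+)$", re.M
)

# Hidden-file entries that are expected (assumption): the scanner hides its
# own driver, and dump_* entries are the kernel's crash-dump driver copies.
EXPECTED_HIDDEN = {"rootrepeal.sys"}


def parse_rootrepeal_drivers(text):
    """Return one dict per driver block, with numeric address and size."""
    drivers = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        d["addr"] = int(d["addr"], 16)
        d["size"] = int(d["size"])
        drivers.append(d)
    return drivers


def suspicious_drivers(drivers):
    """Hidden-file drivers not on the expected list, loaded ones first.

    A driver that is loaded (non-zero address) but whose file is not
    visible is what a kernel-mode rootkit looks like in this listing, and
    is the first thing to explain when a deleted service key keeps coming
    back after a reboot.
    """
    flagged = []
    for d in drivers:
        name = d["name"].lower()
        if d["visible"] != "No":
            continue
        if name in EXPECTED_HIDDEN or name.startswith("dump_"):
            continue
        flagged.append(d)
    return sorted(flagged, key=lambda d: d["addr"] == 0)


def parse_mbam_detections(text):
    """Return one dict (item, family, action) per detection line."""
    return [m.groupdict() for m in MBAM_RE.finditer(text)]


def service_names(detections):
    """Service names from detections under ...\\Services\\<name>."""
    names = []
    for d in detections:
        parts = d["item"].split("\\")
        if "Services" in parts and parts.index("Services") + 1 < len(parts):
            names.append(parts[parts.index("Services") + 1])
    return names


if __name__ == "__main__":
    drivers = parse_rootrepeal_drivers(ROOTREPEAL_SAMPLE)
    for d in suspicious_drivers(drivers):
        state = "loaded" if d["addr"] else "not loaded"
        print(f"hidden driver: {d['name']} ({d['path']}, {state})")
    for name in service_names(parse_mbam_detections(MBAM_SAMPLE)):
        print(f"service key flagged by Malwarebytes: {name}")
```

Running it on the excerpts prints spob.sys (loaded, hidden file) and sptd ahead of anything else, and the flagged service name kbiwkmovddsqli; comparing that name against the driver listing shows it has no entry at all, which is consistent with the key being recreated by something the driver scan cannot see rather than with a missed file on disk.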

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
tekmaster

    New Member

  • Members
  • Pip
  • 13 posts
ComboFix 09-09-04.02 - JB 09/05/2009 2:34.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1552 [GMT -7:00]
Running from: d:\documents and settings\JB\Desktop\Anti Spyware Programs\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\cleanup.exe
d:\documents and settings\JB\Application Data\inst.exe
d:\windows\system32\chvvqafa.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmovddsqli
-------\Legacy_TDSSSERV.SYS
-------\Service_kbiwkmovddsqli
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-05 08:07 . 2009-09-05 08:07 -------- d--h--w- d:\windows\system32\GroupPolicy
2009-09-04 17:59 . 2009-09-04 17:59 0 ----a-w- D:\backup.reg
2009-09-04 17:59 . 2009-09-04 17:59 574 ----a-w- D:\cleanup.bat
2009-09-04 17:59 . 2009-09-04 17:59 135168 ----a-w- D:\zip.exe
2009-09-04 13:03 . 2009-09-04 15:44 11952 ----a-w- d:\windows\system32\avgrsstx.dll
2009-09-04 13:03 . 2009-09-04 15:43 108552 ----a-w- d:\windows\system32\drivers\avgtdix.sys
2009-09-04 13:03 . 2009-09-04 15:44 335240 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2009-09-04 13:03 . 2009-09-04 15:44 27784 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
2009-09-04 13:03 . 2009-09-05 01:04 -------- d-----w- d:\windows\system32\drivers\Avg
2009-09-04 13:03 . 2009-09-04 13:03 -------- d-----w- d:\program files\AVG
2009-09-04 13:03 . 2009-09-04 13:03 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8
2009-09-04 12:51 . 2009-09-04 12:51 -------- d-----w- d:\windows\system32\wbem\Repository
2009-09-04 11:25 . 2009-09-05 01:16 -------- d-----w- D:\$AVG8.VAULT$
2009-09-04 11:11 . 2009-09-04 11:11 -------- d-----w- d:\windows\system32\drivers\Avg(2)
2009-09-04 11:10 . 2009-09-04 12:51 -------- d-----w- d:\program files\AVG(2)
2009-09-04 11:10 . 2009-09-04 12:51 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8(2)
2009-08-28 22:29 . 2009-08-28 22:29 -------- d-----w- d:\documents and settings\JB\Application Data\MyScribe
2009-08-28 22:28 . 2009-08-28 22:28 -------- d-----w- d:\program files\CafeScribe
2009-08-25 12:39 . 2009-08-28 01:16 -------- d-----w- d:\program files\InterActual
2009-08-23 11:15 . 2009-08-23 11:15 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache
2009-08-18 09:52 . 2009-08-18 09:52 -------- d-----w- d:\program files\YourWare Solutions
2009-08-18 09:39 . 2009-08-18 09:39 -------- d-----w- d:\documents and settings\JB\Application Data\TuneUp Software
2009-08-18 09:39 . 2009-08-18 09:39 -------- d-----w- d:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-18 09:39 . 2009-08-20 07:34 -------- d-----w- d:\program files\TuneUp Utilities 2009
2009-08-18 09:37 . 2009-08-18 09:37 -------- d-sh--w- d:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 07:40 . 2008-12-07 14:21 -------- d-----w- d:\documents and settings\JB\Application Data\StumbleUpon
2009-09-05 07:35 . 2008-09-09 07:27 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-05 07:34 . 2008-09-09 07:49 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-05 07:31 . 2009-05-14 05:10 -------- d-----w- d:\program files\Full Tilt Poker
2009-09-04 23:13 . 2009-07-17 07:13 -------- d-----w- d:\program files\PokerStars
2009-09-04 22:08 . 2008-09-09 08:08 -------- d-----w- d:\documents and settings\JB\Application Data\FileZilla
2009-09-04 12:51 . 2009-01-27 14:14 -------- d-----w- d:\documents and settings\JB\Application Data\dvdcss
2009-09-04 12:51 . 2008-09-09 08:20 -------- d-----w- d:\documents and settings\JB\Application Data\uTorrent
2009-09-04 11:35 . 2008-09-09 07:28 -------- d-----w- d:\program files\SpywareBlaster
2009-08-27 08:12 . 2008-09-09 02:47 -------- d-----w- d:\program files\FileZilla FTP Client
2009-08-09 10:16 . 2008-09-08 07:56 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-08-06 12:48 . 2008-09-10 11:39 -------- d-----w- d:\documents and settings\JB\Application Data\Move Networks
2009-08-04 12:18 . 2008-09-09 07:27 -------- d-----w- d:\program files\Spybot - Search & Destroy
2009-08-03 21:05 . 2008-12-20 16:25 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:36 . 2008-12-20 16:25 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2008-12-20 16:26 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-02 03:32 . 2009-01-05 09:58 -------- d-----w- d:\program files\SUPERAntiSpyware
2009-07-29 10:56 . 2009-01-23 08:38 8 ----a-w- d:\windows\system32\nvModes.dat
2009-07-19 23:58 . 2009-07-19 23:58 -------- d-----w- d:\documents and settings\JB\Application Data\Ahead
2009-07-16 13:15 . 2009-07-16 13:15 -------- d-----w- d:\program files\Alcohol Soft
2009-07-16 13:13 . 2009-07-16 13:13 721904 ----a-w- d:\windows\system32\drivers\sptd.sys
2009-07-16 12:38 . 2009-07-16 12:38 -------- d-----w- d:\documents and settings\JB\Application Data\Vso
2009-07-16 12:38 . 2009-07-16 12:38 47360 ----a-w- d:\windows\system32\drivers\pcouffin.sys
2009-07-16 12:38 . 2009-07-16 12:38 47360 ----a-w- d:\documents and settings\JB\Application Data\pcouffin.sys
2009-07-16 12:38 . 2009-07-16 12:38 -------- d-----w- d:\program files\DVDFab 6
2009-07-15 14:07 . 2008-12-08 11:32 -------- d-----w- d:\documents and settings\JB\Application Data\Apple Computer
2009-07-15 14:07 . 2008-10-12 04:04 -------- d-----w- d:\documents and settings\JB\Application Data\DivX
2009-07-15 14:00 . 2009-07-15 14:00 -------- d-----w- d:\program files\Alwil Software
2009-07-10 08:18 . 2008-10-07 11:53 -------- d-----w- d:\program files\DivX
2009-07-10 08:17 . 2009-07-10 08:17 -------- d-----w- d:\program files\Common Files\DivX Shared
2009-07-03 17:09 . 2004-08-04 04:56 915456 ----a-w- d:\windows\system32\wininet.dll
2009-06-23 08:49 . 2008-09-08 08:24 93968 ----a-w- d:\documents and settings\JB\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-08-07 00:16 81920 ----a-w- d:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 04:56 119808 ----a-w- d:\windows\system32\t2embed.dll
2008-07-02 12:13 . 2008-07-02 12:13 34112 ----a-w- d:\program files\nv4_disp.cat
2008-05-20 02:16 . 2008-05-20 02:16 40337 ----a-w- d:\program files\NvApps.xm_
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2009-02-24 04:07 163328 --sh--r- d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-02-24 04:07 31232 --sh--r- d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-02-24 04:07 216064 --sh--r- d:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="d:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="d:\documents and settings\JB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-06 133104]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="d:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="d:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-04 2007832]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-05-16 1630208]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - d:\windows\Installer\{1C94C999-15D2-4C75-9A73-BCC8A677D42E}\IcoUltraMon.ico [2009-2-23 29310]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-04 15:44 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"e:\\Games\\Starcraft\\StarCraft.exe"=
"d:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"d:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [9/4/2009 6:03 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [9/4/2009 6:03 AM 108552]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]
R2 UltraMonUtility;UltraMon Utility Driver;d:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 3:11 AM 17184]
S0 qpsd;qpsd;d:\windows\system32\drivers\smrar.sys --> d:\windows\system32\drivers\smrar.sys [?]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-20 d:\windows\Tasks\FRU Task 2002-12-04 03:40ewlett-Packard2002-12-04 03:40p officejet 6100 series324C9EBEBB389A3CB37E16C7992E8342068F8B15235168258.job
- d:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2002-12-04 03:40]

2009-09-04 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-412668190-839522115-1003Core.job
- d:\documents and settings\JB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-06 02:58]

2009-09-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-412668190-839522115-1003UA.job
- d:\documents and settings\JB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-06 02:58]

2009-09-05 d:\windows\Tasks\WGASetup.job
- d:\windows\system32\KB905474\wgasetup.exe [2009-05-12 05:18]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - d:\documents and settings\JB\Application Data\Mozilla\Firefox\Profiles\b5amuofn.default\
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\documents and settings\JB\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: d:\documents and settings\JB\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: d:\documents and settings\JB\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: d:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: d:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 02:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1596)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(836)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\program files\UltraMon\RTSUltraMonHook.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\progra~1\AVG\AVG8\avgwdsvc.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
d:\windows\system32\rundll32.exe
d:\program files\UltraMon\UltraMon.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
d:\program files\UltraMon\UltraMonTaskbar.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\windows\system32\nvsvc32.exe
d:\progra~1\AVG\AVG8\avgnsx.exe
d:\program files\Viewpoint\Common\ViewpointService.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
.
**************************************************************************
.
Completion time: 2009-09-05 2:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 09:48

Pre-Run: 9,852,424,192 bytes free
Post-Run: 9,787,588,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

254 --- E O F --- 2009-07-29 10:00

#4
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Go to start > run and copy and paste the next command into the field:

sc delete qpsd

Hit enter.

Then go to start > run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research
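The reason for `sc delete qpsd` is visible in the ComboFix log earlier in the thread: the line `S0 qpsd;qpsd;d:\windows\system32\drivers\smrar.sys --> ... [?]` describes a boot-start service whose driver file ComboFix could not find (the `--> <path> [?]` annotation is taken here to mean "file not present"). A service entry that survives after its driver has been removed is a typical leftover of a rootkit cleanup, and deleting the service is how the registration is tidied up. The following Python parser for ComboFix's Drivers/Services section is an added example, not code from the thread or from ComboFix; it reads lines in that format, flags entries whose file is missing and lists boot-start (`x0`) orphans first. The sample lines are copied from the log above plus one constructed entry (`demo_missing`).

```python
"""Flag orphaned service entries in ComboFix's Drivers/Services section.

Added example (not ComboFix's own code). Assumed line format, taken from
the log in this thread:
    <R|S><start> <name>;<display name>;<image path> [<date> <size>]
and, when ComboFix cannot find the file:
    <R|S><start> <name>;<display name>;<path> --> <path> [?]
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$'
)

# Lines copied from the ComboFix log above; the last one is constructed
# to show a non-boot-start orphan for sorting purposes.
SAMPLE_LOG: List[str] = [
    r'R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [9/4/2009 6:03 AM 335240]',
    r'R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]',
    r'R2 UltraMonUtility;UltraMon Utility Driver;d:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 3:11 AM 17184]',
    r'S0 qpsd;qpsd;d:\windows\system32\drivers\smrar.sys --> d:\windows\system32\drivers\smrar.sys [?]',
    r'S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]',
    '',
    # constructed entry (hypothetical name and path), not from the log
    r'S3 demo_missing;Demo Service;d:\windows\system32\drivers\demo_missing.sys --> d:\windows\system32\drivers\demo_missing.sys [?]',
]


@dataclass
class ServiceEntry:
    start_type: str     # R = running / S = stopped, digit = Start value (0 = boot)
    name: str           # service key name under ...\Services
    display_name: str
    image_path: str
    file_present: bool  # False when ComboFix printed the "[?]" marker


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one Drivers/Services line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest').rstrip()
    missing = rest.endswith('[?]')
    # Drop the "--> path" echo and the trailing "[date size]" / "[?]" bracket.
    path = rest.split(' --> ')[0]
    path = re.sub(r'\s*\[[^\]]*\]\s*$', '', path)
    return ServiceEntry(
        start_type=m.group('start'),
        name=m.group('name').strip(),
        display_name=m.group('display').strip(),
        image_path=path,
        file_present=not missing,
    )


def orphaned_services(lines: Iterable[str]) -> List[ServiceEntry]:
    """Entries whose driver file is missing, boot-start ones (x0) first.

    A boot-start service pointing at a file that no longer exists is the
    classic remnant of a removed rootkit driver, so it is ranked first.
    """
    found = [e for e in map(parse_service_line, lines)
             if e is not None and not e.file_present]
    return sorted(found, key=lambda e: (e.start_type[1] != '0', e.name.lower()))


def removal_commands(entries: Iterable[ServiceEntry]) -> List[str]:
    """The 'sc delete <name>' command suggested in the thread, per orphan."""
    return [f'sc delete {e.name}' for e in entries]


if __name__ == '__main__':
    orphans = orphaned_services(SAMPLE_LOG)
    for e in orphans:
        print(f'{e.start_type} {e.name}: file missing -> {e.image_path}')
    print('\n'.join(removal_commands(orphans)))
```

Run it against a saved ComboFix log by replacing `SAMPLE_LOG` with the file's lines; only lines matching the Drivers/Services shape are considered, so the rest of the log is ignored.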


#5
tekmaster

    New Member

  • Members
  • Pip
  • 13 posts

miekiemoes, on Sep 5 2009, 03:20 PM, said:

Hi,

Go to start > run and copy and paste the next command into the field:

sc delete qpsd

Hit enter.

Then go to start > run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Seems to be resolved now, and the computer seems a little quicker! Thanks for your assistance ;)

#6
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Mieke Verburgh
Assistant Director of Research


#7
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research
