
vileside

Honorary Members
  • Posts: 40
  • Reputation: 0 Neutral

About vileside
  • Birthday 09/13/1986

Profile Information
  • Location: Massachusetts, USA
  1. I'd like to thank you for all your time and effort. It's been a long road hehe.
  2. Also, "(cmz vmkd) Virtual Bus" wasn't on the list this time.
  3. Computer seems to be running well. ComboFix downloaded the Recovery Console as well. Here's the log:
  4. MBAM did not detect any other threats and ComboFix was able to run but was not able to download the Recovery Console; it kept saying there was no internet connection. Checked all the proxy settings and everything looked fine. ComboFix did run a scan though and here are the results:
Manager Service;Viewpoint Manager Service; [x] R3 24B5B6B8;24B5B6B8;c:\windows\system32\24B5B6B8.exe [2010-12-30 6656] R3 dopewars-server;dopewars server;c:\program files\dopewars-1.5.12\dopewars.exe [2009-05-11 301056] R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x] R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x] R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232] R3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [x] R3 Normandy;Normandy SR2; [x] R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-03-16 3532120] R3 PanelSvc;PanelSvc;c:\program files\Knowledge Networks\PanelApp\PanelSvc.exe [x] R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 19056] R3 pfsvgae;pfsvgae;c:\docume~1\SHANEM~1\LOCALS~1\Temp\pfsvgae.sys [x] R3 vbmad7bc;Virtual Bus for Microsoft ACPI-Compliant System; [x] R3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys [2001-01-03 19677] R3 XDva224;XDva224;c:\windows\system32\XDva224.sys [x] R3 XDva351;XDva351;c:\windows\system32\XDva351.sys [x] R3 XDva356;XDva356;c:\windows\system32\XDva356.sys [x] S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-02-19 717296] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336] S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-05-31 266240] S2 VideoSrv;Windows Video;c:\windows\System32\svchost.exe [2008-04-14 14336] S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592] S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front 
Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 Akamai REG_MULTI_SZ Akamai HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs VideoSrv . Contents of the 'Scheduled Tasks' folder 2011-01-03 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26] 2011-01-03 c:\windows\Tasks\MpIdleTask.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = www.google.com mWindow Title = Windows Internet Explorer provided by Comcast FF - ProfilePath - c:\documents and settings\Shane Mascho\Application Data\Mozilla\Firefox\Profiles\ttlz6tlk.default\ FF - prefs.js: browser.search.selectedEngine - Search the Web FF - prefs.js: browser.startup.homepage - www.google.com FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=63175&p= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: 
privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . - - - - ORPHANS REMOVED - - - - URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file) BHO-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file) Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file) Toolbar-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file) Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file) WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file) SafeBoot-klmdb.sys SafeBoot-Wdf01000.sys MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe MSConfigStartUp-conhost - c:\documents and settings\Shane Mascho\Application Data\Microsoft\conhost.exe MSConfigStartUp-mmwfmqvf - c:\docume~1\SHANEM~1\LOCALS~1\Temp\ljljhdjgp\xpirgvptsbl.exe MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe MSConfigStartUp-PeerGuardian - c:\program files\PeerGuardian2\pg2.exe MSConfigStartUp-Raptr - c:\progra~1\Raptr\raptrstub.exe MSConfigStartUp-svchost - c:\documents and settings\Shane Mascho\Application Data\Microsoft\svchost.exe MSConfigStartUp-VerizonServicepoint - c:\program files\Verizon\VSP\VerizonServicepoint.exe MSConfigStartUp-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe MSConfigStartUp-{D8394E8D-997D-EEBE-E62E-26B1E1DDFA9A} - c:\documents and settings\Shane Mascho\Application Data\Sivod\lutoa.exe AddRemove-Gekkeiju Online - c:\windows\GPInstall.exe AddRemove-Heroes of Might and Magic
  5. Rebooted and checked the system devices again; it was enabled. Disabled, installed and updated MBAM and did a quick scan. It worked! Here's the log from that:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5445

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2011 6:21:11 PM
mbam-log-2011-01-02 (18-21-11).txt

Scan type: Quick scan
Objects scanned: 144619
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF} (Trojan.Agent.Max) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\WinSxS\x86_microsoft.windows.shell.hweventdetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll (Trojan.Agent.Max) -> Quarantined and deleted successfully.
c:\documents and settings\shane mascho\application data\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msjet404.dll (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\vbmad7bc.sys (Trojan.Agent) -> Delete on reboot.
  6. I'm currently in normal mode. Should I reboot the computer and try again?
  7. Found "(cmz vmkd) Virtual Bus" under System Devices and disabled. Tried running ComboFix but it still shuts down after the small loading screen.
  8. I tried both Fixboot, rebooted the system and ran rkill. Still got svchost.exe. Tried again with FIXMBR and got the same result.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/02/2011 at 16:46:57.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe

Rkill completed on 01/02/2011 at 16:47:01.
  9. When I got into the Recovery Console it asked me which Windows installation I wanted to go to (?). I was unsure what to do, so at first I typed C, which didn't work. I figured I should give it another go and typed 1. That seemed to work, but it asked me for an admin password. I've never had a password on my computer, and when reinstalling a couple of years ago I never put one on.
  10. Yes, I was able to get into the recovery console. But once in I have no idea what I'm doing. Never used it before.
  11. Good news! I was indeed able to boot off of the USB DVD drive.
  12. I found a Windows XP CD to use, but it will not run in my regular CD drive, only my USB DVD drive; will that be OK? Also, I ran rkill and then ComboFix directly after, and ComboFix ran as it did before.
  13. My Windows XP CD disappeared years ago; if it would work, I can get hold of my brother's Vista CD. RootRepeal scanned without any issues and here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/12/31 08:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2986000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6752
Image Path: \Driver\PCI_PNP6752
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8598000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcb.sys
Image Path: spcb.sys
Address: 0xF73DB000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: vbmad7bc.SYS
Image Path: C:\WINDOWS\System32\Drivers\vbmad7bc.SYS
Address: 0x864D7000 Size: 38016 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: c:\program files\cabal online (us)\data\language\english\cabal_msg.enc
Status: Size mismatch (API: 344732, Raw: 343680)

Path: c:\program files\cabal online (us)\data\language\english\caz_msg.enc
Status: Size mismatch (API: 1776, Raw: 1757)

Path: c:\program files\cabal online (us)\data\language\english\cont2_msg.enc
Status: Size mismatch (API: 3392, Raw: 3359)

Path: c:\program files\cabal online (us)\data\language\english\keymap_msg.enc
Status: Size mismatch (API: 1906, Raw: 1885)

Path: c:\program files\cabal online (us)\data\language\english\msg.enc
Status: Size mismatch (API: 53466, Raw: 53174)

Path: c:\program files\cabal online (us)\data\language\english\ui.dts
Status: Size mismatch (API: 45796, Raw: 45818)

Path: c:\program files\cabal online (us)\data\monster\dx3\dx3_reaperboss.ebm
Status: Size mismatch (API: 2906741, Raw: 2906738)

Path: c:\program files\cabal online (us)\data\monster\dx4\dx4_dragonboss.ebm
Status: Size mismatch (API: 2790840, Raw: 2790836)

Path: c:\program files\cabal online (us)\data\monster\dx4\dx4_dragonboss_sleep.ebm
Status: Size mismatch (API: 1691819, Raw: 1691816)

Path: c:\program files\cabal online (us)\data\monster\dx4\dx4_firegate.ebm
Status: Size mismatch (API: 23010, Raw: 23031)

Path: c:\program files\cabal online (us)\data\object\character\man_pshop02.ebm
Status: Size mismatch (API: 385170, Raw: 385166)

Path: c:\program files\cabal online (us)\data\object\character\woman_pshop02.ebm
Status: Size mismatch (API: 391456, Raw: 391452)

Path: c:\program files\cabal online (us)\data\ui\icon\social_64.dds
Status: Size mismatch (API: 16512, Raw: 6528)

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_247.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_248.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_249.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_250.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_251.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_252.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_253.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_254.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\CABAL Online (US)\Data\UI\Icon\social_67.dds
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Shane Mascho\Local Settings\Apps\2.0\XLQVHZMJ.WXR\KAVWNBDV.O0V\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Shane Mascho\Local Settings\Apps\2.0\XLQVHZMJ.WXR\KAVWNBDV.O0V\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Shane Mascho\Local Settings\Apps\2.0\XLQVHZMJ.WXR\KAVWNBDV.O0V\manifests\InstallIQ.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Shane Mascho\Local Settings\Apps\2.0\XLQVHZMJ.WXR\KAVWNBDV.O0V\manifests\InstallIQ.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spcb.sys" at address 0xf73dc0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcb.sys" at address 0xf73faca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcb.sys" at address 0xf73fb030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcb.sys" at address 0xf73dc0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcb.sys" at address 0xf73fb108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcb.sys" at address 0xf73faf88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spcb.sys" at address 0xf73fb19a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x8676c1f8 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP] Process: System Address: 0x86149500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_CREATE] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_CLOSE] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_READ] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_WRITE] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_SET_INFORMATION] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_CLEANUP] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: Udfs?-????????ocumen, IRP_MJ_PNP] Process: System Address: 0x85dc7500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_READ] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP] Process: System Address: 0x862da500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x8649d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_CREATE] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_CLOSE] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_POWER] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: aujxex40????Cdrom???????, IRP_MJ_PNP] Process: System Address: 0x8640d1f8 Size: 121
Object: Hidden Code [Driver: Hard, IRP_MJ_CREATE] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_CLOSE] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_READ] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_WRITE] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SET_INFORMATION] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_EA] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SET_EA] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SHUTDOWN] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_CLEANUP] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SET_SECURITY] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_POWER] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_SET_QUOTA] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: Hard, IRP_MJ_PNP] Process: System Address: 0x864d9109 Size: 3160
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x864a3500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x86569500 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x867db1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x862ae500 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_CREATE] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_CLOSE] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_POWER] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: as0ybu3w?????, IRP_MJ_PNP] Process: System Address: 0x8652b1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x862b0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x862b0500 Size: 121 Object: Hidden Code [Driver: Cdfs?????????????
  14. I followed your instructions and here's what happened: ran rkill.scr, installed MBAM, updated it and clicked Quick Scan; 20-30 seconds later MBAM closed. I went and ran rkill.scr again; both times I got the same result. Here's the log: This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Rkill was run on 12/30/2010 at 19:09:10. Operating System: Microsoft Windows XP Processes terminated by Rkill or while it was running: \\.\globalroot\Device\svchost.exe\svchost.exe Rkill completed on 12/30/2010 at 19:09:13.
  15. I did as you said and tried in both Safe Mode and Safe Mode with Networking. As soon as I hit the scan button, the program closes instantly, and if I try to reopen it I get a message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item." This also happens when I try to run MBAM.