# Google search page hijacked



## triton12 (Feb 19, 2010)

Please give me a hand. My Firefox google page has been hijacked. Sometimes when I type in searches, and choose any link, it takes me to some random search engine or something random that is for sale. For instance I typed in Amway Arena on the google page and a list of items comes up on google. But when I click on the link (say Wikipedia) it then takes me to another search engine or some random site. Please help, thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:46 PM, on 5/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://northernvirginia.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 8651 bytes
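An added example, not part of the thread or of HijackThis itself: a Python triage parser for the log format posted above. It pulls out the entry types a search-hijack triage reads first (R0/R1 start and search pages, O2/O3 BHOs and toolbars, O4 Run/Startup items, O18 protocol handlers, O23 services) and applies a few defensive checks. The trusted-host set and the sample lines are assumptions constructed for the example; each finding is a prompt to verify the file or URL, not a verdict.

```python
"""Triage parser for HijackThis (v2.0.x) log entries (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample in the shape of the posted log. Most lines mirror real
# entries above; the .invalid search URL, the unnamed BHO and the Temp-directory
# Run entry are made up to exercise the checks.
SAMPLE_LOG = r"""
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://northernvirginia.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.redirector.invalid/?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\helper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""


@dataclass
class Entry:
    kind: str                    # R0, R1, O2, O3, O4, O18, O23
    name: str                    # value name, BHO/toolbar name, service name
    target: str                  # URL, command line or module path
    clsid: Optional[str] = None  # O2/O3/O18 only
    extra: Optional[str] = None  # registry key (R/O4) or service owner (O23)


_PATTERNS = [
    ("R", re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<target>.*)$")),
    ("CLSID", re.compile(r"^(?P<kind>O(?:2|3|18)) - (?:BHO|Toolbar|Protocol): "
                         r"(?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")),
    ("RUN", re.compile(r"^(?P<kind>O4) - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("STARTUP", re.compile(r"^(?P<kind>O4) - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")),
    ("SVC", re.compile(r"^(?P<kind>O23) - Service: (?P<name>.*?) - (?P<extra>.*?) - (?P<target>.*)$")),
]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.strip()
    for tag, pat in _PATTERNS:
        m = pat.match(line)
        if m is None:
            continue
        g = m.groupdict()
        if tag == "R":
            # "HKCU\...\Main,Start Page" -> name "Start Page"; the full key goes in extra
            return Entry(g["kind"], g["key"].rsplit(",", 1)[-1], g["target"], extra=g["key"])
        if tag == "CLSID":
            return Entry(g["kind"], g["name"], g["target"], clsid=g["clsid"])
        if tag in ("RUN", "STARTUP"):
            return Entry(g["kind"], g["name"], g["target"], extra=g["key"])
        return Entry(g["kind"], g["name"], g["target"], extra=g["extra"])
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised entry; headers and the process list are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


_TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def _host_trusted(url: str, trusted: Set[str]) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(entries: Iterable[Entry], trusted_hosts: Set[str]) -> List[Tuple[Entry, str]]:
    """Defensive heuristics; each finding is (entry, reason) and needs human review."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.kind in ("R0", "R1") and not _host_trusted(e.target, trusted_hosts):
            findings.append((e, "start/search page points outside the expected hosts"))
        if e.kind in ("O2", "O3") and e.name.lower() == "(no name)":
            findings.append((e, "unnamed BHO/toolbar: identify the CLSID and DLL"))
        if e.kind.startswith("O") and _TEMP_DIR.search(e.target):
            findings.append((e, "autostart or service binary lives in a Temp directory"))
        if e.kind == "O23" and e.extra == "Unknown owner":
            # Can be benign: the posted log shows a legitimate Dell service like this.
            findings.append((e, "service has no publisher string; verify the file"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG), {"cox.net", "microsoft.com"}):
        print(f"[{entry.kind}] {entry.name}: {reason}\n    -> {entry.target}")
```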


----------



## JSntgRvr (Jul 1, 2003)

Hi, *triton12* 

Welcome.

Please follow these steps:

Download *TFC by OldTimer* to your desktop

 Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*.
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.
Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings
Change *Drivers* to *All*
Change *Standard Registry* to *All*
Under *File Scans*, change *File age* to *30*

Under the Custom Scan box paste this in

*netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys 
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav 
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
*

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt* (first run only). These are saved in the same location as OTL.
Please post the contents of these files in your next reply.

Download the *GMER Rootkit Scanner*. Unzip it to your Desktop.

*Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.*

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on *NO*, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED* ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)


 Then click the Scan button & wait for it to finish.
 Once done click on the *[Save..]* button, and in the File name area, type in *"ark.txt"* 
Save the log where you can easily find it, such as your desktop.
_**Caution**: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._
Please copy and paste the report into your Post.


----------



## triton12 (Feb 19, 2010)

Thanks, attached are the results of the OTL, the two text files you requested. I had a problem with the GMER rootkit scanner. It would open and start running, but then I would get a blue screen saying that the computer shut down to prevent damage and something about a non-page error. Please let me know what you would like for me to do next.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Hi, *triton12* 

Let's try Combofix.

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
Install the Recovery Console if prompted.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"*.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


----------



## triton12 (Feb 19, 2010)

Hi,

I tried Combofix twice and got a blue screen both times. I did it a second time because I realized the first time that I did have a windows explorer window open. But that didn't help after I closed it. I disabled the anti-virus as instructed. It would start up, create a restore point, start scanning and then about 2 minutes in I get the blue screen. This time it said something about a "pool". Let me know what you would like for me to do next.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Remove your current copy of Combofix and follow these instructions.

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename *Combofix* to *MyPoppy*:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combo-Fix.exe* & follow the prompts.
Install the Recovery Console if prompted.
When finished, it will produce a report for you. 
Please post the *"C:\Combo-Fix.txt"*.
***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


----------



## triton12 (Feb 19, 2010)

Hi,

I still got the same error. I deleted the combofix as you requested and redownloaded. When I deleted I just simply moved the icon into the recycle bin. Should I have done something else? When I downloaded the new copy I followed instructions and renamed it MyPoppy during the download.

Please let me know what you would like to try next.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed folder to your desktop. Extract its contents and click on the Check.bat file. Post the resulting *Log.txt*.


Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors (Recommended)*
Primary Mirror
Secondary Mirror
Secondary Mirror

*Rar Mirrors* - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
Open RootRepeal.exe on your desktop.
Click the [image] tab.
Click the [image] button.
Check all seven boxes: [image]
Push Ok
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


----------



## triton12 (Feb 19, 2010)

Thanks, here is the text from the attached file, that you had me run. I will work on the next step now.

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\ACE Compression Software

HKEY_LOCAL_MACHINE\SOFTWARE\Adobe

HKEY_LOCAL_MACHINE\SOFTWARE\Ahead

HKEY_LOCAL_MACHINE\SOFTWARE\America Online

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Inc.

HKEY_LOCAL_MACHINE\SOFTWARE\Audible

HKEY_LOCAL_MACHINE\SOFTWARE\AviSynth

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Azureus

HKEY_LOCAL_MACHINE\SOFTWARE\BillP Studios

HKEY_LOCAL_MACHINE\SOFTWARE\Bradbury

HKEY_LOCAL_MACHINE\SOFTWARE\Broadcom

HKEY_LOCAL_MACHINE\SOFTWARE\BroadJump

HKEY_LOCAL_MACHINE\SOFTWARE\BVRP Software

HKEY_LOCAL_MACHINE\SOFTWARE\BVRP Software, Inc

HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y

HKEY_LOCAL_MACHINE\SOFTWARE\Canon

HKEY_LOCAL_MACHINE\SOFTWARE\CCleaner

HKEY_LOCAL_MACHINE\SOFTWARE\Classes

HKEY_LOCAL_MACHINE\SOFTWARE\Clients

HKEY_LOCAL_MACHINE\SOFTWARE\Codec tweak Tool

HKEY_LOCAL_MACHINE\SOFTWARE\Conexant

HKEY_LOCAL_MACHINE\SOFTWARE\Corel

HKEY_LOCAL_MACHINE\SOFTWARE\CoreSecurity

HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech

HKEY_LOCAL_MACHINE\SOFTWARE\Crystal Decisions

HKEY_LOCAL_MACHINE\SOFTWARE\CXT

HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink

HKEY_LOCAL_MACHINE\SOFTWARE\Debug

HKEY_LOCAL_MACHINE\SOFTWARE\Deckard

HKEY_LOCAL_MACHINE\SOFTWARE\Dell

HKEY_LOCAL_MACHINE\SOFTWARE\Dell Computer Corporation

HKEY_LOCAL_MACHINE\SOFTWARE\Dell Computers

HKEY_LOCAL_MACHINE\SOFTWARE\DIOC

HKEY_LOCAL_MACHINE\SOFTWARE\DivX

HKEY_LOCAL_MACHINE\SOFTWARE\DivXNetworks

HKEY_LOCAL_MACHINE\SOFTWARE\ej-technologies

HKEY_LOCAL_MACHINE\SOFTWARE\Eset

HKEY_LOCAL_MACHINE\SOFTWARE\FES

HKEY_LOCAL_MACHINE\SOFTWARE\Gabest

HKEY_LOCAL_MACHINE\SOFTWARE\GEAR Software

HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus

HKEY_LOCAL_MACHINE\SOFTWARE\GNU

HKEY_LOCAL_MACHINE\SOFTWARE\Google

HKEY_LOCAL_MACHINE\SOFTWARE\GTek

HKEY_LOCAL_MACHINE\SOFTWARE\HaaliMkx

HKEY_LOCAL_MACHINE\SOFTWARE\InstalledOptions

HKEY_LOCAL_MACHINE\SOFTWARE\InstallShield

HKEY_LOCAL_MACHINE\SOFTWARE\Intel

HKEY_LOCAL_MACHINE\SOFTWARE\Intel, Inc.

HKEY_LOCAL_MACHINE\SOFTWARE\InterVideo

HKEY_LOCAL_MACHINE\SOFTWARE\Jasc

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft

HKEY_LOCAL_MACHINE\SOFTWARE\JreMetrics

HKEY_LOCAL_MACHINE\SOFTWARE\KLCodecPack

HKEY_LOCAL_MACHINE\SOFTWARE\knight

HKEY_LOCAL_MACHINE\SOFTWARE\Kodak

HKEY_LOCAL_MACHINE\SOFTWARE\L&H

HKEY_LOCAL_MACHINE\SOFTWARE\Lake

HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft

HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia

HKEY_LOCAL_MACHINE\SOFTWARE\Magnet

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com

HKEY_LOCAL_MACHINE\SOFTWARE\MDC

HKEY_LOCAL_MACHINE\SOFTWARE\MetaStream

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla

HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins

HKEY_LOCAL_MACHINE\SOFTWARE\Musicmatch

HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch, Inc.

HKEY_LOCAL_MACHINE\SOFTWARE\Nero

HKEY_LOCAL_MACHINE\SOFTWARE\Netscape Online

HKEY_LOCAL_MACHINE\SOFTWARE\NOS

HKEY_LOCAL_MACHINE\SOFTWARE\ODBC

HKEY_LOCAL_MACHINE\SOFTWARE\OldTimer Tools

HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software

HKEY_LOCAL_MACHINE\SOFTWARE\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Preview Systems

HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups

HKEY_LOCAL_MACHINE\SOFTWARE\Protexis

HKEY_LOCAL_MACHINE\SOFTWARE\RealNetworks

HKEY_LOCAL_MACHINE\SOFTWARE\RedKawa

HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications

HKEY_LOCAL_MACHINE\SOFTWARE\RichFX

HKEY_LOCAL_MACHINE\SOFTWARE\S3R521

HKEY_LOCAL_MACHINE\SOFTWARE\Safer Networking Limited

HKEY_LOCAL_MACHINE\SOFTWARE\Schlumberger

HKEY_LOCAL_MACHINE\SOFTWARE\Seagate Software

HKEY_LOCAL_MACHINE\SOFTWARE\Secure

HKEY_LOCAL_MACHINE\SOFTWARE\Sigmatel

HKEY_LOCAL_MACHINE\SOFTWARE\SiteAdvisor

HKEY_LOCAL_MACHINE\SOFTWARE\Smith Micro

HKEY_LOCAL_MACHINE\SOFTWARE\Sonic

HKEY_LOCAL_MACHINE\SOFTWARE\SupportSoft

HKEY_LOCAL_MACHINE\SOFTWARE\swearware

HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics

HKEY_LOCAL_MACHINE\SOFTWARE\Tenebril

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

HKEY_LOCAL_MACHINE\SOFTWARE\Valve

HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint

HKEY_LOCAL_MACHINE\SOFTWARE\VSO

HKEY_LOCAL_MACHINE\SOFTWARE\WhatsRunning

HKEY_LOCAL_MACHINE\SOFTWARE\WildTangent

HKEY_LOCAL_MACHINE\SOFTWARE\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status

HKEY_LOCAL_MACHINE\SOFTWARE\Wise Solutions

HKEY_LOCAL_MACHINE\SOFTWARE\Xing Technology Corp.

HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo

HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo! SiteBuilder


----------



## triton12 (Feb 19, 2010)

Attached is the rootrepeal text file.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

First verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download *maxlook*, saving the file to your desktop.
Double click *maxlook.exe* to run it. *Note - you must run it only once!*
Restart the computer and logon to the *Recovery Console.*
Execute the following bolded command at the _x:\windows>_ prompt <--- the red x represents your operating system drive letter, usually C
*batch look.bat*
You will see *1 file copied* many times then return to the _x:\windows>_ prompt.
Type *Exit* to restart your computer then logon in normal mode.
Once in Windows, obtain an Internet Connection. This program must download a tool to check files' signatures.
Then go to Start -> Run, copy and paste the following command in the run Box and Click OK
*"%Userprofile%\Desktop\maxlook.exe" -sig*
It will produce *looklog.txt* in the C:\ folder.
Please post the results here.


----------



## triton12 (Feb 19, 2010)

When I looked, as I thought, the Windows Recovery Console was already on my computer. But I did as you instructed and tested it out first. It didn't work. When you first power up the computer you have the option for the Recovery console, so I selected it. But when I do nothing happens, I just have a black screen with a blinking bar at the top left. I can't type or do anything. The power is on but the CPU is not running or anything like that. I can still log on to my computer the regular way though. So I didn't continue with the next step. I wanted to see what you thought. Also I don't think I have an XP CD, Dell didn't ship it when I got my computer.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Ok, we can come back to this shortly. The reason I would like to run Maxlook is to search for a possible infected driver. Let's try this application.

*Please read carefully and follow these steps.* 

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop and make sure *TDSSKiller.exe* (the contents of the zipped file) is on the Desktop itself, *not* within a folder on the desktop.
Go to Start > Run (Or you can hold down your *Windows key* and press *R*) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press *Ctrl+Shift+Enter*.)

*"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v*

If it says "Hidden service detected" *DO NOT* type anything in. Just press Enter on your keyboard to not do anything to the file.
It may ask you to reboot the computer to complete the process. Allow it to do so.
When it is done, a log file should be created on your C: drive called "*TDSSKiller.txt*" please copy and paste the contents of that file here.


----------



## triton12 (Feb 19, 2010)

Here is the log; it looks like it cured something:

23:13:03:515 3368 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
23:13:03:515 3368 ================================================================================
23:13:03:515 3368 SystemInfo:

23:13:03:515 3368 OS Version: 5.1.2600 ServicePack: 3.0
23:13:03:515 3368 Product type: Workstation
23:13:03:515 3368 ComputerName: CHADDRICK
23:13:03:515 3368 UserName: Chaddrick Johnson
23:13:03:515 3368 Windows directory: C:\WINDOWS
23:13:03:515 3368 Processor architecture: Intel x86
23:13:03:515 3368 Number of processors: 2
23:13:03:515 3368 Page size: 0x1000
23:13:03:531 3368 Boot type: Normal boot
23:13:03:531 3368 ================================================================================
23:13:03:546 3368 UnloadDriverW: NtUnloadDriver error 2
23:13:03:546 3368 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
23:13:03:906 3368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:13:03:906 3368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:13:03:906 3368 wfopen_ex: Trying to KLMD file open
23:13:03:906 3368 wfopen_ex: File opened ok (Flags 2)
23:13:03:906 3368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:13:03:906 3368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:13:03:906 3368 wfopen_ex: Trying to KLMD file open
23:13:03:906 3368 wfopen_ex: File opened ok (Flags 2)
23:13:03:906 3368 KLAVA engine initialized
23:13:04:203 3368 Initialize success
23:13:04:203 3368 
23:13:04:203 3368 Scanning Services ...
23:13:04:796 3368 Raw services enum returned 406 services
23:13:04:843 3368 
23:13:04:843 3368 Scanning Drivers ...
23:13:05:250 3368 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
23:13:05:765 3368 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:13:05:812 3368 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:13:06:000 3368 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
23:13:06:296 3368 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:13:06:328 3368 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
23:13:06:671 3368 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
23:13:06:781 3368 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:13:06:828 3368 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
23:13:06:906 3368 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
23:13:07:078 3368 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
23:13:07:218 3368 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
23:13:07:406 3368 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:13:07:578 3368 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
23:13:07:640 3368 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
23:13:07:671 3368 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
23:13:07:984 3368 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
23:13:08:437 3368 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:13:08:468 3368 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
23:13:08:671 3368 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
23:13:08:937 3368 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
23:13:09:250 3368 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:13:09:296 3368 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:13:09:328 3368 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:13:09:375 3368 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:13:09:421 3368 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
23:13:09:609 3368 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:13:09:796 3368 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
23:13:09:937 3368 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:13:09:953 3368 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
23:13:10:109 3368 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:13:10:140 3368 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:13:10:171 3368 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:13:10:234 3368 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
23:13:10:250 3368 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
23:13:10:281 3368 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
23:13:10:312 3368 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
23:13:10:343 3368 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
23:13:10:390 3368 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
23:13:10:593 3368 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:13:10:718 3368 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:13:10:812 3368 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:13:10:859 3368 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:13:10:890 3368 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:13:10:921 3368 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
23:13:10:984 3368 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:13:11:093 3368 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys
23:13:11:328 3368 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys
23:13:11:546 3368 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
23:13:11:859 3368 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
23:13:11:890 3368 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:13:12:140 3368 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:13:12:171 3368 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:13:12:218 3368 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:13:12:250 3368 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:13:12:328 3368 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:13:12:359 3368 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:13:12:406 3368 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:13:12:484 3368 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:13:12:640 3368 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:13:12:671 3368 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:13:12:734 3368 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:13:12:875 3368 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
23:13:13:031 3368 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
23:13:13:109 3368 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
23:13:13:437 3368 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:13:13:468 3368 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
23:13:13:515 3368 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
23:13:13:531 3368 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:13:13:625 3368 ialm (93aa9660aacb82f73d854180afd9817e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
23:13:13:718 3368 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:13:13:828 3368 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
23:13:13:984 3368 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:13:14:015 3368 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:13:14:062 3368 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:13:14:093 3368 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:13:14:156 3368 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:13:14:187 3368 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:13:14:218 3368 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:13:14:265 3368 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:13:14:296 3368 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:13:14:359 3368 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:13:14:468 3368 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:13:14:515 3368 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:13:14:546 3368 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
23:13:14:906 3368 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
23:13:15:109 3368 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
23:13:15:343 3368 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
23:13:15:640 3368 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
23:13:15:859 3368 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
23:13:16:109 3368 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:13:16:156 3368 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:13:16:187 3368 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:13:16:234 3368 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:13:16:296 3368 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
23:13:16:828 3368 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:13:17:046 3368 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:13:17:218 3368 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:13:17:531 3368 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:13:17:562 3368 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:13:17:593 3368 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:13:17:625 3368 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:13:17:687 3368 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:13:17:703 3368 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
23:13:17:750 3368 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:13:17:781 3368 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:13:17:796 3368 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:13:17:828 3368 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:13:17:859 3368 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
23:13:17:890 3368 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:13:17:906 3368 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:13:18:093 3368 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
23:13:18:421 3368 NETw4x32 (88100ebdd10309fbd445ef8e42452eae) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
23:13:18:687 3368 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:13:18:718 3368 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:13:18:843 3368 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:13:18:875 3368 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:13:18:984 3368 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:13:19:187 3368 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:13:19:203 3368 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:13:19:234 3368 ohci1394 (eb8fc33c3f3086b8579e9bf72a78a526) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:13:19:234 3368 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ohci1394.sys. Real md5: eb8fc33c3f3086b8579e9bf72a78a526, Fake md5: ca33832df41afb202ee7aeb05145922f
23:13:19:234 3368 File "C:\WINDOWS\system32\DRIVERS\ohci1394.sys" infected by TDSS rootkit ... 
23:13:22:015 3368 Backup copy found, using it..
23:13:22:187 3368 will be cured on next reboot
23:13:22:437 3368 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
23:13:22:687 3368 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:13:22:750 3368 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:13:22:796 3368 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:13:22:859 3368 pavboot (210a628a0d7b3f45257850efbff27538) C:\WINDOWS\system32\drivers\pavboot.sys
23:13:23:125 3368 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:13:23:171 3368 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:13:23:218 3368 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:13:23:296 3368 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
23:13:23:562 3368 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
23:13:23:734 3368 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
23:13:23:781 3368 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:13:23:812 3368 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:13:23:859 3368 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:13:23:906 3368 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:13:23:921 3368 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
23:13:23:968 3368 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
23:13:24:000 3368 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
23:13:24:031 3368 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
23:13:24:062 3368 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
23:13:24:078 3368 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:13:24:109 3368 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:13:24:140 3368 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:13:24:218 3368 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:13:24:312 3368 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:13:24:343 3368 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:13:24:406 3368 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:13:24:453 3368 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
23:13:24:500 3368 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:13:24:531 3368 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
23:13:24:875 3368 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
23:13:25:359 3368 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
23:13:25:656 3368 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys
23:13:25:875 3368 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
23:13:25:937 3368 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:13:25:984 3368 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:13:26:015 3368 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:13:26:062 3368 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
23:13:26:140 3368 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
23:13:26:156 3368 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:13:26:203 3368 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
23:13:26:218 3368 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
23:13:26:250 3368 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:13:26:312 3368 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:13:26:406 3368 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
23:13:26:468 3368 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
23:13:26:703 3368 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
23:13:26:937 3368 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
23:13:27:265 3368 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:13:27:312 3368 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:13:27:437 3368 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
23:13:27:609 3368 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
23:13:27:875 3368 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
23:13:27:906 3368 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
23:13:28:250 3368 SynTP (35d5b3632e0bcebe27b391157de05996) C:\WINDOWS\system32\DRIVERS\SynTP.sys
23:13:28:484 3368 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:13:28:515 3368 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:13:28:546 3368 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:13:28:593 3368 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:13:28:640 3368 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:13:28:718 3368 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
23:13:28:984 3368 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
23:13:29:187 3368 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
23:13:29:343 3368 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
23:13:29:625 3368 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
23:13:29:781 3368 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
23:13:29:937 3368 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
23:13:30:156 3368 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
23:13:30:312 3368 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
23:13:30:578 3368 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
23:13:30:640 3368 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:13:30:687 3368 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
23:13:30:890 3368 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:13:30:968 3368 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:13:31:359 3368 usbbus (5aadc9297c39aa249cd994acdba19034) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
23:13:31:593 3368 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:13:31:656 3368 UsbDiag (4650ffe04e5922399b0e932319e6b215) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
23:13:32:015 3368 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:13:32:046 3368 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:13:32:078 3368 USBModem (2666fe171e0c2e7085ccd5fe0bac09e3) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
23:13:32:312 3368 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:13:32:375 3368 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:13:32:406 3368 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:13:32:437 3368 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:13:32:468 3368 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:13:32:515 3368 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
23:13:32:546 3368 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:13:32:593 3368 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:13:32:765 3368 w39n51 (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys
23:13:32:937 3368 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:13:32:984 3368 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:13:33:078 3368 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
23:13:33:593 3368 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
23:13:33:656 3368 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
23:13:33:734 3368 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:13:33:765 3368 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:13:33:828 3368 xnacc (7a35352bcdff34d0a6e59d8267b3fcb7) C:\WINDOWS\system32\DRIVERS\xnacc.sys
23:13:34:031 3368 Reboot required for cure complete..
23:13:34:203 3368 Cure on reboot scheduled successfully
23:13:34:203 3368 
23:13:34:203 3368 Completed
23:13:34:203 3368 
23:13:34:203 3368 Results:
23:13:34:203 3368 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:13:34:203 3368 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:13:34:203 3368 
23:13:34:203 3368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:13:34:203 3368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:13:34:203 3368 UnloadDriverW: NtUnloadDriver error 1
23:13:34:203 3368 KLMD(ARK) unloaded successfully


----------
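The log above records the one thing that matters in this thread: for ohci1394.sys the hash TDSSKiller computed from the raw disk ("Real md5") differs from the hash the file-system path returned ("Fake md5"), which is how a filtering rootkit is caught, and the cure is deferred to the next reboot. The script below is an added example for this thread, not part of the original post and not Kaspersky's code. It assumes the line layout visible in the log (timestamp, PID, then either a driver record or a status message) and runs over a sample constructed from the page's own log lines; it also checks whether the inventory line for a forged file still shows the fake hash, which would mean the hook was active when the inventory was read.

```python
"""Triage a Kaspersky TDSSKiller text log.

Added example for this thread; it is not part of the original post and not
Kaspersky's code. It assumes the line layout visible in the log above: a
timestamp, a PID, then either a driver record "<service> (<md5>) <path>" or
a status message. SAMPLE_LOG is constructed from lines on this page.
"""
import re
from dataclasses import dataclass, field

# Inventory line: "23:13:19:234 3368 ohci1394 (<md5>) C:\...\ohci1394.sys"
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)
# Cross-view mismatch: the hash of the bytes read from raw disk ("Real")
# differs from the hash of what the file-system path hands back ("Fake").
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})"
)
INFECTED_RE = re.compile(r'File "(?P<path>[^"]+)" infected by (?P<family>.+?) rootkit')
RESULTS_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


@dataclass
class Finding:
    path: str
    real_md5: str = ""
    fake_md5: str = ""
    family: str = ""
    cure_on_reboot: bool = False


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)   # path -> md5 as listed in the inventory
    findings: list = field(default_factory=list)  # Finding objects, in log order
    results: dict = field(default_factory=dict)   # "File"/"Registry" -> (infected, cured, on_reboot)


def parse_tdsskiller_log(text: str) -> Report:
    report, current = Report(), None
    for line in text.splitlines():
        if (m := DRIVER_RE.match(line)):
            report.drivers[m["path"]] = m["md5"]
        elif (m := FORGED_RE.search(line)):
            current = Finding(m["path"], m["real"], m["fake"])
            report.findings.append(current)
        elif (m := INFECTED_RE.search(line)):
            # "infected by" follows the forged-file line for the same path;
            # still handle a detection that arrives without one.
            if current is None or current.path != m["path"]:
                current = Finding(m["path"])
                report.findings.append(current)
            current.family = m["family"]
        elif "will be cured on next reboot" in line and current is not None:
            current.cure_on_reboot = True
        elif (m := RESULTS_RE.search(line)):
            report.results[m["kind"]] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
    return report


def triage(report: Report) -> dict:
    """What an analyst wants from the log: which files were forged, whether the
    inventory hashes can be trusted, whether a reboot is still pending, and
    whether the Results block agrees with the per-file findings."""
    forged = [f.path for f in report.findings if f.real_md5 and f.real_md5 != f.fake_md5]
    # If the inventory shows the *fake* hash, the hook was active when the
    # inventory was read and that line must not be used as a baseline.
    hooked_inventory = [f.path for f in report.findings
                        if f.fake_md5 and report.drivers.get(f.path) == f.fake_md5]
    reboot = (any(f.cure_on_reboot for f in report.findings)
              or any(counts[2] > 0 for counts in report.results.values()))
    file_counts = report.results.get("File")
    consistent = file_counts is None or file_counts[0] == len(report.findings)
    return {"forged": forged, "hooked_inventory": hooked_inventory,
            "reboot_required": reboot, "consistent": consistent}


# Constructed from the log lines on this page (not a full log).
SAMPLE_LOG = r"""
23:13:19:234 3368 ohci1394 (eb8fc33c3f3086b8579e9bf72a78a526) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:13:19:234 3368 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ohci1394.sys. Real md5: eb8fc33c3f3086b8579e9bf72a78a526, Fake md5: ca33832df41afb202ee7aeb05145922f
23:13:19:234 3368 File "C:\WINDOWS\system32\DRIVERS\ohci1394.sys" infected by TDSS rootkit ...
23:13:22:015 3368 Backup copy found, using it..
23:13:22:187 3368 will be cured on next reboot
23:13:22:437 3368 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
23:13:34:203 3368 Results:
23:13:34:203 3368 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:13:34:203 3368 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    for f in report.findings:
        print(f"{f.path}: {f.family} real={f.real_md5} fake={f.fake_md5} reboot={f.cure_on_reboot}")
    print(triage(report))
```

On the page's log the inventory line for ohci1394.sys already carries the real hash, so `hooked_inventory` comes back empty and `reboot_required` is true, matching the "cured on reboot: 1" count; a log where the two disagree is the one to read more carefully.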



## JSntgRvr (Jul 1, 2003)

Are you able now to boot to the *Recovery Console*?


----------



## triton12 (Feb 19, 2010)

I tried it but still no luck. When I used the google search bar today though it appeared okay. I didn't get anything weird. So I think what you did yesterday helped, but I don't know if we got it all. Let me know what you want me to do next.

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Please download ARCDC from Artellos.com.

Double click ARCDC.exe
Follow the dialog until you see 6 options. Please pick: *Windows Home or Professional SP2 & SP3*, as applicable.
You will be prompted with a Terms of Use by Microsoft, please accept.
You will see a few dos screens flash by, this is normal.
Next you will be able to choose to add extra files. Select the Default Files.
The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

Once you burn this CD, follow the instructions on Post 11.

When booting with this CD you may encounter the following:

Insert the CD and restart the computer. If prompted, select any options required to boot from the CD. You will be prompted with the following options:

A. To setup Windows XP, press Enter.
B. To repair Windows XP installation using recovery console, press R.

Choose the option, "To repair the Windows XP installation using recovery console", press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

You will be presented with the following:



> Microsoft Windows(R) Recovery Console
> The Recovery Console provides system repair and recovery functionality.
> Type EXIT to quit the Recovery Console and restart the computer.
> 
> ...


Press the number assigned to the installation you need access to on your keyboard and hit Enter.

In this case, if only the above is displayed, it is 1.

This should give you the Recovery Console *C:\Windows* prompt.


----------



## triton12 (Feb 19, 2010)

Thanks, below is the looklog report:


```
Run from C:\Documents and Settings\Chaddrick Johnson\Desktop\maxlook.exe on Thu 05/20/2010 at 23:44:28.03

--------- maxlook unsigned files ---------

c:\windows\maxdriver\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    Product:    Application Driver
    Version:    1, 0, 1, 1
    File version:    1, 0, 1, 1
c:\windows\maxdriver\asctrm.sys:
    Verified:    Unsigned
    File date:    2:55 PM 5/14/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\maxdriver\drvmcdb.sys:
    Verified:    Unsigned
    File date:    3:22 AM 4/22/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.22.13a
c:\windows\maxdriver\drvnddm.sys:
    Verified:    Unsigned
    File date:    2:56 AM 4/21/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    2.56.53a
c:\windows\maxdriver\omci.sys:
    Verified:    Unsigned
    File date:    5:46 PM 2/13/2004
    Publisher:    Dell Inc
    Description:    OMCI Device Driver
    Product:    OMCI Driver
    Version:    7, 1, 382, 0
    File version:    7, 1, 382, 0
c:\windows\maxdriver\pcouffin.sys:
    Verified:    Unsigned
    File date:    7:53 PM 7/21/2007
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\maxdriver\sscdbhk5.sys:
    Verified:    Unsigned
    File date:    10:37 AM 5/13/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    1.10.90a
c:\windows\maxdriver\ssrtln.sys:
    Verified:    Unsigned
    File date:    10:37 AM 5/13/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    1.10.90a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    Product:    Application Driver
    Version:    1, 0, 1, 1
    File version:    1, 0, 1, 1
c:\windows\system32\drivers\asctrm.sys:
    Verified:    Unsigned
    File date:    2:55 PM 5/14/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\system32\drivers\drvmcdb.sys:
    Verified:    Unsigned
    File date:    3:22 AM 4/22/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.22.13a
c:\windows\system32\drivers\drvnddm.sys:
    Verified:    Unsigned
    File date:    2:56 AM 4/21/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    2.56.53a
c:\windows\system32\drivers\omci.sys:
    Verified:    Unsigned
    File date:    5:46 PM 2/13/2004
    Publisher:    Dell Inc
    Description:    OMCI Device Driver
    Product:    OMCI Driver
    Version:    7, 1, 382, 0
    File version:    7, 1, 382, 0
c:\windows\system32\drivers\pcouffin.sys:
    Verified:    Unsigned
    File date:    7:53 PM 7/21/2007
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\system32\drivers\sscdbhk5.sys:
    Verified:    Unsigned
    File date:    10:37 AM 5/13/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    1.10.90a
c:\windows\system32\drivers\ssrtln.sys:
    Verified:    Unsigned
    File date:    10:37 AM 5/13/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    1.10.90a
```


----------
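The maxlook report lists every driver whose Authenticode signature does not verify, once for the copies the tool keeps under maxdriver and once for the live files in system32\drivers. Reading it is a matter of deciding which unsigned drivers are expected on this machine and spotting any whose version resource names no real vendor. The script below is an added example for this thread, not part of the original post and not the tool's own code. It assumes the block layout shown in the report, runs over a sample constructed from the page's own entries, and treats the set of expected publishers as an assumption for this Dell laptop; it also checks that the two sections agree on date, publisher and version for each file name.

```python
"""Review a maxlook "unsigned files" report.

Added example for this thread; it is not part of the original post and not
the tool's own code. It assumes the block layout visible in the report
above: a banner "--------- <name> ---------", then one block per file made
of a path line ending in ":" followed by indented "Key:    Value" lines.
SAMPLE_REPORT is constructed from entries on this page, and the set of
publishers treated as expected on this machine is an assumption.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^-{3,}\s*(?P<name>.+?)\s*-{3,}$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s+(?P<value>.*)$")

# Assumed for the example: vendors whose unsigned drivers are expected on
# this Dell laptop (Dell utilities, the Sonic Solutions burning stack, VSO).
EXPECTED_PUBLISHERS = {"Dell Inc", "Sonic Solutions", "VSO Software"}


def _name(path: str) -> str:
    """Case-folded file name; split on backslash so it works off Windows too."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_maxlook(text: str) -> dict:
    """Return {section name: [ {"path": ..., "Verified": ..., "Publisher": ...}, ... ]}."""
    sections, section, entry = defaultdict(list), None, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section, entry = m["name"], None
        elif (m := FIELD_RE.match(line)) and entry is not None:
            entry[m["key"]] = m["value"]
        elif section and line and not line[0].isspace() and line.endswith(":"):
            entry = {"path": line[:-1]}
            sections[section].append(entry)
    return dict(sections)


def review_unsigned(entries, expected=EXPECTED_PUBLISHERS) -> list:
    """Flag unsigned drivers that deserve a closer look: an unexpected publisher,
    or the DDK sample version resource, which names no real vendor at all."""
    flagged = []
    for e in entries:
        if e.get("Verified") != "Unsigned":
            continue
        pub = e.get("Publisher", "")
        if "DDK provider" in pub:
            flagged.append((e["path"], "generic DDK version resource; identify the vendor by hand"))
        elif pub not in expected:
            flagged.append((e["path"], f"unexpected publisher {pub!r}"))
    return flagged


def compare_copies(sections: dict, a: str, b: str) -> list:
    """File names present in both sections whose date, publisher or version differ."""
    keys = ("File date", "Publisher", "File version")
    index = {_name(e["path"]): e for e in sections.get(a, [])}
    return [_name(e["path"]) for e in sections.get(b, [])
            if _name(e["path"]) in index
            and any(e.get(k) != index[_name(e["path"])].get(k) for k in keys)]


# Constructed from entries on this page (two of the eight files per section).
SAMPLE_REPORT = r"""
--------- maxlook unsigned files ---------

c:\windows\maxdriver\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    File version:    1, 0, 1, 1
c:\windows\maxdriver\asctrm.sys:
    Verified:    Unsigned
    File date:    2:55 PM 5/14/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    File version:    5.00.2195.1

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    File version:    1, 0, 1, 1
c:\windows\system32\drivers\asctrm.sys:
    Verified:    Unsigned
    File date:    2:55 PM 5/14/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    File version:    5.00.2195.1
"""

if __name__ == "__main__":
    sections = parse_maxlook(SAMPLE_REPORT)
    live = sections[r"system32\drivers unsigned files"]
    for path, reason in review_unsigned(live):
        print(f"{path}: {reason}")
    print("metadata differs for:", compare_copies(sections, "maxlook unsigned files",
                                                   r"system32\drivers unsigned files"))
```

"Windows (R) 2000 DDK provider" is the placeholder company name from the DDK sample resource template, so a driver carrying it is unsigned and anonymous; it is not evidence of malware, only a prompt to confirm the vendor some other way (here the file sits among the Sonic Solutions burning components).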



## JSntgRvr (Jul 1, 2003)

Sorry for the delay. My broadband is down.

That log looks clear. *How is it doing?*


----------



## triton12 (Feb 19, 2010)

No problem. Thanks

Everything seems to be running fine. I'm not experiencing those problems anymore. Let me know if you want me to do anything else, if not then I think we are clear!

Thanks again


----------



## JSntgRvr (Jul 1, 2003)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix.*

Rename Combofix to Uninstall and click on it. That should remove the application.
Launch *OTL* and click on the *Cleanup* button. Follow the prompts.

Manually remove any tool left.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy *- Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*Windows Updates* - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this article* by *Miekiemoes*.

Best wishes!


----------



## triton12 (Feb 19, 2010)

Okay all done, everything looks good. Shall I close the thread?

Thanks again, you were great and patient with me.


----------



## JSntgRvr (Jul 1, 2003)

Marked "Solved". Be safe


----------

