# Trojan virus-c:\windows\system32\drivers\cdrom.sys



## ReverendLisa

I have been battling a virus all day. The only piece remaining is in c:\windows\system32\drivers\cdrom.sys.

I have done a stupid thing. I was hoping for more virus support and upgraded from the free version of AVG to the version 9.0. And of course it wants me to reboot.

I am terrified to reboot for fear of extracting the virus. 

I am not that computer savvy and would really like to save my hard drive.

Please help?

Reverend Lisa


----------



## Mumbodog

Install, update, full scan, using MBAM

http://download.cnet.com/Malwarebyt...4572.html?part=dl-10804572&subj=dl&tag=button

.


----------



## ReverendLisa

Thank you for the advice. I have downloaded this software and it is running, but of course it wants *more money* in order to correct the viruses. My big question is whether or not it is safe to reboot; then I can use the software I have already purchased. But then there is the chance that it cannot remove the virus from the system32 file because it is a system file. So advice regarding this would be helpful.


----------



## Mumbodog

MBAM is free, are you sure you downloaded the right one?


Not all files in system32 are legit system files; that is just where malware hides.

Cannot say if it is safe to reboot or not, but you have to do it sooner or later.

.


----------



## ReverendLisa

LOL! If there is a way to download the wrong one, I can find it! But so far it is the best 24.99 I ever spent.

What you and MBAM have taught me is that viruses are very tricky: they can make fake files in my system32 and look like legit files. AVG will not delete anything from system32.

We are on the 7th scan, and yes, I did finally reboot. The world did not end.
I have MBAM and AVG running, so maybe we are out of the woods. I will know more in a bit.

Thanks, Reverend Lisa


----------



## ReverendLisa

Back to square 1.

"Object name";"C:\WINDOWS\system32\drivers\cdrom.sys"
"Detection name";"Virus identified Packed.Protector.C"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is white-listed (critical/system file that should not be removed)"
"Action history";""


AVG is telling me this, and MBAM is not finding it. So now what do I do?

Thanks, Reverend Lisa


----------



## ReverendLisa

I have just completed a scan with MBAM; two things happened.

1. MBAM did not see the virus in C:\WINDOWS\system32\drivers\cdrom.sys
2. The second time MBAM was scanning C:\WINDOWS\system32\drivers\cdrom.sys, AVG identified the file as a threat and flagged it.

So right now I am unsure how to proceed. HELP!

Reverend Lisa


----------



## mtzlplex

Just a thought here: why don't you try an online virus scanner (it is free)? Then you can get a so-called second opinion to see if the supposed threat is indeed that. The one I use periodically is the ESET Online Scanner; it is free, and is found here: http://www.eset.com/onlinescan/


----------



## Mumbodog

What OS is it, and what service pack level?

The cdrom.sys should be quarantined by AVG; if not, let it quarantine the file.

Then we can find a clean file to replace it.

.


----------



## ReverendLisa

I am running Windows XP Service Pack 2, I believe, but I have all the updates since then.

AVG did not offer to quarantine the file, but I will rerun the scan and see if I overlooked the options.


----------



## ReverendLisa

Look, since I ran the checks this morning several other trojan horse things have appeared. I will try to copy the logs here in a bit. This morning the only thing that was left was the one in cdrom.sys.


----------



## Mumbodog

> Look, since I ran the checks this morning several other trojan horse things have appeared.


You better use the "report" button and ask a moderator to move this thread to the Hijack board. Disconnect the PC from the internet until you are told to do otherwise.

.


----------



## ReverendLisa

Thanks for being there for me, I am very scared to lose this hard drive!

I just ran the last scan with AVG, it identified the following:

"C:\WINDOWS\system32\drivers\cdrom.sys";"Virus identified Packed.Protector.C";"Object is white-listed (critical/system file that should not be removed)"
"C:\WINDOWS\system32\bnsr.exe (3216)";"Trojan horse SHeur2.CHPZ";"Reboot is required to finish the action"
"C:\WINDOWS\system32\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"

I had to reboot to clear the above, and the trojan horse thingy from this morning is still there.

Before I could reboot, the computer began to crash with a System32 error; before I could print screen it was gone. AVG must have put up a good fight.

The computer did what they called a loop 3 times, then I started it in safe mode when given the opportunity. It gave me a blue screen of death and went down again. Then by some miracle it restarted, and I am here to tell you that the darn system32\drivers\cdrom.sys is back; it must be accessed during the boot up.

So thank you, friend, I am now hitting the report button.
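Reading an AVG result export like the one above programmatically makes the stuck item stand out: the driver is detected but explicitly not acted on, while bnsr.exe is quarantined with one action still waiting on a reboot. The following is an added example, not AVG's or the thread's own code; the semicolon-separated object/detection/result layout is assumed from the pasted lines, and the sample input is those same lines.

```python
"""Triage an AVG scan-result export of the kind pasted above.

Added example, not AVG's or the forum's code. The export is assumed to be
semicolon-separated, double-quoted fields in the order object, detection,
result, exactly as the posted lines show; that layout is an assumption.
"""
import csv
import io
import re

# Constructed sample input: the five result lines posted in this thread.
AVG_SAMPLE = '''\
"C:\\WINDOWS\\system32\\drivers\\cdrom.sys";"Virus identified Packed.Protector.C";"Object is white-listed (critical/system file that should not be removed)"
"C:\\WINDOWS\\system32\\bnsr.exe (3216)";"Trojan horse SHeur2.CHPZ";"Reboot is required to finish the action"
"C:\\WINDOWS\\system32\\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"
"C:\\WINDOWS\\system32\\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"
"C:\\WINDOWS\\system32\\bnsr.exe";"Trojan horse SHeur2.CHPZ";"Moved to Virus Vault"
'''

# Outcome categories, worst first: a detection the scanner refused to act on
# is the one that still needs a human (here, a clean copy of the driver).
PRIORITY = ("detected-not-removed", "pending-reboot", "quarantined", "other")
PID_SUFFIX = re.compile(r"\s\(\d+\)$")   # "bnsr.exe (3216)" = running process, PID 3216


def outcome(result):
    """Map AVG's free-text result column onto one of the PRIORITY categories."""
    if "white-listed" in result:
        return "detected-not-removed"
    if result.startswith("Reboot is required"):
        return "pending-reboot"
    if result == "Moved to Virus Vault":
        return "quarantined"
    return "other"


def triage_avg(text):
    """Collapse repeated lines per object and keep the worst outcome seen for it."""
    report = {}
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue                        # blank or malformed line
        obj, detection, result = row
        key = PID_SUFFIX.sub("", obj).lower()   # process and file entries share one key
        entry = report.setdefault(key, {"detection": detection, "hits": 0,
                                        "outcomes": set(), "status": "other"})
        entry["hits"] += 1
        entry["outcomes"].add(outcome(result))
        entry["status"] = min(entry["outcomes"], key=PRIORITY.index)
    return report


def needs_manual_action(report):
    """Objects the scanner flagged but would not touch."""
    return [k for k, v in report.items() if v["status"] == "detected-not-removed"]


if __name__ == "__main__":
    rep = triage_avg(AVG_SAMPLE)
    for path, v in rep.items():
        print(f"{v['status']:<21} x{v['hits']}  {path}  [{v['detection']}]")
    print("manual follow-up:", needs_manual_action(rep))
```

The point of collapsing the repeats is that the three identical bnsr.exe vault entries and the PID-suffixed process entry are one object; its status stays "pending-reboot" until the reboot AVG asked for has happened, while cdrom.sys is the only object left in the "detected but not removed" state.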


----------



## dvk01

Delete any existing version of ComboFix you have sitting on your desktop.
*Please read and follow all these instructions very carefully.*
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer.***
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause _"unpredictable results"_ or stop ComboFix running at all.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after ComboFix has finished.*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on *combofix.exe* & follow the prompts. If you are using Windows XP it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* for further review.

***Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read HERE why we disable autoruns.

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.*


----------



## ReverendLisa

ComboFix 10-01-23.06 - lisa 01/24/2010 8:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -8:00]
Running from: c:\documents and settings\lisa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\Common
c:\program files\Common\_helper.dll
c:\program files\Common\_helper.sig
c:\windows\system32\tmp41.tmp
c:\windows\system32\WORK.DAT

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected 
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_ZWANGISEARCH_SERVICE
-------\Legacy_ZWANGISRCH_SERVICE
-------\Service_MyWebSearchService
-------\Service_ZwangiSearch Service
-------\Service_ZwangiSrch Service

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 17:44 . 2010-01-23 01:16 356616 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-01-23 17:44 . 2010-01-23 01:15 161672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-01-23 17:44 . 2010-01-23 01:16 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-01-23 17:44 . 2010-01-23 01:16 12464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrsstx.dll
2010-01-23 17:44 . 2010-01-23 01:15 502040 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrsx.exe
2010-01-23 17:36 . 2010-01-23 01:15 875288 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-01-23 17:36 . 2010-01-23 01:15 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-01-23 17:36 . 2010-01-23 01:15 1656088 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-01-23 17:36 . 2010-01-23 01:15 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-01-23 03:25 . 2010-01-23 03:25 -------- d-----w- c:\documents and settings\lisa\Application Data\Malwarebytes
2010-01-23 03:25 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 03:25 . 2010-01-23 03:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 03:25 . 2010-01-23 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-23 03:25 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 01:26 . 2010-01-12 21:17 79872 ----a-w- c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\e0w33ctb.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-01-23 01:26 . 2010-01-12 21:17 33280 ----a-w- c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\e0w33ctb.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINCE\components\WeaveCrypto.dll
2010-01-23 01:18 . 2010-01-23 01:18 -------- d-----w- c:\documents and settings\lisa\Local Settings\Application Data\AVG Security Toolbar
2010-01-23 01:16 . 2010-01-23 15:17 -------- d-----w- C:\$AVG
2010-01-23 01:16 . 2010-01-23 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-23 01:15 . 2010-01-23 17:43 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-23 01:15 . 2010-01-24 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 17:49 . 2010-01-22 17:54 -------- d-----w- c:\documents and settings\lisa\Application Data\VoxOx2
2010-01-22 17:48 . 2010-01-22 22:59 -------- d-----w- c:\program files\VoxOx
2010-01-18 03:13 . 2010-01-18 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-18 03:13 . 2010-01-18 03:13 -------- d-----w- c:\documents and settings\lisa\Application Data\Office Genuine Advantage
2010-01-11 14:19 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 16:08 . 2010-01-10 16:08 -------- d-----w- c:\program files\Classic Menu for Office
2009-12-29 06:11 . 2009-12-29 06:11 -------- d-----w- c:\windows\SQL9_KB970892_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 07:11 . 2009-08-11 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ZwangiSearch
2010-01-24 03:24 . 2009-04-05 04:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-23 18:53 . 2009-08-11 20:15 -------- d-----w- c:\program files\ZwangiSearch
2010-01-23 17:43 . 2009-03-14 17:00 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-23 17:43 . 2009-03-14 17:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-23 17:43 . 2007-09-29 05:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-23 04:38 . 2009-11-08 18:07 -------- d-----w- c:\program files\ZwangiSrch
2010-01-23 04:38 . 2009-11-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZwangiSrch
2010-01-23 01:16 . 2009-03-14 17:00 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-23 01:15 . 2009-03-14 17:00 -------- d-----w- c:\program files\AVG
2010-01-22 20:18 . 2009-12-11 23:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-18 02:54 . 2009-12-12 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-06 11:18 . 2008-09-02 01:46 -------- d-----w- c:\documents and settings\lisa\Application Data\Azureus
2010-01-03 02:47 . 2007-09-29 03:56 87936 ----a-w- c:\documents and settings\lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 06:17 . 2009-12-15 05:55 -------- d-----w- c:\program files\Microsoft Works
2009-12-29 06:12 . 2009-12-15 06:32 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-24 07:40 . 2009-12-24 07:40 -------- d-----w- c:\program files\LG Electronics
2009-12-24 07:40 . 2007-09-28 05:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 19:01 . 2009-12-22 19:01 -------- d-----w- c:\program files\MSXML 6.0
2009-12-22 18:56 . 2008-09-02 01:45 -------- d-----w- c:\program files\Vuze
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 17:21 . 2009-12-19 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-19 18:31 . 2009-12-13 19:30 -------- d-----w- c:\program files\ATI
2009-12-19 18:31 . 2008-06-03 01:35 -------- d-----w- c:\program files\ATI Technologies
2009-12-19 16:55 . 2009-12-19 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-18 19:27 . 2009-12-18 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-18 18:59 . 2009-12-18 18:39 6516755 ----a-w- c:\documents and settings\lisa\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-12-18 18:59 . 2009-12-18 18:39 4141117 ----a-w- c:\documents and settings\lisa\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-12-18 18:57 . 2009-03-20 03:52 10686001 ----a-w- c:\documents and settings\lisa\Application Data\Azureus\plugins\azump\mplayer.exe
2009-12-18 18:40 . 2009-12-18 18:40 15884 ----a-w- c:\documents and settings\lisa\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-12-18 18:40 . 2009-12-18 18:40 102400 ----a-w- c:\documents and settings\lisa\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-12-17 20:37 . 2009-12-17 20:36 -------- d-----w- c:\program files\iTunes
2009-12-17 20:36 . 2009-12-17 20:36 -------- d-----w- c:\program files\iPod
2009-12-17 20:36 . 2009-09-11 01:41 -------- d-----w- c:\program files\Common Files\Apple
2009-12-17 20:36 . 2008-01-17 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-17 20:33 . 2008-01-17 04:03 -------- d-----w- c:\program files\QuickTime Alternative
2009-12-17 20:17 . 2009-12-17 20:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-15 06:41 . 2009-12-15 06:40 -------- d-----w- c:\program files\Microsoft Small Business
2009-12-15 06:36 . 2009-12-15 05:53 -------- d-----w- c:\program files\Microsoft.NET
2009-12-15 06:29 . 2009-12-14 02:54 -------- d-----w- c:\documents and settings\lisa\Application Data\GetRightToGo
2009-12-14 02:24 . 2009-12-11 18:10 -------- d-----w- c:\program files\iPod(2)
2009-12-14 02:24 . 2009-12-11 18:10 -------- d-----w- c:\program files\iTunes(2)
2009-12-14 02:23 . 2009-12-11 22:11 -------- d-----w- c:\program files\Microsoft Expression
2009-12-14 02:23 . 2009-12-12 19:54 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-14 01:57 . 2008-10-11 01:08 -------- d-----w- c:\documents and settings\lisa\Application Data\OpenOffice.org2
2009-12-12 19:59 . 2009-03-13 03:45 -------- d-----w- c:\program files\MSBuild
2009-12-12 19:57 . 2009-12-12 19:57 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-12 19:53 . 2009-12-12 19:53 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-12-12 19:38 . 2009-12-12 16:43 -------- d-----w- c:\documents and settings\lisa\Application Data\Download Manager
2009-12-12 09:08 . 2009-12-12 09:08 824424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-12 03:30 . 2009-12-12 03:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-07 05:44 . 2008-06-02 04:18 -------- d-----w- c:\documents and settings\lisa\Application Data\Creative
2009-12-07 03:57 . 2009-12-07 01:33 -------- d-----w- c:\program files\Avidemux 2.5
2009-12-07 03:16 . 2009-12-07 03:16 12518 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-07 03:11 . 2009-12-07 03:11 -------- d-----w- c:\program files\RADVideo
2009-12-07 02:23 . 2009-12-07 02:23 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-12-07 02:23 . 2009-12-07 02:23 -------- d-----w- c:\program files\TechSmith
2009-12-07 01:45 . 2009-01-31 07:54 -------- d-----w- c:\program files\AVS4YOU
2009-12-07 01:36 . 2009-12-07 01:33 -------- d-----w- c:\documents and settings\lisa\Application Data\avidemux
2009-12-07 00:19 . 2007-11-18 21:02 -------- d-----w- c:\program files\Wondershare
2009-12-06 18:37 . 2009-06-13 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-12-06 18:36 . 2009-12-06 18:34 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-06 18:34 . 2007-12-26 01:30 -------- d-----w- c:\program files\Nero
2009-12-06 18:34 . 2007-12-26 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-06 17:32 . 2007-11-13 14:51 -------- d-----w- c:\documents and settings\lisa\Application Data\ArcSoft
2009-12-06 17:00 . 2009-12-06 16:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-12-06 16:54 . 2008-08-08 17:51 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-12-06 16:52 . 2009-12-06 16:52 -------- d-----w- c:\program files\Kodak
2009-12-06 00:04 . 2009-09-11 01:47 -------- d-----w- c:\documents and settings\lisa\Application Data\Apple Computer
2009-11-25 18:43 . 2007-11-08 17:39 -------- d-----w- c:\documents and settings\lisa\Application Data\AdobeUM
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
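The Sigcheck section of the log above is the part that answers the thread's question about whether a system driver is genuine: each copy of atapi.sys is listed with its hash and version, and the copy under ServicePackFiles is the same kind of clean source ComboFix reports using when it restored cdrom.sys. The following is an added example, not ComboFix's code: it parses those lines, labels each copy against the ServicePackFiles reference, and then performs the same hash comparison on real files. The field layout (marker, date, hash, size, version, path) and the choice of reference copy are assumptions read off this log, and the file demo uses constructed bytes, not real drivers.

```python
"""Read the 'Sigcheck' section of a ComboFix log and hash-check a live driver
against a known-good copy.  Added example, not ComboFix's code: the Sigcheck
field layout (marker, date, hash, size, version, path, separated by ' . ') and
the use of the ServicePackFiles copy as trusted reference are assumptions read
off the log posted in this thread.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: the four atapi.sys lines from the posted log.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+"                        # '[-]' marks the copy ComboFix could not hash
    r"(?P<date>\d{4}-\d\d-\d\d(?: \d\d:\d\d)?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+"                           # 32 hex digits (MD5 length) or '!HASH: ...'
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*)$"
)

def parse_sigcheck(text):
    """Turn each Sigcheck line into a dict; raise on lines the layout does not fit."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = SIGCHECK_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Sigcheck line: {line!r}")
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["name"] = PureWindowsPath(rec["path"]).name.lower()
        rec["readable"] = not rec["hash"].startswith("!HASH")
        records.append(rec)
    return records

def classify(records):
    """Group copies by file name, take the ServicePackFiles copy as reference
    and label every other copy relative to it."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    report = {}
    for name, recs in by_name.items():
        ref = next((r for r in recs if "\\servicepackfiles\\" in r["path"].lower()), None)
        findings = []
        for rec in recs:
            if rec is ref:
                status = "REFERENCE"
            elif ref is None:
                status = "NO-REFERENCE"
            elif not rec["readable"]:
                status = "UNREADABLE"     # locked or hidden: no verdict possible, follow up
            elif rec["hash"] == ref["hash"]:
                status = "MATCH"
            elif rec["version"] != ref["version"]:
                status = "OTHER-VERSION"  # older build, so a different hash is expected
            else:
                status = "HASH-MISMATCH"  # same version string, different bytes: suspect
            findings.append((status, rec["path"]))
        report[name] = findings
    return report

def md5_of(path):
    """MD5 of a file, uppercase hex, to match the Sigcheck column."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest().upper()

def compare_copies(live_path, reference_path):
    """The same check done on real files: hash the live driver and the reference copy."""
    try:
        live = md5_of(live_path)
    except OSError:
        return "UNREADABLE"
    return "MATCH" if live == md5_of(reference_path) else "HASH-MISMATCH"

def demo_compare():
    """Constructed demo: a stand-in reference file, an identical live copy and a
    copy with one patched byte (fake data, not real drivers)."""
    reference = b"MZ" + bytes(range(256)) * 4
    patched = bytearray(reference)
    patched[300] ^= 0x5A                  # same size, one byte changed
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for fname, data in (("ref.sys", reference), ("clean.sys", reference), ("patched.sys", bytes(patched))):
            paths[fname] = os.path.join(d, fname)
            with open(paths[fname], "wb") as f:
                f.write(data)
        return {"clean": compare_copies(paths["clean.sys"], paths["ref.sys"]),
                "patched": compare_copies(paths["patched.sys"], paths["ref.sys"])}

if __name__ == "__main__":
    for name, findings in classify(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(name)
        for status, path in findings:
            print(f"  {status:<14} {path}")
    print(demo_compare())
```

A copy that hashes differently but also carries a different version string is just an older build, which is what the two pre-service-pack backups show. The cases worth attention are a hash mismatch at the same version string, which is how a patched driver that keeps its version resource looks, and, as in this log, a live driver that could not be read at all, for which no verdict is possible until it can be hashed from a clean boot.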


----------



## ReverendLisa

*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-18 20:28 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2009-11-8 29290496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-23 17:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN111 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WPN111 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lisa^Start Menu^Programs^Startup^LingvoSoft Application Manager 2008.lnk]
path=c:\documents and settings\lisa\Start Menu\Programs\Startup\LingvoSoft Application Manager 2008.lnk
backup=c:\windows\pss\LingvoSoft Application Manager 2008.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^lisa^Start Menu^Programs^Startup^LingvoSoft Talking Dictionary 2008 (English-Armenian).lnk]
path=c:\documents and settings\lisa\Start Menu\Programs\Startup\LingvoSoft Talking Dictionary 2008 (English-Armenian).lnk
backup=c:\windows\pss\LingvoSoft Talking Dictionary 2008 (English-Armenian).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2005-11-30 18:35 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-06 21:30 195072 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Armenian NLS Keyboard]
2009-04-05 18:56 787456 ----a-w- c:\program files\Armenian NLS\armnls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
2002-12-06 23:07 617984 ----a-w- c:\program files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 02:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-23 17:44 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2008-12-31 21:28 3961064 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-22 19:13 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 09:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 08:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
2005-12-15 20:18 2490368 ----a-w- c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6400]
2003-06-03 10:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo RX680 Series]
2007-04-13 14:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICJA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-06-04 07:42 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2003-09-16 04:00 270336 ----a-w- c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionViewPort]
2003-09-16 04:00 364544 ----a-w- c:\program files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ismaagent]
2008-10-18 00:34 590848 ----a-w- c:\program files\ISMA Translator Agent\TAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2004-01-19 18:25 1892864 ----a-w- c:\program files\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 16:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-05 09:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-12-05 09:41 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-12-05 09:41 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2006-07-03 04:43 10752 ----a-w- c:\windows\system32\SPIRun.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-05-23 02:36 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-05-30 08:21 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 02:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-29 23:11 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-07 02:48 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-07 15:43 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2005-03-15 09:46 196608 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBDetector]
2003-04-01 18:33 53248 ----a-w- c:\usbstorage\USBDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2007-03-01 00:50 180224 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [6/29/2009 7:17 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [6/29/2009 7:17 PM 5248]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/22/2010 5:15 PM 161800]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/14/2009 9:00 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/14/2009 9:00 AM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/23/2010 9:43 AM 285392]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 4:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 4:25 PM 36352]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [11/8/2009 8:56 AM 57344]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 4:25 PM 77056]
S2 gupdate1ca077243e2187c;Google Update Service (gupdate1ca077243e2187c);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 10:37 PM 133104]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [9/27/2007 9:49 PM 17149]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [11/8/2009 8:56 AM 356434]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [12/23/2009 11:40 PM 19968]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [9/27/2007 9:49 PM 362944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 06:37]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 06:37]

2010-01-24 c:\windows\Tasks\User_Feed_Synchronization-{14B31B6E-FF91-4251-BFDA-7EBECDC234D7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=MSlz_gRO4LmG93aPsYC64w
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = 
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
DPF: {BE71A78B-77DB-451C-A761-59B37022D544} - hxxp://o.aolcdn.com/pictures/ap/Resources/v2.15/cab/aolpPlugins.10.6.0.8.cab
FF - ProfilePath - c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\e0w33ctb.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=MSlz_gRO4LmG93aPsYC64w
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=MSlz_gRO4LmG93aPsYC64w&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\e0w33ctb.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-IntelliPoint - c:\program files\Microsoft IntelliPoint\point32.exe
MSConfigStartUp-Microsoft WinService - c:\windows\system32\cmds.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
AddRemove-{F5223680-993A-11D4-86F6-0001031E5712} - c:\program files\InterVideo\Installer\IVIUninstaller.exe

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87285008]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7892f28
\Driver\ACPI -> ACPI.sys @ 0xf77bdcb8
\Driver\atapi -> 0x87285008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: D-Link DWA-552 XtremeN Desktop Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7644bd4
PacketIndicateHandler -> NDIS.sys @ 0xf7650a21
SendHandler -> NDIS.sys @ 0xf7644d44
Warning: possible MBR rootkit infection !
user & kernel MBR OK 
copy of MBR has been found in sector 2 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3656)
c:\windows\system32\WININET.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Promise\Utility\MsgAgt.exe
c:\program files\Promise\Utility\MsgSvr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-24 08:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 16:28

Pre-Run: 331,079,688,192 bytes free
Post-Run: 335,890,362,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8F305BE4BB833A00FD33E4AAC1C4DE2F


----------



## ReverendLisa

Thank you, folks, here are my results. I posted them in two pieces due to size. You asked if I minded the auto start; I think it might be a problem later. So when we are done, I would like to restore any operational thing that might have changed.

Thanks again so much, today is Sunday so I will not be online until much later. Thanks !

Reverend Lisa

http://www.thereverendlisa.com


----------



## dvk01

Reboot and make sure you are in an account with admin privileges, not a limited account, and do all malware cleaning in an admin account.

then

Run TDSSKiller from http://support.kaspersky.com/viruses/solutions?qid=208280684

Post back with its log and we can go from there.


----------



## ReverendLisa

19:30:00:781 2008 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
19:30:00:781 2008 ================================================================================
19:30:00:781 2008 SystemInfo:

19:30:00:781 2008 OS Version: 5.1.2600 ServicePack: 3.0
19:30:00:781 2008 Product type: Workstation
19:30:00:781 2008 ComputerName: LIVINGROOM
19:30:00:781 2008 UserName: lisa
19:30:00:781 2008 Windows directory: C:\WINDOWS
19:30:00:781 2008 Processor architecture: Intel x86
19:30:00:781 2008 Number of processors: 2
19:30:00:781 2008 Page size: 0x1000
19:30:00:781 2008 Boot type: Normal boot
19:30:00:781 2008 ================================================================================
19:30:00:796 2008 UnloadDriverW: NtUnloadDriver error 2
19:30:00:796 2008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:30:00:796 2008 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:30:00:843 2008 UtilityInit: KLMD drop and load success
19:30:00:843 2008 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
19:30:00:843 2008 UtilityInit: KLMD open success
19:30:00:843 2008 UtilityInit: Initialize success
19:30:00:843 2008 
19:30:00:843 2008 Scanning Services ...
19:30:00:843 2008 CreateRegParser: Registry parser init started
19:30:00:843 2008 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
19:30:00:843 2008 CreateRegParser: DisableWow64Redirection error
19:30:00:843 2008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:30:00:843 2008 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
19:30:00:843 2008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:30:00:843 2008 wfopen_ex: Trying to KLMD file open
19:30:00:843 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
19:30:00:843 2008 wfopen_ex: File opened ok (Flags 2)
19:30:00:843 2008 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3849B0
19:30:00:843 2008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:30:00:843 2008 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
19:30:00:843 2008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:30:00:843 2008 wfopen_ex: Trying to KLMD file open
19:30:00:843 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
19:30:00:843 2008 wfopen_ex: File opened ok (Flags 2)
19:30:00:843 2008 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384A58
19:30:00:843 2008 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
19:30:00:843 2008 CreateRegParser: EnableWow64Redirection error
19:30:00:843 2008 CreateRegParser: RegParser init completed
19:30:01:171 2008 GetAdvancedServicesInfo: Raw services enum returned 391 services
19:30:01:171 2008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:30:01:171 2008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:30:01:171 2008 
19:30:01:171 2008 Scanning Kernel memory ...
19:30:01:171 2008 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:30:01:171 2008 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8731FF38
19:30:01:171 2008 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
19:30:01:171 2008 
19:30:01:171 2008 DetectCureTDL3: DEVICE_OBJECT: 86AF3860
19:30:01:171 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86AF3860
19:30:01:171 2008 KLMD_ReadMem: Trying to ReadMemory 0x86AF3860[0x38]
19:30:01:171 2008 DetectCureTDL3: DRIVER_OBJECT: 8731FF38
19:30:01:171 2008 KLMD_ReadMem: Trying to ReadMemory 0x8731FF38[0xA8]
19:30:01:171 2008 KLMD_ReadMem: Trying to ReadMemory 0xE1862650[0x18]
19:30:01:171 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:30:01:171 2008 DetectCureTDL3: IrpHandler (0) addr: F7894BB0
19:30:01:171 2008 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (2) addr: F7894BB0
19:30:01:171 2008 DetectCureTDL3: IrpHandler (3) addr: F788ED1F
19:30:01:171 2008 DetectCureTDL3: IrpHandler (4) addr: F788ED1F
19:30:01:171 2008 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (9) addr: F788F2E2
19:30:01:171 2008 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (14) addr: F788F3BB
19:30:01:171 2008 DetectCureTDL3: IrpHandler (15) addr: F7892F28
19:30:01:171 2008 DetectCureTDL3: IrpHandler (16) addr: F788F2E2
19:30:01:171 2008 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (22) addr: F7890C82
19:30:01:171 2008 DetectCureTDL3: IrpHandler (23) addr: F789599E
19:30:01:171 2008 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:30:01:171 2008 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:30:01:171 2008 TDL3_FileDetect: Processing driver: Disk
19:30:01:171 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:171 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:218 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:30:01:218 2008 
19:30:01:218 2008 DetectCureTDL3: DEVICE_OBJECT: 870171B0
19:30:01:218 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870171B0
19:30:01:218 2008 KLMD_ReadMem: Trying to ReadMemory 0x870171B0[0x38]
19:30:01:218 2008 DetectCureTDL3: DRIVER_OBJECT: 8731FF38
19:30:01:218 2008 KLMD_ReadMem: Trying to ReadMemory 0x8731FF38[0xA8]
19:30:01:218 2008 KLMD_ReadMem: Trying to ReadMemory 0xE1862650[0x18]
19:30:01:218 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:30:01:218 2008 DetectCureTDL3: IrpHandler (0) addr: F7894BB0
19:30:01:218 2008 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (2) addr: F7894BB0
19:30:01:218 2008 DetectCureTDL3: IrpHandler (3) addr: F788ED1F
19:30:01:218 2008 DetectCureTDL3: IrpHandler (4) addr: F788ED1F
19:30:01:218 2008 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (9) addr: F788F2E2
19:30:01:218 2008 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (14) addr: F788F3BB
19:30:01:218 2008 DetectCureTDL3: IrpHandler (15) addr: F7892F28
19:30:01:218 2008 DetectCureTDL3: IrpHandler (16) addr: F788F2E2
19:30:01:218 2008 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (22) addr: F7890C82
19:30:01:218 2008 DetectCureTDL3: IrpHandler (23) addr: F789599E
19:30:01:218 2008 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:30:01:218 2008 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:30:01:218 2008 TDL3_FileDetect: Processing driver: Disk
19:30:01:218 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:218 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:234 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:30:01:234 2008 
19:30:01:234 2008 DetectCureTDL3: DEVICE_OBJECT: 870E67D8
19:30:01:234 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870E67D8
19:30:01:234 2008 DetectCureTDL3: DEVICE_OBJECT: 86FE13C0
19:30:01:234 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FE13C0
19:30:01:234 2008 KLMD_ReadMem: Trying to ReadMemory 0x86FE13C0[0x38]
19:30:01:234 2008 DetectCureTDL3: DRIVER_OBJECT: 86FF84B0
19:30:01:234 2008 KLMD_ReadMem: Trying to ReadMemory 0x86FF84B0[0xA8]
19:30:01:234 2008 KLMD_ReadMem: Trying to ReadMemory 0xE1CDFE98[0x1E]
19:30:01:234 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:30:01:234 2008 DetectCureTDL3: IrpHandler (0) addr: F7B13218
19:30:01:234 2008 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (2) addr: F7B13218
19:30:01:234 2008 DetectCureTDL3: IrpHandler (3) addr: F7B1323C
19:30:01:234 2008 DetectCureTDL3: IrpHandler (4) addr: F7B1323C
19:30:01:234 2008 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (14) addr: F7B13180
19:30:01:234 2008 DetectCureTDL3: IrpHandler (15) addr: F7B0E9E6
19:30:01:234 2008 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (22) addr: F7B125F0
19:30:01:234 2008 DetectCureTDL3: IrpHandler (23) addr: F7B10A6E
19:30:01:234 2008 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:30:01:234 2008 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:30:01:234 2008 KLMD_ReadMem: Trying to ReadMemory 0xF7B0FF26[0x400]
19:30:01:234 2008 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:30:01:234 2008 TDL3_FileDetect: Processing driver: USBSTOR
19:30:01:234 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:30:01:234 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:30:01:250 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:30:01:250 2008 
19:30:01:250 2008 DetectCureTDL3: DEVICE_OBJECT: 870E7030
19:30:01:250 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870E7030
19:30:01:250 2008 DetectCureTDL3: DEVICE_OBJECT: 86FD7C10
19:30:01:250 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD7C10
19:30:01:250 2008 KLMD_ReadMem: Trying to ReadMemory 0x86FD7C10[0x38]
19:30:01:250 2008 DetectCureTDL3: DRIVER_OBJECT: 86FF84B0
19:30:01:250 2008 KLMD_ReadMem: Trying to ReadMemory 0x86FF84B0[0xA8]
19:30:01:250 2008 KLMD_ReadMem: Trying to ReadMemory 0xE1CDFE98[0x1E]
19:30:01:250 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:30:01:250 2008 DetectCureTDL3: IrpHandler (0) addr: F7B13218
19:30:01:250 2008 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (2) addr: F7B13218
19:30:01:250 2008 DetectCureTDL3: IrpHandler (3) addr: F7B1323C
19:30:01:250 2008 DetectCureTDL3: IrpHandler (4) addr: F7B1323C
19:30:01:250 2008 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (14) addr: F7B13180
19:30:01:250 2008 DetectCureTDL3: IrpHandler (15) addr: F7B0E9E6
19:30:01:250 2008 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (22) addr: F7B125F0
19:30:01:250 2008 DetectCureTDL3: IrpHandler (23) addr: F7B10A6E
19:30:01:250 2008 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:30:01:250 2008 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:30:01:250 2008 KLMD_ReadMem: Trying to ReadMemory 0xF7B0FF26[0x400]
19:30:01:250 2008 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:30:01:250 2008 TDL3_FileDetect: Processing driver: USBSTOR
19:30:01:250 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:30:01:250 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:30:01:265 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:30:01:265 2008 
19:30:01:265 2008 DetectCureTDL3: DEVICE_OBJECT: 87367C68
19:30:01:265 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87367C68
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0x87367C68[0x38]
19:30:01:265 2008 DetectCureTDL3: DRIVER_OBJECT: 8731FF38
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0x8731FF38[0xA8]
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0xE1862650[0x18]
19:30:01:265 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:30:01:265 2008 DetectCureTDL3: IrpHandler (0) addr: F7894BB0
19:30:01:265 2008 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (2) addr: F7894BB0
19:30:01:265 2008 DetectCureTDL3: IrpHandler (3) addr: F788ED1F
19:30:01:265 2008 DetectCureTDL3: IrpHandler (4) addr: F788ED1F
19:30:01:265 2008 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (9) addr: F788F2E2
19:30:01:265 2008 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (14) addr: F788F3BB
19:30:01:265 2008 DetectCureTDL3: IrpHandler (15) addr: F7892F28
19:30:01:265 2008 DetectCureTDL3: IrpHandler (16) addr: F788F2E2
19:30:01:265 2008 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (22) addr: F7890C82
19:30:01:265 2008 DetectCureTDL3: IrpHandler (23) addr: F789599E
19:30:01:265 2008 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:30:01:265 2008 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:30:01:265 2008 TDL3_FileDetect: Processing driver: Disk
19:30:01:265 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:265 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:30:01:265 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:30:01:265 2008 
19:30:01:265 2008 DetectCureTDL3: DEVICE_OBJECT: 8737E758
19:30:01:265 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8737E758
19:30:01:265 2008 DetectCureTDL3: DEVICE_OBJECT: 873809E8
19:30:01:265 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873809E8
19:30:01:265 2008 DetectCureTDL3: DEVICE_OBJECT: 87371B00
19:30:01:265 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87371B00
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0x87371B00[0x38]
19:30:01:265 2008 DetectCureTDL3: DRIVER_OBJECT: 8731FE18
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0x8731FE18[0xA8]
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0xE101A170[0x1A]
19:30:01:265 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:30:01:265 2008 DetectCureTDL3: IrpHandler (0) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (1) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (2) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (3) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (4) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (5) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (6) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (7) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (8) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (9) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (10) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (11) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (12) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (13) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (14) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (15) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (16) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (17) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (18) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (19) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (20) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (21) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (22) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (23) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (24) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (25) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: IrpHandler (26) addr: 87285008
19:30:01:265 2008 DetectCureTDL3: All IRP handlers pointed to one addr: 87285008
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0x87285008[0x400]
19:30:01:265 2008 TDL3_IrpHookDetect: CheckParameters: 0, 0, 0, 0, 0, 0
19:30:01:265 2008 KLMD_ReadMem: Trying to ReadMemory 0xF7750864[0x400]
19:30:01:265 2008 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:30:01:265 2008 TDL3_FileDetect: Processing driver: atapi
19:30:01:265 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:30:01:265 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
19:30:01:296 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
19:30:01:296 2008 
19:30:01:296 2008 DetectCureTDL3: DEVICE_OBJECT: 873852E0
19:30:01:296 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873852E0
19:30:01:296 2008 DetectCureTDL3: DEVICE_OBJECT: 87373AC0
19:30:01:296 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87373AC0
19:30:01:296 2008 DetectCureTDL3: DEVICE_OBJECT: 87372940
19:30:01:296 2008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87372940
19:30:01:296 2008 KLMD_ReadMem: Trying to ReadMemory 0x87372940[0x38]
19:30:01:296 2008 DetectCureTDL3: DRIVER_OBJECT: 8731FE18
19:30:01:296 2008 KLMD_ReadMem: Trying to ReadMemory 0x8731FE18[0xA8]
19:30:01:296 2008 KLMD_ReadMem: Trying to ReadMemory 0xE101A170[0x1A]
19:30:01:296 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:30:01:296 2008 DetectCureTDL3: IrpHandler (0) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (1) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (2) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (3) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (4) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (5) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (6) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (7) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (8) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (9) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (10) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (11) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (12) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (13) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (14) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (15) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (16) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (17) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (18) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (19) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (20) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (21) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (22) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (23) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (24) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (25) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (26) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: All IRP handlers pointed to one addr: 87285008
19:30:01:296 2008 KLMD_ReadMem: Trying to ReadMemory 0x87285008[0x400]
19:30:01:296 2008 TDL3_IrpHookDetect: CheckParameters: 0, 0, 0, 0, 0, 0
19:30:01:296 2008 KLMD_ReadMem: Trying to ReadMemory 0xF7750864[0x400]
19:30:01:296 2008 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:30:01:296 2008 TDL3_FileDetect: Processing driver: atapi
19:30:01:296 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:30:01:296 2008 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
19:30:01:296 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
19:30:01:296 2008 
19:30:01:296 2008 Completed
19:30:01:296 2008 
19:30:01:296 2008 Results:
19:30:01:296 2008 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:30:01:296 2008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:30:01:296 2008 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:30:01:296 2008 
19:30:01:296 2008 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:30:01:296 2008 UtilityDeinit: KLMD(ARK) unloaded successfully


----------
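As an added example (not part of this thread, and not TDSSKiller's own code), here is a small Python parser for the log format posted above. It reads the DetectCureTDL3 lines, records each driver's IRP handler addresses and the file verdict TDSSKiller reached, and pulls the final Results counts, so a helper reading a pasted log can see at a glance which disk-stack drivers the tool checked and what it concluded. The sample log embeds a few of the atapi lines from the log above together with a constructed second driver called example, whose name, addresses and path are made up for the test. The shared_dispatch check mirrors the tool's own "All IRP handlers pointed to one addr" line: in the log above it was true for atapi, and the tool then examined the code at that address and the file on disk before reporting Clean, so a shared address is a prompt for closer inspection rather than a verdict by itself.

```python
"""Parse a TDSSKiller (KLMD/ARK) log and summarise its TDL3 driver checks.

Added example for reading logs like the one posted in this thread; the
regular expressions follow the line formats visible in that log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every line starts with "HH:MM:SS:mmm YYYY " followed by the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d{4} (?P<msg>.*)$")
DRIVER_RE = re.compile(
    r"DetectCureTDL3: DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)$")
RESULT_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)")


@dataclass
class DriverCheck:
    name: str
    object_name: str
    irp_handlers: Dict[int, int] = field(default_factory=dict)  # major function -> address
    file_path: Optional[str] = None
    verdict: Optional[str] = None

    def shared_dispatch(self) -> bool:
        """True when every logged IRP handler points to one address.

        TDSSKiller reports this as 'All IRP handlers pointed to one addr' and
        then inspects the code there; it is a reason to look closer, not an
        infection on its own (atapi in the posted log shared one address and
        was still judged Clean).
        """
        return len(self.irp_handlers) > 1 and len(set(self.irp_handlers.values())) == 1


@dataclass
class Report:
    drivers: List[DriverCheck] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)

    def infected_count(self) -> int:
        """Sum of the 'infected' column over Memory/Registry/File results."""
        return sum(r[0] for r in self.results.values())

    def suspicious(self) -> List[str]:
        """Drivers whose file verdict was anything other than Clean."""
        return [d.name for d in self.drivers if d.verdict not in (None, "Clean")]


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once, attaching IRP handler and verdict lines to the
    most recently seen DRIVER_OBJECT and collecting the Results block."""
    report = Report()
    current: Optional[DriverCheck] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := DRIVER_RE.search(msg)):
            current = DriverCheck(name=d["name"], object_name=d["obj"])
            report.drivers.append(current)
        elif current and (h := IRP_RE.search(msg)):
            current.irp_handlers[int(h["idx"])] = int(h["addr"], 16)
        elif current and (v := VERDICT_RE.search(msg)):
            current.file_path, current.verdict = v["path"], v["verdict"]
        elif (r := RESULT_RE.search(msg)):
            report.results[r["kind"]] = (int(r["inf"]), int(r["cured"]), int(r["reboot"]))
    return report


def summarise(report: Report) -> str:
    """One-line-per-driver summary plus the overall infected count."""
    lines = []
    for d in report.drivers:
        flag = "shared dispatch" if d.shared_dispatch() else "distinct handlers"
        lines.append(f"{d.name}: {len(d.irp_handlers)} IRP handlers ({flag}), verdict {d.verdict}")
    lines.append(f"objects infected: {report.infected_count()}; suspicious: {report.suspicious() or 'none'}")
    return "\n".join(lines)


# Constructed sample: the atapi lines are copied from the log in this thread;
# the 'example' driver, its addresses and its path are made up for the test.
SAMPLE_LOG = r"""19:30:01:296 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:30:01:296 2008 DetectCureTDL3: IrpHandler (0) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (1) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: IrpHandler (2) addr: 87285008
19:30:01:296 2008 DetectCureTDL3: All IRP handlers pointed to one addr: 87285008
19:30:01:296 2008 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:30:01:296 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
19:30:01:296 2008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\example, Driver Name: example
19:30:01:296 2008 DetectCureTDL3: IrpHandler (0) addr: 11111111
19:30:01:296 2008 DetectCureTDL3: IrpHandler (1) addr: 22222222
19:30:01:296 2008 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\example.sys - Verdict: Clean
19:30:01:296 2008 Results:
19:30:01:296 2008 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:30:01:296 2008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:30:01:296 2008 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    print(summarise(parse_tdsskiller_log(SAMPLE_LOG)))
```

Feed it a full log saved from TDSSKiller (the regular expressions only look at the message part of each line, so the timestamp and year prefix can vary) and the summary shows whether the tool walked the disk driver chain, which drivers share one dispatch address, and whether any file verdict or Results count calls for action.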



## ReverendLisa

Thank you, I have posted the log from TDSS Killer.

Reverend Lisa


----------



## dvk01

Looks like the main infection has gone.

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform quick scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. (Press YES on the alert.)
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once, and it does not need to be reported unless it continues on every boot.


----------



## ReverendLisa

Malwarebytes' Anti-Malware 1.44
Database version: 3618
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 5:53:12 PM
mbam-log-2010-01-25 (17-53-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 259506
Time elapsed: 1 hour(s), 12 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{34456B23-6429-43D0-920F-5DEBC70C0317}\RP840\A0102952.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{34456B23-6429-43D0-920F-5DEBC70C0317}\RP840\A0102953.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{34456B23-6429-43D0-920F-5DEBC70C0317}\RP840\A0103034.sys (Malware.Trace) -> Quarantined and deleted successfully.


----------



## ReverendLisa

I rebooted without any trouble. I assume it is all right to turn my AVG back on?

Thank You
Reverend Lisa


----------



## dvk01

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall* in the run box and click *OK*. Note the *space* between the *x* and the */U*; it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

And scan here *http://secunia.com/software_inspector/* for out-of-date and vulnerable common applications on your computer, and update whatever it suggests.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.


----------



## ReverendLisa

Done!
Thank you so much, everyone, for all that you did to help me! And if you are planning to get married or renew your vows, I will do it for free! And I can Skype!

Thank you 
Reverend Lisa


----------

