Apparently I have a virus in which all my programs are infected

I am unable to access any programs. It keeps sending me to a website: http://platinum-antivir.com/purchase?r=57.15 and everything is supposedly infected: taskmgr.exe, mmc.exe, rundll32.ex, etc are infected. It keeps asking if I want to activate my antivirus software now. It also keeps opening a IE browser sending me to sites such as porno.org or viagra.com. Help please. I'm on my desktop but the infection is on my laptop.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Thank you for your prompt response. Unfortunately, I can not access any website from my laptop. I temporarily disabled AVG and that's as far as I got. Every page I visit reads: 'Internet Explorer Warning - visiting this website may harm your computer!' It gives me 3 options: 'Purchase for secure Internet surfing (Recommended)', 'Check your computer for viruses and malware.' and 'More Information'. All three links take me to that website I listed earlier to purchase 'Antivirus Live'.

A Windows Security alert window opens in the bottom right and says 'Application cannot be executed. The file blabhbla.exe is infected. Do you want to activate your antivirus software now?'

Please transfer that file from another clean computer, to the infected one via Flash Drive.

YAYYYY...I'm on my laptop now.

I had to restart the computer and start the program right away to trick the virus or else it would've shut the install down and say it's infected. Here's the log: (does it give away any incriminating evidence?...hope not). Thanks for the help.

ComboFix 09-12-29.06 - Tiffany Stephens 12/30/2009 19:31:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1202 [GMT -7:00]
Running from: c:\documents and settings\Tiffany Stephens\Desktop\commy.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 1

/wow section - STAGE 2

/wow section - STAGE 3

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: ProgramsFile
PEV Error: ProgramsFolder
PEV Error: StartUpFile
PEV Error: TemplatesFile
PEV Error: TemplatesFolder
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh
c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe
c:\windows\system32\xtemp1.exe
c:\windows\system32\xtemp2.exe
c:\windows\Temp\log.txt

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 02:00 . 2009-12-31 02:00 0 ----a-w- c:\documents and settings\Tiffany Stephens\Application Data\U3\01646018E142C9D1\cleanup.exe
2009-12-16 03:43 . 2009-12-16 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-16 00:32 . 2009-12-16 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-12 01:35 . 2009-12-12 01:33 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-08 04:26 . 2009-12-08 04:27 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\CutePDF Writer
2009-12-08 04:05 . 2009-12-31 02:16 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\AskToolbar
2009-12-08 04:04 . 2009-12-08 04:04 -------- d-----w- c:\program files\GPLGS
2009-12-08 04:00 . 2009-11-05 15:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-12-08 03:59 . 2009-12-08 03:59 -------- d-----w- c:\program files\Acro Software
2009-12-08 03:59 . 2009-12-08 03:59 -------- d-----w- c:\program files\Ask.com
2009-12-07 03:44 . 2009-12-07 03:44 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 02:39 . 2007-08-07 22:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 02:00 . 2008-11-13 01:48 -------- d-----w- c:\documents and settings\Tiffany Stephens\Application Data\U3
2009-12-28 19:39 . 2009-11-23 22:17 79488 ----a-w- c:\documents and settings\Tiffany Stephens\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 02:32 . 2008-03-20 02:27 -------- d-----w- c:\documents and settings\Tiffany Stephens\Application Data\LimeWire
2009-12-21 18:29 . 2008-11-06 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-15 04:42 . 2007-08-07 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-28 22:19 . 2008-11-06 06:21 -------- d-----w- c:\program files\QuickTime
2009-11-28 22:18 . 2009-11-28 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-28 22:17 . 2009-11-28 22:17 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 22:16 . 2009-11-28 22:16 -------- d-----w- c:\program files\Apple Software Update
2009-11-28 22:16 . 2009-11-28 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-29 07:46 . 2007-04-18 12:31 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-05 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-05 03:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-05 03:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-05 03:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-05 03:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-05 03:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-05 03:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-05 03:00 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-10-27 20:48 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-06 39408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-06 2356088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-07 1015808]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-04-28 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-04-28 26248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2007-02-20 61440]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-11-5 45056]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-7-26 1114217]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 15:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2008 11:17 AM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/30/2009 10:39 PM 297752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/23/2008 3:50 PM 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-12-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tiffany Stephens.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-04-28 00:08]

2009-12-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-10-27 20:48]

2009-12-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-02 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1<mpl=default<mplcache=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tmeodjdd - c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe
HKLM-Run-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
HKLM-Run-tmeodjdd - c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe



**************************************************************************
scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:72,8a,64,75,69,46,2a,b7,f7,cd,c0,05,32,ce,82,07,21,d9,d9,d7,53,
93,03,12,82,f3,9a,b8,8c,1d,57,6a,5d,cc,37,f5,a5,51,97,75,4d,38,51,cc,4a,15,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:72,8a,64,75,69,46,2a,b7,f7,cd,c0,05,32,ce,82,07,21,d9,d9,d7,53,
93,03,12,82,f3,9a,b8,8c,1d,57,6a,5d,cc,37,f5,a5,51,97,75,4d,38,51,cc,4a,15,\
.
Completion time: 2009-12-30 19:40:47
ComboFix-quarantined-files.txt 2009-12-31 02:40

Pre-Run: 16,723,918,848 bytes free
Post-Run: 17,561,100,288 bytes free

- - End Of File - - 07178CF989168C5DDC59130A5E5D63EA

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

I've tried to do the scan several times. It stops at a file \Device\000000d2. A window appeared once and says: 'gmer.exe has encountered a problem and needs to close.' and it gives me the options to 'Send Error Report' and 'Don't Send'. The other times the scan window would close and freeze up my computer and so I would have to restart. Thanks for your help.

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.



Save it into the gmer folder as File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

I have tried to do this scan about 15+ times and everytime I return to my computer, it restarts and, sometimes, I get an error message to 'Send Error Report'. Please help, very frustrated, sorry it took so long but would really like to get everything resolved before moving forward. Thank you for everything.

Let's try something different.

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
  
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the Desktop.
  
• Please copy/paste the contents of the report in your next reply.
  

Please remove any e-mail address in the RootRepeal report (if present).

Thank you for your help.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/26 20:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7999000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA638000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5F44000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x8a5c7190

#: 013 Function Name: NtAlertThread
Status: Hooked by "" at address 0x8a5ae190

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x8a4b9218

#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8a5822b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "" at address 0x8a4a6080

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x8a52cda8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd2a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x8a41b6c0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x8a5a6190

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x8a5ab190

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x8a68b998

#: 114 Function Name: NtOpenEvent
Status: Hooked by "" at address 0x8a5a2190

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x8a423360

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "" at address 0x8a5ac260

#: 206 Function Name: NtResumeThread
Status: Hooked by "" at address 0x8a4e7170

#: 213 Function Name: NtSetContextThread
Status: Hooked by "" at address 0x8a6ff368

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x8a5ac2f0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "" at address 0x8a5aef30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdda50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x8a5ca530

#: 254 Function Name: NtSuspendThread
Status: Hooked by "" at address 0x8a5ae158

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x8a5cc178

#: 258 Function Name: NtTerminateThread
Status: Hooked by "" at address 0x8a5d2148

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x8a583180

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x8a4577f0

==EOF==

Download this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

Here you go....

23:06:09:078 5888 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
23:06:09:078 5888 ================================================================================
23:06:09:078 5888 SystemInfo:

23:06:09:078 5888 OS Version: 5.1.2600 ServicePack: 2.0
23:06:09:078 5888 Product type: Workstation
23:06:09:078 5888 ComputerName: ACER-47CBE8A5ED
23:06:09:078 5888 UserName: *My Name*
23:06:09:078 5888 Windows directory: C:\WINDOWS
23:06:09:078 5888 Processor architecture: Intel x86
23:06:09:078 5888 Number of processors: 2
23:06:09:078 5888 Page size: 0x1000
23:06:09:078 5888 Boot type: Normal boot
23:06:09:078 5888 ================================================================================
23:06:09:093 5888 UnloadDriverW: NtUnloadDriver error 2
23:06:09:093 5888 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:06:09:093 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:06:09:109 5888 UtilityInit: KLMD drop and load success
23:06:09:109 5888 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
23:06:09:109 5888 UtilityInit: KLMD open success
23:06:09:109 5888 UtilityInit: Initialize success
23:06:09:109 5888
23:06:09:109 5888 Scanning Services ...
23:06:09:109 5888 CreateRegParser: Registry parser init started
23:06:09:109 5888 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
23:06:09:109 5888 CreateRegParser: DisableWow64Redirection error
23:06:09:109 5888 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:06:09:109 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
23:06:09:109 5888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:06:09:109 5888 wfopen_ex: Trying to KLMD file open
23:06:09:109 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
23:06:09:109 5888 wfopen_ex: File opened ok (Flags 2)
23:06:09:109 5888 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: AD4A08
23:06:09:109 5888 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:06:09:109 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
23:06:09:109 5888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:06:09:109 5888 wfopen_ex: Trying to KLMD file open
23:06:09:109 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
23:06:09:109 5888 wfopen_ex: File opened ok (Flags 2)
23:06:09:109 5888 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: AD4AB0
23:06:09:109 5888 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
23:06:09:109 5888 CreateRegParser: EnableWow64Redirection error
23:06:09:109 5888 CreateRegParser: RegParser init completed
23:06:09:546 5888 GetAdvancedServicesInfo: Raw services enum returned 397 services
23:06:09:546 5888 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:06:09:546 5888 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:06:09:546 5888
23:06:09:546 5888 Scanning Kernel memory ...
23:06:09:546 5888 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:06:09:546 5888 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A715A60
23:06:09:546 5888 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
23:06:09:546 5888
23:06:09:546 5888 DetectCureTDL3: DEVICE_OBJECT: 88D11030
23:06:09:546 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88D11030
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0x88D11030[0x38]
23:06:09:546 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:546 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:546 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:546 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:546 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:546 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:546 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:546 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:546 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:546 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:546 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:546 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:546 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:546 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:546 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:546 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:562 5888
23:06:09:562 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6BFC68
23:06:09:562 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6BFC68
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6BFC68[0x38]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:562 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:562 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:562 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:562 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:562 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:562 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:562 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:562 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:562 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:562 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:562 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:562 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:562 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:562 5888
23:06:09:562 5888 DetectCureTDL3: DEVICE_OBJECT: 8A714C68
23:06:09:562 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A714C68
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A714C68[0x38]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A712C68
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A712C68
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A712C68[0x38]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A70EAB8
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A70EAB8
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6F6030
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6F6030
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6D3940
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6D3940
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6D3940[0x38]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT: 8A6F5528
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6F5528[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE17768C8[0x1A]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: B9E18572
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: B9E18572
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: B9E18592
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: B9E147B4
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: B9E185BC
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: B9E1F164
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xB9E157C6[0x400]
23:06:09:578 5888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
23:06:09:578 5888 TDL3_FileDetect: Processing driver: atapi
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 Completed
23:06:09:578 5888
23:06:09:578 5888 Results:
23:06:09:578 5888 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:578 5888 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:593 5888 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:593 5888
23:06:09:593 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:06:09:593 5888 UtilityDeinit: KLMD(ARK) unloaded successfully

Running from: C:\Documents and Settings\Tiffany Stephens\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Tiffany Stephens\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Please download V-Tool, and save to your Desktop.

• Double-click on vtool.zip, and extract the file to your Desktop.
  
• Double-click on vtool.cmd to start.
  
• !! IMPORTANT !!::: At each prompt ("Press any key to continue..."), wait 10 seconds before pressing a key. This tool needs time to process each prompt.
  
• It will finish eventually and launch a log. Do NOT exit the tool. Allow it to finish. (vtool.txt)
  
• Post the contents of it in your next reply.