WiredWX Christian Hobby Weather Tools
NEED HELP with Malware TDSS

Hi,

I have malware (I think TDSS) on my machine running Windows XP SP3. I have used programs like Malwarebytes and Hitman Pro (containing other anti-spyware programs), but nothing helped. Besides this, my PC crashes and restarts when I search for TDSS files and when Malwarebytes is searching for malware.

I read the post of girikumar_s, who has the same problem as I, and I already removed c:\windows\system32\tdssosvd.dat, but the other file that causes my PC to crash I couldn't find: c:\windows\system32\drivers\tdss****.sys. There were some other tdss-named files which I also removed, but my PC keeps crashing!

Then I downloaded and ran ComboFix. At first my PC crashed when running ComboFix for the first time, which led to the fact that I don't have "explorer" (in Windows), not Internet Explorer, so I don't see the Start button at the left of my screen.

But I managed to run ComboFix successfully in safe mode as administrator. I will post the log in my next post.

Please help me to solve this problem. Thank you in advance.

Tobias

Re: NEED HELP with Malware TDSS

ComboFix 08-12-11.05 - Administrator 2008-12-12 13:29:12.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.821 [GMT 1:00]
Gestart vanuit: c:\program files\Combofix\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Gerarda Wieten\Gerarda Wieten.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\csrss.exe
c:\windows\system32\.exe
c:\windows\system32\Drivers\Wintd40.sys
c:\windows\system32\ftpupd.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\wertyu.dll
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_WINTD40
-------\Service_TDSSserv.sys
-------\Service_Wintd40


(((((((((((((((((((( Bestanden Gemaakt van 2008-11-12 to 2008-12-12 ))))))))))))))))))))))))))))))
.

2008-12-12 13:26 . 2006-11-11 22:11 d--h----- c:\documents and settings\Administrator\Sjablonen
2008-12-12 13:26 . 2006-11-11 22:59 d--h----- c:\documents and settings\Administrator\Onlangs geopend
2008-12-12 13:26 . 2006-11-11 22:59 d--h----- c:\documents and settings\Administrator\Netwerkprinteromgeving
2008-12-12 13:26 . 2006-11-11 22:59 d-------- c:\documents and settings\Administrator\Mijn documenten
2008-12-12 13:26 . 2006-11-11 22:59 dr------- c:\documents and settings\Administrator\Menu Start
2008-12-12 13:26 . 2006-11-11 22:59 d-------- c:\documents and settings\Administrator\Favorieten
2008-12-12 13:26 . 2008-12-11 13:35 d-------- c:\documents and settings\Administrator\Bureaublad
2008-12-12 13:26 . 2008-12-12 13:26 d-------- c:\documents and settings\Administrator
2008-12-12 12:27 . 2008-12-12 12:27 d-------- c:\program files\Combofix
2008-12-12 12:12 . 2008-12-12 12:12 d-------- c:\program files\Hijack This
2008-12-12 12:07 . 2008-12-12 12:10 d-------- c:\program files\Superantispyware
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\documents and settings\Gerarda Wieten\Application Data\Malwarebytes
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 01:04 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 01:04 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 20:57 . 2008-12-11 20:57 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-11 20:57 . 2008-12-11 20:57 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-11 20:57 . 2008-12-11 20:57 164 --a------ C:\install.dat
2008-12-11 20:54 . 2008-12-12 11:51 d-------- c:\program files\Spybot - Search & Destroy
2008-12-11 15:34 . 2008-12-12 12:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-11 15:33 . 2008-12-11 15:34 d-------- c:\program files\Adware
2008-12-11 14:57 . 2008-12-11 14:57 dr-h----- c:\documents and settings\Gerarda Wieten\Onlangs geopend
2008-12-08 19:16 . 2008-12-08 19:16 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-08 19:16 . 2008-12-08 19:16 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-08 13:47 . 2008-12-08 13:47 d----c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-12-08 13:42 . 2008-12-08 13:47 d-------- C:\b90c1343c42bcb5bdb2d
2008-12-08 13:42 . 2008-12-08 13:42 dr-h----- C:\AHCache
2008-12-08 13:41 . 2008-12-08 13:41 d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-08 11:27 . 2008-12-08 11:27 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 11:27 . 2008-12-08 11:27 1,409 --a------ c:\windows\QTFont.for
2008-12-08 11:12 . 2008-12-08 11:12 d-------- c:\program files\Microsoft Silverlight
2008-12-05 00:55 . 2008-12-05 00:55 d-------- c:\program files\Google Virus Verwijderaar
2008-11-28 18:31 . 2008-11-28 18:38 d-------- c:\windows\SxsCaPendDel
2008-11-27 23:06 . 2008-12-12 11:49 d-------- c:\program files\CCleaner
2008-11-27 17:22 . 2008-11-27 17:22 14,848 --a------ c:\windows\system32\getwn32.dll
2008-11-12 08:24 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 08:23 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 11:58 --------- d-----w c:\program files\Spamfilter
2008-12-12 10:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 10:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 14:25 --------- d-----w c:\program files\Deamon Tools(spelletjes)
2008-12-11 14:17 6,656 ----a-w c:\windows\system32\drivers\aeaudio.sys
2008-12-11 12:54 --------- d-----w c:\program files\Torrentz
2008-12-11 12:36 --------- d-----w c:\program files\ESET
2008-12-11 12:31 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\Lavasoft
2008-12-11 11:57 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\uTorrent
2008-12-08 10:29 --------- d-----w c:\program files\QuickTime
2008-12-05 02:18 31,104 ----a-w c:\windows\system32\drivers\Winec07.sys
2008-12-05 00:11 31,104 ----a-w c:\windows\system32\drivers\Wintw81.sys
2008-12-03 22:18 98,304 ----a-w c:\windows\DUMP5709.tmp
2008-11-28 17:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 17:29 --------- d-----w c:\program files\Philips
2008-11-28 08:04 --------- d-----w c:\program files\WinZix
2008-11-27 22:31 --------- d-----w c:\program files\Hitman Pro
2008-11-27 19:21 --------- d-----w c:\program files\Google
2008-11-11 10:45 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\Canon
2008-11-09 15:09 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\SPAMfighter
2008-11-09 15:08 --------- d-----w c:\program files\Common Files\Application
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:43 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 21:10 23,752 ----a-w c:\documents and settings\Gerarda Wieten\Application Data\GDIPFONTCACHEV1.DAT
2008-10-03 10:05 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:28 1,846,528 ----a-w c:\windows\system32\win32k.sys
2006-11-20 08:42 61 --sh--w c:\windows\cnerolf.dat
2008-09-01 20:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\Norton Antivirus\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SPAMfighter Agent"="c:\program files\Spamfilter\SFAgent.exe" [2008-10-22 325768]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-08 413696]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"iTunesHelper"="c:\program files\iPod\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 57344]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iPod\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Torrentz\\utorrent.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Ontspan\\PES 6\\PES6.exe"=
"c:\\Program Files\\Msn Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Msn Messenger\\livecall.exe"=

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-03-01 53760]
S0 Winec07;Winec07;c:\windows\system32\Drivers\Winec07.sys [2006-11-11 31104]
S0 Wintw81;Wintw81;c:\windows\system32\Drivers\Wintw81.sys [2006-11-11 31104]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys [2004-08-04 30592]
S2 SPAMfighter Update Service;SPAMfighter Update Service;"c:\program files\Spamfilter\sfus.exe" [2008-10-22 184968]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-12 38496]
.
Inhoud van de 'Gedeelde Taken' map

2008-12-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\Google Virus Verwijderaar\XoftSpy.exe [2008-12-03 19:05]

2008-12-11 c:\windows\Tasks\XoftSpySE.job
- c:\program files\Google Virus Verwijderaar\XoftSpy.exe [2008-12-03 19:05]
.
- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
HKLM-Run-Hitman Pro Expiration Helper - c:\program files\Hitman Pro\Hitman Pro\xphelper.exe


.
------- Bijkomende Scan -------
.
mStart Page = hxxp://www.google.nl

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\MaxisGolfTeleX.ocx
O16 -: {08EE4BCE-527E-4760-B11A-B829415E9103}
hxxp://www.simgolf.ea.com/teleport/simgolf/MaxisGolfTeleX.cab
c:\windows\Downloaded Program Files\MaxisGolfTeleX.inf

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\JordanApplet.dll
O16 -: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE}
hxxp://ips.poi.de/ips-opdata/layout/fnac/objects/jordan.cab
c:\windows\Downloaded Program Files\jordanapplet.inf

c:\windows\Downloaded Program Files\PlaNetSysInfo.dll - O16 -: {3E90FFF5-1347-45B9-91F6-DA47926E9697}
hxxp://online-virusscan.casema.nl/systemcheck/PlaNetSysInfo.cab
c:\windows\Downloaded Program Files\PlaNetSysInfo.osd

c:\windows\Downloaded Program Files\instwact.dll - O16 -: {91F52A42-C10D-49A7-B941-882C657C604F}
hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 13:31:16
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\System32\NavLogon.dll
.
Voltooingstijd: 2008-12-12 13:32:01
ComboFix-quarantined-files.txt 2008-12-12 12:31:54

Pre-Run: 36.411.445.248 bytes beschikbaar
Post-Run: 36,401,352,704 bytes beschikbaar

207 --- E O F --- 2008-12-09 23:29:44
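The ComboFix log above lists every driver/service as `<R|S><start-type> <name>;<display name>;<image path> [<date> <size>]`, prints registry keys verbatim and, under "Find3M", files modified in the last three months. What a helper actually does with that is cross-reference the sections: a driver that loads at boot (start type 0), is also registered under SafeBoot\Minimal (so it loads in Safe Mode as well) and was modified recently is the first thing to look at. The script below is an added example of that triage and is not part of ComboFix or of this thread; it only flags entries, and the interpretation of R/S as running/stopped and the digit as the Windows start type is this example's reading of the ComboFix notation. The sample log is an excerpt of the lines posted above.

```python
"""Cross-reference the driver, SafeBoot and Find3M sections of a ComboFix log.

Added example (not ComboFix code).  Assumptions: the prefix letter R/S means
running/stopped and the digit is the Windows start type (0 = boot,
1 = system, 2 = auto, 3 = manual, 4 = disabled); Find3M lists files modified
in the last three months.  Nothing here decides what is malicious; it only
surfaces the combinations an analyst wants to review first.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2008-12-05 02:18 31,104 ----a-w c:\windows\system32\drivers\Winec07.sys
2008-12-05 00:11 31,104 ----a-w c:\windows\system32\drivers\Wintw81.sys
2008-12-12 11:58 --------- d-----w c:\program files\Spamfilter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]
@="Driver"

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-03-01 53760]
S0 Winec07;Winec07;c:\windows\system32\Drivers\Winec07.sys [2006-11-11 31104]
S0 Wintw81;Wintw81;c:\windows\system32\Drivers\Wintw81.sys [2006-11-11 31104]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys [2004-08-04 30592]
S2 SPAMfighter Update Service;SPAMfighter Update Service;"c:\program files\Spamfilter\sfus.exe" [2008-10-22 184968]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-12 38496]
"""

# R1 name;display;path [date size]
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$')
# [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<entry>]
SAFEBOOT_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\'
    r'(?P<mode>Minimal|Network)\\(?P<entry>[^\]]+)\]$', re.IGNORECASE)
# Find3M: date time size attrs path (directory rows show "---------" as size and are skipped)
FIND3M_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>.+?)\s*$')


@dataclass
class Service:
    name: str
    state: str        # R = running, S = stopped (assumed ComboFix notation)
    start_type: int   # 0 = boot ... 4 = disabled
    path: str         # normalised, lower-case image path
    flags: list = field(default_factory=list)


def normalize_path(path: str) -> str:
    """Strip the NT \\??\\ prefix and surrounding quotes; lower-case for matching."""
    path = path.strip().strip('"')
    if path.startswith('\\??\\'):
        path = path[4:]
    return path.lower()


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def parse_log(text: str):
    """Return (services, safeboot entries {name: mode}, recently modified {path: date})."""
    services, safeboot, recent = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            services.append(Service(m['name'], m['state'], int(m['start']),
                                    normalize_path(m['path'])))
        elif (m := SAFEBOOT_RE.match(line)):
            safeboot[m['entry'].lower()] = m['mode']
        elif (m := FIND3M_RE.match(line)):
            recent[normalize_path(m['path'])] = m['date']
    return services, safeboot, recent


def triage(text: str) -> list:
    """Attach review flags to every service; an empty flag list means nothing stood out."""
    services, safeboot, recent = parse_log(text)
    for svc in services:
        if svc.start_type == 0:
            svc.flags.append('boot-start driver (loads before user-mode security software)')
        # SafeBoot entries are keyed by driver file name or by service name.
        mode = safeboot.get(basename(svc.path)) or safeboot.get(svc.name.lower())
        if mode:
            svc.flags.append(f'registered under SafeBoot\\{mode} (also loads in Safe Mode)')
        if svc.path in recent:
            svc.flags.append(f'image modified recently (Find3M {recent[svc.path]})')
    return services


if __name__ == '__main__':
    for svc in triage(SAMPLE_LOG):
        marker = '!!' if svc.flags else '  '
        print(f'{marker} {svc.state}{svc.start_type} {svc.name:<28} {svc.path}')
        for flag in svc.flags:
            print(f'      - {flag}')
```

Run stand-alone it prints the six services with `!!` in front of the ones carrying flags; in the sample only Winec07 and Wintw81 combine all three flags, which matches the entries the helper later targets in the CFScript.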

Re: NEED HELP with Malware TDSS

This is my HIJACK THIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:51, on 12-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/malware-in-machine-brastk-karna-tdss-t4125.htm?highlight=tdss
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton Antivirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\Spamfilter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.nl/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {08EE4BCE-527E-4760-B11A-B829415E9103} (MaxisGolfTeleX Control) - http://www.simgolf.ea.com/teleport/simgolf/MaxisGolfTeleX.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://ips.poi.de/ips-opdata/layout/fnac/objects/jordan.cab
O16 - DPF: {3E90FFF5-1347-45B9-91F6-DA47926E9697} (PlaNet SysInfo Agent) - http://online-virusscan.casema.nl/systemcheck/PlaNetSysInfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116w.bay116.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - http://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton Antivirus\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton Antivirus\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\Spamfilter\sfus.exe

--
End of file - 7182 bytes
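A HijackThis log is a flat list of lines, each starting with a section code (R0/R1 browser settings, O2 BHOs, O4 autorun entries, O9 IE buttons, O16 ActiveX downloads, O23 services). Reading one by hand means scanning for the same few patterns every time: references to files that no longer exist, entries without a name, services with no recognised publisher, ActiveX controls fetched from a non-HTTPS or local source, and autorun commands given as a bare file name. The script below is an added example of that classification and is not HijackThis code; the patterns it looks for are this example's choice, and the sample log is an excerpt of the lines posted above.

```python
"""Section-aware triage of HijackThis v2 log lines (added example, not HijackThis code).

Each line has the form '<code> - <body>'.  The script groups lines by code and
attaches review flags for the patterns an analyst checks first.  A flag means
"look at this", not "this is malicious": orphaned BHO entries, for instance,
are usually leftovers of an uninstalled product.
"""
import re

# Constructed excerpt taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton Antivirus\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r'^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$')


def parse(text: str) -> list:
    """Return [(code, body), ...] for every well-formed HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m['code'], m['body']))
    return entries


def by_section(entries: list) -> dict:
    """Count entries per section code, e.g. {'O2': 2, 'O4': 2, ...}."""
    counts = {}
    for code, _ in entries:
        counts[code] = counts.get(code, 0) + 1
    return counts


def flags_for(code: str, body: str) -> list:
    """Review flags for one entry; the patterns are this example's own choice."""
    flags = []
    if '(no file)' in body:
        flags.append('points to a file that no longer exists (orphaned entry)')
    if '(no name)' in body:
        flags.append('entry has no display name')
    if code == 'O23' and 'Unknown owner' in body:
        flags.append('service binary carries no recognised publisher')
    if code == 'O16':
        url = body.rsplit(' - ', 1)[-1]
        if not url.lower().startswith('https://'):
            scheme = url.split(':', 1)[0].lower()
            flags.append(f'ActiveX control fetched over {scheme} (not HTTPS)')
    if code == 'O4':
        command = body.split('] ', 1)[-1]          # text after "[name] "
        if command.lstrip('"')[1:3] != ':\\':      # no drive letter: resolved via search path
            flags.append('autorun command is a bare file name (resolved via the search path)')
    return flags


def triage(text: str) -> list:
    """Return only the entries that earned at least one flag."""
    flagged = []
    for code, body in parse(text):
        flags = flags_for(code, body)
        if flags:
            flagged.append({'code': code, 'body': body, 'flags': flags})
    return flagged


if __name__ == '__main__':
    print('entries per section:', by_section(parse(SAMPLE_LOG)))
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['code']} - {entry['body']}")
        for flag in entry['flags']:
            print(f'    - {flag}')
```

Stand-alone it prints the per-section counts and then the six flagged entries from the sample; run over the full log it gives the same shortlist a helper would work from, and nothing more.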

Re: NEED HELP with Malware TDSS

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Winec07
Wintw81
fips32cup

File::
c:\windows\system32\drivers\fips32cup.sys
c:\windows\system32\Drivers\Winec07.sys
c:\windows\system32\Drivers\Wintw81.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]


Save this as CFScript.txt, and save it to your desktop.
Then drag and drop CFScript.txt onto ComboFix, as seen below:
[image: CFScript.txt being dragged onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: NEED HELP with Malware TDSS

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.
