WiredWX Christian Hobby Weather Tools
BOO/TDSS.M

Hello.

I sincerely apologize for my long absence (and subsequent removal) from the GPA, but that's not why I'm here.

My computer has been infected with what my mom and I believe to be the new TDSS variant. The title of the topic is the name of the infection Avira found before everything went to hell.

Currently, my mom is doing everything she can to get rid of it, but nothing seems to work. None of the TDSS rootkits we found mentioned in removal guides seem to be found in the registry. It is acting like a fake AV and when the computer is connected to the internet will pop up IE windows. It also tried to add an add-on to Firefox, but I told it no.

On a subsequent restart, it seems to have killed my mouse driver; Mom is doing everything the old-fashioned way with the keyboard. Currently, we're only using the computer in Safe Mode. We think it's reinfecting through one of my portable hard drives. We can't use Avira, and the virus is blocking MBAM. Right now, I'm on my mom's Vista, but the infected computer is the one whose specs are on my profile.

Can you help us get rid of the virus?

Thanks,
Miri

Edit: I forgot to mention, we currently have the computer disconnected from the internet to prevent the virus from spreading. Should we reconnect and run the fixes from that computer, or should we do the burn-it-to-a-CD thing from this one?

Re: BOO/TDSS.M

Hello.
Reconnect it to the net, we may need internet access.

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: BOO/TDSS.M

My computer appears to be taking forever to start up; I replugged the mouse into a different USB, mom says that on XP that resets the driver. Checking to see if it works... Nope. Mouse doesn't work still. It'll take a little bit to tab around and stuff, so please be patient with me~ I'm not used to doing things with just the keyboard.

Edit: Now that I'm actually in my computer, it took a few minutes but my mouse appears to be working. However, my computer came up with no UI, just two windows, the fake antivirus and a "Personalised Settings: Setting up personalized settings for: Google Search Provider." It was after opening task manager and attempting to end the XP Anti-Virus program that my mouse moves but it doesn't seem to have ended. Attempting to end.... YES~ It ended and Windows' UI is coming up normally, the settings window went away with the XP anti-virus warning, most likely it was trying to simulate the virus attack it was telling me was happening. Awww, poor thing, it WAS the virus. I'm wise to your little games, you hacker. Was trying to play keep-up with the infected processes in Task Manager to no avail, booting firefox (attempting) so I can access your fixes.

Crap. Virus gave me a message saying Firefox was infected. And it's still running. GRAHHHH. Avira popped up with a message saying that it's in my recycle bin now?!?! Okay, trying IE. It seems to have made IE my default browser, too.

Huh. Trying to open IE and somehow Mozilla is now actually running, IE came up too. Seeing if I can get past the "Mozilla is running in safe mode" and actually into the net with Mozilla, as IE doesn't appear to be doing any..... IE just went away, the virus told me it was infected. Okay, let's see if it'll let Mozilla run.... Hm. IE popped back up, with a fake alert saying that Yahoo was infected. *eyeroll* Anyway, Mozilla appears to be working. I apologize for the running commentary; being on two comps at once offers a unique opportunity to describe things as they happen; I hope it's useful to you.

Re: BOO/TDSS.M

Okay, it's not letting me download the tool. It'll come up with the "Save/Run" window, I click Save File, but nothing happens. It appears to be working for a while, then stops. The name of the website still appears down at the bottom in the bar where it shows loading progress but nothing else. If I roll over a link, that little thing goes away, replaced by the ubiquitous "Done". Any suggestions?

Re: BOO/TDSS.M

Can you download it via another machine and transfer it via USB? If not, we'll go to boot disc.


Re: BOO/TDSS.M

Hmmm.... I'd have to find my USB drive. Would the virus be transferable via that USB, though, if I needed to use it again? I don't want to infect my mom's computer.

Also, I'm sorry I didn't get this message when you posted it, I was up all last night with the stomach crud... blech.

Re: BOO/TDSS.M

No worries.

Normally TDL doesn't spread via autorun worms; I very rarely see it use that method.


Re: BOO/TDSS.M

Okay. Let me go search for it, but first, I want to try downloading one more time, my computer seems to be in better shape than last time I booted it up (mouse works from the get-go, virus letting IE run, etc.)

Edit: No, virus won't even let me go to GeekPolice website. It'll start to load, then redirect me to "About:Blank" which says that the webpage is infected. Hunting down a flash drive now; if I can't find it, we may have to burn a CD.

Edit2: Found the flash drive, about to transfer to the other computer.

Re: BOO/TDSS.M

Aaaaalright. Every time I try to open it, it says, "Windows cannot access device, path, or file. You may not have appropriate permissions to access this file." I am running as administrator. When I moved the program to the desktop, it still told me the same thing. I ended all of the active virus processes via task manager (which didn't come up normally, it went to a selection screen like my old school laptop, I clicked 'task manager', had to do that twice, and the username was bizarre, "logged on as (random numbers/letters)/Miranda (my last name)") and tried again, still got the same message, but as I ended the processes, Avira was able to get through and told me about all kinds of infected files that it was finding, even a garbage .dll file in the system folder.

I hope that helps you somewhat.

Re: BOO/TDSS.M

Ah ok, try this instead, I wanna see if it runs.

  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


Re: BOO/TDSS.M

Nope, still getting the same error. Could it have something to do with me using a non-admin account on Vista to download it?

Re: BOO/TDSS.M

Possibly, but I know of an infection that throws up that error.

We are going to be using a Windows Recovery Environment to help disinfect the system.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings:
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


Re: BOO/TDSS.M

.....wow. Vista says it's gonna take half an hour to download that file.

I'm a little worried about this... I've never done anything like booting a computer from CD before.

Edit: Alright, it's downloaded. Time to burn the CD and get this to work....

Last edited by fairydraik on 7th May 2011, 3:14 pm; edited 1 time in total

Re: BOO/TDSS.M

It's not a hard thing to do, it's just gonna be easier for both of us this way. Rather than fight through whatever blocks the malware has placed, bypass the whole system and boot a CD; that way the malware can't boot as it doesn't need the HDD.


Re: BOO/TDSS.M

Alright, makes sense. How long should it take for the CD to burn? OTLPEStd is at "0% extracting" right now, doesn't seem to be doing anything.

Re: BOO/TDSS.M

It can depend on the hard drive of the machine you're using to burn it.

I burnt OTLPE myself a few weeks back; it took me about 1 hr total, I'd say, but I'm using a 2.5 GHz processor so it's quicker than most.


Re: BOO/TDSS.M

Mmkay. So it's normal if it doesn't seem to be doing anything at all?

Re: BOO/TDSS.M

Yes, give it a while, it may take some time to extract and burn if you're on a somewhat middle-ground machine.


Re: BOO/TDSS.M

It's been around an hour and hasn't even made it to 1%. Should I be worried?

(Sorry if I sound a bit paranoid, I'm just... well... paranoid. Maybe it's 'cause I'm still sick...)

Edit: Avira was evidently running a scan, so I turned it off; it was probably interfering with the process....

Edit2: When checking to see if it was still responding, according to the Task Manager, I found that Windows Defender was running in the background. I ended that as well.

Re: BOO/TDSS.M

After about three hours, it was still at 0%, so I turned it off. When I did so, Windows told me something about it not installing correctly, but I didn't want to mess with it. What now?

Re: BOO/TDSS.M

Fair enough then, let's see if we can cut through the malware.

Please download Ice Sword from HERE

1. Download the zip to your desktop and extract it.
2. Open the Ice Sword folder and then launch IceSword.exe.
3. Now, on the left hand side tool, hit the Process button at the top of the list.
4. Just above the list, there is a log button, press that and save the log to your Desktop.
5. Next, hit the Startup on the left side list.
6. Press the log button again.
7. Post the two logs in your next reply.


Re: BOO/TDSS.M

oooookay. I got a BSoD when I tried to turn my computer on, I think we need to try the boot disk again.

Edit: No, it's going to let me get in this time. Let's try the IceSword..... if it doesn't work, I can try re-downloading OTLPE

Edit2: On a hunch, I started aswMBR before the computer fully loaded up, and it's RUNNING. I clicked Scan and it's currently working.

Re: BOO/TDSS.M

Here's the text from the scan. I noticed that one of the items ("IRP_MJ_CREATE") is the same or similar to the one that caused my comp to BSoD.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 18:06:27
-----------------------------
18:06:27.468 OS Version: Windows 5.1.2600 Service Pack 3
18:06:27.468 Number of processors: 1 586 0x403
18:06:27.546 ComputerName: D94LZ971 UserName:
18:06:50.703 Initialize success
18:07:06.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
18:07:06.859 Disk 0 Vendor: ST380013 8.12 Size: 76293MB BusType: 3
18:07:06.859 Disk 0 MBR read error 0
18:07:06.859 Disk 0 MBR scan
18:07:06.875 Disk 0 unknown MBR code
18:07:06.875 MBR BIOS signature not found 0
18:07:06.875 Disk 0 scanning sectors +156232125
18:07:06.875 Disk 0 scanning C:\WINDOWS\system32\drivers
18:09:10.156 Service scanning
18:09:22.546 Disk 0 trace - called modules:
18:09:22.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89d52730]<<
18:09:22.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a724ab8]
18:09:22.578 3 CLASSPNP.SYS[b8168fd7] -> nt!IofCallDriver -> [0x89cd8de0]
18:09:22.578 \Driver\iaStor[0x89d93d78] -> IRP_MJ_CREATE -> 0x89d52730
18:09:23.093 Scan finished successfully
18:11:16.265 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
18:11:16.343 The log file has been saved successfully to "I:\aswMBR.txt"

Re: BOO/TDSS.M

Yep, TDL4.

Do you have the XP disc? In case we need it, the fix for this can be dangerous.

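The aswMBR trace above reports "unknown MBR code", a missing BIOS signature and a scan of the sectors past the last partition, which is what a bootkit check looks at in the first sector of the disk. As an added example that is not part of this thread and is not aswMBR's own code, here is a small Python triage parser for a 512-byte MBR image such as the MBR.dat that aswMBR saved; the sample images, the partition layout and the trusted boot-code digest are all constructed here.

```python
"""Triage helper for a raw 512-byte MBR image (added example, not aswMBR code)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code occupies bytes 0..439
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"   # the "BIOS signature" aswMBR reports as missing
SECTORS_PER_MB = 2048          # 512-byte sectors


def parse_partitions(mbr):
    """Return the four primary partition entries as dicts (status, type, LBA, count)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # entry layout: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def triage_mbr(mbr, known_good_digests=frozenset(), disk_sectors=None):
    """Inspect an MBR image and return a report with a list of findings.

    known_good_digests: SHA-256 hex digests of boot code you trust (for example
    captured from the same OEM model before infection). Without a match the boot
    code is reported as unknown, which is what aswMBR printed for this disk.
    disk_sectors: total sector count of the disk, if known, so the report can
    show how much space lies past the last partition (the region aswMBR walked
    with "scanning sectors +N").
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    signature_ok = mbr[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("MBR BIOS signature not found")
    if digest not in known_good_digests:
        findings.append("unknown MBR code")
    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    last_sector = max((p["lba_start"] + p["sectors"] for p in used), default=0)
    tail_sectors = None
    if disk_sectors is not None:
        tail_sectors = disk_sectors - last_sector
        if tail_sectors < 0:
            findings.append("partition table extends past end of disk")
    return {"signature_ok": signature_ok, "boot_code_sha256": digest,
            "partitions": parts, "last_sector": last_sector,
            "unpartitioned_tail_sectors": tail_sectors, "findings": findings}


def build_sample_mbr(boot_code, entries, with_signature=True):
    """Construct a synthetic MBR for testing; entries are (status, type, lba, count)."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFFSET + i * PART_ENTRY_LEN,
                         status, ptype, lba, count)
    if with_signature:
        buf[SIG_OFFSET:SIG_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sample: one NTFS partition whose end (63 + 156232062) matches the
# "+156232125" offset in the aswMBR log above, on a 76293 MB disk.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20   # placeholder bytes, not real boot code
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 156232062)])
TRUSTED = frozenset({hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()})
DISK_SECTORS = 76293 * SECTORS_PER_MB
# Same partition table, different boot code, signature missing: what a
# tampered or corrupt first sector looks like to this check.
SUSPECT_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 23,
                               [(0x80, 0x07, 63, 156232062)], with_signature=False)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        r = triage_mbr(img, TRUSTED, DISK_SECTORS)
        print(name, "findings:", r["findings"] or "none",
              "| sectors past last partition:", r["unpartitioned_tail_sectors"])
```

Reading a real MBR.dat is `triage_mbr(open("MBR.dat", "rb").read(), TRUSTED, DISK_SECTORS)`; the report is for review, and the thread's advice to leave any rootkit entries alone until a helper has looked at the log applies just as much here.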

Re: BOO/TDSS.M

Ummmm.... I don't think so, I'd have to ask my mom and dad, and I do have Recovery Console installed.

Okay, Mom says I'd have to ask Dad, but like I said, I do have Recovery Console, if that helps any.

Re: BOO/TDSS.M

Yeah that helps.

Can you back up any data you don't want to lose? This infection isn't nice, and fixing it is known to cause the machine to become unusable.


Re: BOO/TDSS.M

hmmmm. So, in other words, do not attempt without a Windows disk?

Edit: And, I don't really know how to go about backing up everything, everything I do is on that computer. I have some 1TB hard drives....

Edit2: If I had to reinstall windows, would my data still be there, except Windows? I don't really know anything about that kind of thing...

Re: BOO/TDSS.M

You could slave the HDD from the infected machine into another machine, or use a bootable CD with GUI like OTLPE if you can get that working.

It's just that our tools can't always catch this, and the only other option is the recovery console, but that will restore a standard MBR; if you use a custom MBR (OEM with recovery) then it causes the machine to become unbootable. It's a lose-lose situation.


Re: BOO/TDSS.M

Slave? What does that mean?

And how likely is it that my computer uses a custom MBR?

And I suppose I could try to use OTLPE again, JIC.

And... like I asked earlier, if my Windows becomes inoperable, is it possible for me to get my data (like files, etc.) back? (I'm sorry I'm asking so many questions. I just don't feel comfortable starting something risky without knowing about all the possible outcomes.)

Re: BOO/TDSS.M

Slave? What does that mean?

At the back of every HDD is a little jumper chip, it sets the drive as master or slave. Right now yours will be set as master, switching it to slave makes it secondary to the primary HDD under another machine.

It's not likely being XP, but I can't be 100% certain.

It's possible if something bad does happen, that's why I recommend OTLPE, I've used it myself for my own machine a few months back.


Re: BOO/TDSS.M

Alright. And if I had the Windows disk it would be easier, right?

Edit: Mom says to tell you that it is a Dell computer, and that that makes a difference.

Re: BOO/TDSS.M

Actually, since you've already got the RC, you don't need the Windows disc really; you only need that if we're gonna format.

Please reboot your machine.

As it is rebooting, you will notice an extra menu, and an extra option for the Microsoft Windows Recovery Console.

Please select that option to boot the RC. Windows will boot to a text based screen and ask you to select the installation to log into; please choose the correct one, usually option 1, and press enter.

In there, type in the following commands, 1 line at a time.

fixmbr
exit

After the copy command, you may be prompted with a yes/no to confirm the copy, type in "y" to confirm it.

After that, boot back to normal mode and re-run aswmbr, then post the new log.


Re: BOO/TDSS.M

Okay, so I'm guessing this is where we cross our fingers and pray, right? Alright, lemme copy most of my My Documents folder onto my 1TB, just in case.

Re: BOO/TDSS.M

Yep, this is the fix.

Being XP I doubt anything bad will happen, but no promises.


Re: BOO/TDSS.M

Right. Well, I'm copying all of my stuff onto my 1TB, and according to my comp (when it can even make up its mind about the time) it's going to take over two hours. *sigh* Luckily, I have a field trip tomorrow which means I get to skip my first class of the day, so I can stay up late babysitting it.

Re: BOO/TDSS.M

....that's weird. When I booted Recovery Console, it said, "NTLDR is compressed
Press CTRL+ALT+DEL to restart"

Re: BOO/TDSS.M

Hmm.
Do you think you can get this to run the same way you did with aswmbr?

Please download TDSSKiller from here and save it to your Desktop.

  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.


Re: BOO/TDSS.M

Probably, lemme try it.

Edit: What's the exact location of the log it'll create? So I can put it on the flash.

Edit2: I don't know what happened, but ever since I was able to run aswMBR, my computer has been a lot more responsive....

Last edited by fairydraik on 11th May 2011, 6:41 pm; edited 1 time in total

Re: BOO/TDSS.M

Note: It will also create a log in the C:\ directory.


Re: BOO/TDSS.M

It says it wants me to select actions for found objects, should I just continue with the default selections?

And oops, didn't see that -_-;;;

edit: I just continued with the default settings, it asked me to reboot to complete the cure. The scan didn't seem to take very long... let's see what it says after restarting.

Re: BOO/TDSS.M

This is the log after I chose to go with the default settings, it looks like it did skip one item, and after reboot, the virus still appeared to be active. Should I run the tool again, this time not skipping any items?

2011/05/11 14:40:34.0734 3916 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0125 3916 SystemInfo:
2011/05/11 14:40:35.0125 3916
2011/05/11 14:40:35.0125 3916 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/11 14:40:35.0125 3916 Product type: Workstation
2011/05/11 14:40:35.0125 3916 ComputerName: D94LZ971
2011/05/11 14:40:35.0125 3916 UserName: Miranda Rian
2011/05/11 14:40:35.0125 3916 Windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 System windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 Processor architecture: Intel x86
2011/05/11 14:40:35.0125 3916 Number of processors: 1
2011/05/11 14:40:35.0125 3916 Page size: 0x1000
2011/05/11 14:40:35.0125 3916 Boot type: Normal boot
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0812 3916 Initialize success
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:39.0125 4032 Scan started
2011/05/11 14:40:39.0125 4032 Mode: Manual;
2011/05/11 14:40:39.0125 4032 ================================================================================
    2011/05/11 14:40:44.0703 4032 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/11 14:40:44.0781 4032 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/05/11 14:40:44.0796 4032 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/05/11 14:40:44.0828 4032 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/11 14:40:44.0875 4032 iaStor (88b1943ecff661f765228099138cf6ab) C:\WINDOWS\system32\drivers\iaStor.sys
    2011/05/11 14:40:44.0921 4032 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/11 14:40:44.0968 4032 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/05/11 14:40:45.0046 4032 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    2011/05/11 14:40:45.0109 4032 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    2011/05/11 14:40:45.0156 4032 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    2011/05/11 14:40:45.0187 4032 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/11 14:40:45.0250 4032 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/11 14:40:45.0328 4032 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/11 14:40:45.0375 4032 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/11 14:40:45.0437 4032 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/11 14:40:45.0484 4032 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/11 14:40:45.0562 4032 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/11 14:40:45.0609 4032 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/11 14:40:45.0656 4032 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/11 14:40:45.0718 4032 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/11 14:40:45.0750 4032 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/05/11 14:40:45.0796 4032 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/11 14:40:45.0859 4032 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/11 14:40:45.0968 4032 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
    2011/05/11 14:40:46.0015 4032 LVRS (b6e1ccd6572984adcae68439afd07011) C:\WINDOWS\system32\DRIVERS\lvrs.sys
    2011/05/11 14:40:46.0203 4032 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
    2011/05/11 14:40:46.0328 4032 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/11 14:40:46.0359 4032 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/11 14:40:46.0390 4032 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/05/11 14:40:46.0437 4032 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    2011/05/11 14:40:46.0484 4032 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/11 14:40:46.0515 4032 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/11 14:40:46.0578 4032 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/11 14:40:46.0640 4032 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/05/11 14:40:46.0671 4032 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/11 14:40:46.0734 4032 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/11 14:40:46.0796 4032 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/11 14:40:46.0843 4032 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/11 14:40:46.0906 4032 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/11 14:40:46.0937 4032 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/11 14:40:46.0984 4032 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/11 14:40:47.0031 4032 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/05/11 14:40:47.0109 4032 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/11 14:40:47.0156 4032 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/05/11 14:40:47.0218 4032 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/11 14:40:47.0312 4032 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/05/11 14:40:47.0359 4032 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/11 14:40:47.0421 4032 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/11 14:40:47.0484 4032 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/11 14:40:47.0531 4032 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/11 14:40:47.0593 4032 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/11 14:40:47.0640 4032 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/11 14:40:47.0750 4032 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/11 14:40:47.0859 4032 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
    2011/05/11 14:40:48.0046 4032 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/11 14:40:48.0140 4032 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/11 14:40:48.0875 4032 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/05/11 14:40:49.0265 4032 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/11 14:40:49.0296 4032 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/11 14:40:49.0359 4032 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
    2011/05/11 14:40:49.0437 4032 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
    2011/05/11 14:40:49.0500 4032 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
    2011/05/11 14:40:49.0562 4032 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/11 14:40:49.0609 4032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/11 14:40:49.0656 4032 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/11 14:40:49.0718 4032 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/11 14:40:49.0781 4032 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/11 14:40:49.0843 4032 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/11 14:40:49.0968 4032 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/05/11 14:40:50.0000 4032 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/05/11 14:40:50.0125 4032 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/11 14:40:50.0156 4032 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/11 14:40:50.0218 4032 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/11 14:40:50.0296 4032 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/11 14:40:50.0343 4032 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/05/11 14:40:50.0375 4032 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/05/11 14:40:50.0406 4032 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/05/11 14:40:50.0437 4032 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/05/11 14:40:50.0468 4032 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/05/11 14:40:50.0515 4032 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/11 14:40:50.0578 4032 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/11 14:40:50.0609 4032 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/11 14:40:50.0656 4032 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/11 14:40:50.0703 4032 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/11 14:40:50.0750 4032 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/11 14:40:50.0812 4032 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/11 14:40:50.0875 4032 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/11 14:40:50.0937 4032 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/11 14:40:51.0078 4032 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/11 14:40:51.0171 4032 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    2011/05/11 14:40:51.0234 4032 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/11 14:40:51.0312 4032 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/11 14:40:51.0375 4032 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/11 14:40:51.0468 4032 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/05/11 14:40:51.0515 4032 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/11 14:40:51.0578 4032 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/05/11 14:40:51.0609 4032 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/05/11 14:40:51.0640 4032 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
    2011/05/11 14:40:51.0750 4032 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/11 14:40:51.0812 4032 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/11 14:40:51.0859 4032 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/05/11 14:40:51.0937 4032 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/11 14:40:51.0984 4032 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/11 14:40:52.0015 4032 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/11 14:40:52.0093 4032 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/05/11 14:40:52.0125 4032 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/05/11 14:40:52.0140 4032 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/05/11 14:40:52.0171 4032 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/05/11 14:40:52.0234 4032 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/11 14:40:52.0328 4032 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/11 14:40:52.0390 4032 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/11 14:40:52.0453 4032 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/11 14:40:52.0500 4032 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/11 14:40:52.0578 4032 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/05/11 14:40:52.0640 4032 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/11 14:40:52.0671 4032 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/05/11 14:40:52.0750 4032 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/11 14:40:52.0828 4032 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/05/11 14:40:52.0875 4032 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/11 14:40:52.0921 4032 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/11 14:40:52.0984 4032 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/11 14:40:53.0031 4032 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/11 14:40:53.0078 4032 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/11 14:40:53.0109 4032 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/11 14:40:53.0171 4032 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/11 14:40:53.0250 4032 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/05/11 14:40:53.0328 4032 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/11 14:40:53.0359 4032 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/05/11 14:40:53.0390 4032 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/05/11 14:40:53.0453 4032 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/11 14:40:53.0515 4032 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/11 14:40:53.0625 4032 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/05/11 14:40:53.0718 4032 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/11 14:40:53.0828 4032 winusb (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.SYS
    2011/05/11 14:40:53.0937 4032 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/05/11 14:40:54.0031 4032 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/11 14:40:54.0140 4032 \HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/11 14:40:54.0218 4032 ================================================================================
    2011/05/11 14:40:54.0218 4032 Scan finished
    2011/05/11 14:40:54.0218 4032 ================================================================================
    2011/05/11 14:40:54.0250 4012 Detected object count: 2
    2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/05/11 14:48:00.0218 4012 \HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/11 14:48:00.0218 4012 \HardDisk3 - ok
    2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\HardDisk3) - User select action: Cure
    2011/05/11 14:48:17.0265 3856 Deinitialize success

    Re: BOO/TDSS.M
    Hello.
    No, leave TDSSKiller now. The item skipped is legit; it's just that TDSSKiller flags locked files.

    That killed the MBR infection. Let's try OTL now.

    Download OTL by OldTimer to your Desktop.

    • Close all windows and double click OTL.exe
    • Click Run Scan and let the program run uninterrupted
    • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
    • You may need to use two posts to get it all.

    ............................................................................................

    Site Admin / Security Administrator

    Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
    - Please PM me if I fail to respond within 24hrs.
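As an added illustration of the triage the helper describes above (the LockedFile hit on sptd.sys is a driver TDSSKiller could not open, while the \HardDisk3 TDL4 hit is the real MBR infection), here is a small Python parser for TDSSKiller-format log lines. This is example code written for this page, not TDSSKiller's or the forum's own tooling; the sample lines are constructed from the log posted above, and the severity rule (LockedFile.* verdicts are informational, every other verdict is treated as malicious) is this example's own assumption, not TDSSKiller's documented semantics.

```python
"""Triage a TDSSKiller log: separate real rootkit detections from informational
'locked file' flags and report what still needs a cure.  Example code for this
page (not TDSSKiller's own); the severity rule below is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log format seen in the thread.
SAMPLE_LOG = r"""
2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
2011/05/11 14:40:51.0750 4032 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/11 14:40:54.0140 4032 \HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 14:40:54.0250 4012 Detected object count: 2
2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/05/11 14:48:00.0218 4012 \HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\HardDisk3) - User select action: Cure
""".strip()

# Every line: timestamp, thread id, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# Message shapes seen in the log (patterns are this example's own).
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \((?P<n>\d+)\)$")
ACTION_RE = re.compile(r"^(?P<verdict>[^()]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<obj>\S+) \((?P<verdict>[^)]+)\) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Driver:
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    verdict: str
    severity: str                     # 'malicious' or 'informational'
    action: Optional[str] = None      # Skip / Cure / ... as chosen by the user
    cure_pending: bool = False        # "will be cured after reboot" seen


@dataclass
class Triage:
    drivers: Dict[str, Driver] = field(default_factory=dict)
    suspicious: Dict[str, str] = field(default_factory=dict)   # path -> md5
    detections: Dict[str, Detection] = field(default_factory=dict)
    detected_count: Optional[int] = None


def classify(verdict: str) -> str:
    # Assumption: a LockedFile.* verdict only means the scanner could not open
    # the file (the thread treats the sptd.sys hit as legitimate); anything
    # else, e.g. Rootkit.Win32.TDSS.tdl4, is treated as malicious.
    return "informational" if verdict.startswith("LockedFile.") else "malicious"


def _get(t: Triage, obj: str, verdict: str) -> Detection:
    return t.detections.setdefault(obj, Detection(obj, verdict, classify(verdict)))


def triage(log_text: str) -> Triage:
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := DRIVER_RE.match(msg)):
            t.drivers[d["name"]] = Driver(d["md5"], d["path"])
        elif (d := SUSPICIOUS_RE.match(msg)):
            t.suspicious[d["path"]] = d["md5"]
        elif (d := DETECT_RE.match(msg)):
            _get(t, d["obj"], d["verdict"])
        elif (d := ACTION_RE.match(msg)):
            _get(t, d["obj"], d["verdict"]).action = d["action"]
        elif (d := CURE_RE.match(msg)):
            _get(t, d["obj"], d["verdict"]).cure_pending = True
        elif (d := COUNT_RE.match(msg)):
            t.detected_count = int(d["n"])
    return t


def needs_attention(t: Triage) -> List[Detection]:
    """Malicious detections the user did not choose to cure (skipped or unanswered)."""
    return [d for d in t.detections.values()
            if d.severity == "malicious" and d.action != "Cure"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for det in result.detections.values():
        print(f"{det.obj}: {det.verdict} [{det.severity}] action={det.action} "
              f"reboot-cure={'yes' if det.cure_pending else 'no'}")
    print("still needs attention:", [d.obj for d in needs_attention(result)])
```

Run on the sample, the sptd entry comes out as informational with action Skip and the \HardDisk3 entry as malicious, cured after reboot, so nothing is left needing attention; a log where a Rootkit.* hit had been skipped would list it.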

    Re: BOO/TDSS.M
    Good news! Now that some of the virus is dead, I can get on GP from my own computer, where I am right now. Those logs are coming.

    Re: BOO/TDSS.M
    Yayyyyyyy~~~ It workeddddddd~~~~~ I just need to copy/paste the logs now. (Please excuse typos, the remaining virus is making the screen type very slow and it's screwing up my typing accuracy.)

    OTL logfile created on: 5/11/2011 3:13:44 PM - Run 3
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Miranda Rian\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 70.81 Gb Total Space | 13.65 Gb Free Space | 19.28% Space Free | Partition Type: NTFS
    Drive F: | 931.51 Gb Total Space | 888.73 Gb Free Space | 95.41% Space Free | Partition Type: NTFS
    Drive I: | 1.86 Gb Total Space | 1.18 Gb Free Space | 63.23% Space Free | Partition Type: FAT
    Drive J: | 74.51 Gb Total Space | 3.32 Gb Free Space | 4.45% Space Free | Partition Type: FAT32

    Computer Name: D94LZ971 | User Name: Miranda Rian | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
    PRC - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msywgahg.exe
    PRC - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/03/22 23:56:40 | 000,687,448 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    PRC - [2011/03/21 17:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/11/04 02:14:38 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/04/01 05:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
    PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/02/21 17:59:00 | 000,143,360 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2004/09/01 03:06:18 | 000,147,456 | ---- | M] (A4Tech Co.,Ltd.) -- C:\Program Files\A4Tech\Mouse\Amoumain.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
    MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2008/04/13 20:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\iyocusura.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (npggsvc)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\msywgahg.exe -- (Network Adapter Events)
    SRV - [2011/05/02 22:30:25 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\6to4v32.dll -- (6to4)
    SRV - [2011/05/02 22:30:07 | 000,215,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\itlpfw32.dll -- (itlperf)
    SRV - [2011/05/02 15:36:07 | 003,274,328 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_3f211bc.dll -- (Akamai)
    SRV - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/04/01 01:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
    SRV - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/06/18 21:59:12 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2010/02/10 12:42:32 | 000,303,176 | ---- | M] (ThinSoft Pte Ltd.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\BeTwinServiceXP.exe -- (TermService)
    SRV - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/04/01 01:11:10 | 004,333,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech Webcam 500(UVC)
    DRV - [2011/04/01 01:09:48 | 000,291,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvrs.sys -- (LVRS)
    DRV - [2011/03/19 13:46:03 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
    DRV - [2010/11/23 22:11:00 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 16:17:40 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2010/05/14 18:04:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvcflt.sys -- (FilterService)
    DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2010/02/10 12:42:34 | 000,025,656 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\BeTwinVF.sys -- (BeTwinVideo)
    DRV - [2010/02/10 12:42:32 | 000,015,040 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BeTwinSystem.sys -- (BeTwinSystem)
    DRV - [2010/02/10 12:42:26 | 000,033,336 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINMF.sys -- (BeTwinMouse)
    DRV - [2010/02/10 12:42:26 | 000,033,208 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINKF.sys -- (BeTwinKeyboard)
    DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
    DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hamachi.sys -- (hamachi)
    DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\winusb.sys -- (winusb)
    DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\npptNT2.sys -- (NPPTNT2)
    DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
    DRV - [2004/08/25 14:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -- (b57w2k)
    DRV - [2004/06/15 23:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
    DRV - [2004/06/09 13:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys -- (P17)
    DRV - [2004/03/05 23:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
    DRV - [2004/03/05 23:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
    DRV - [2004/03/05 23:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
    DRV - [2003/09/22 09:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
    DRV - [2003/09/22 09:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
    DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&fr=yie7c
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
    FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
    FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
    FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
    FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5
    FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
    FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d

    FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/11 18:08:59 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/11 18:09:00 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{0ECA710F-47D0-4675-B53F-35385D5E8880}: C:\Documents and Settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880} [2011/05/02 20:12:19 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}: C:\Documents and Settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A} [2011/05/04 12:44:29 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:24:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:24:09 | 000,000,000 | ---D | M]

    [2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions
    [2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions\celtx@celtx.com
    [2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions
    [2011/03/31 22:36:11 | 000,000,000 | ---D | M] ("Malware Search") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
    [2010/06/24 13:48:48 | 000,000,000 | ---D | M] ("Athena") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
    [2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
    [2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    [2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    [2009/12/21 01:47:02 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    Hosts file not found
    O2 - BHO: (DivX Plus Web Player HTML5

    Re: BOO/TDSS.M

    The Extras log doesn't appear to have generated. That's just an uninstall list, right?

    Re: BOO/TDSS.M

    Hello.

    • Download combofix from here
      Link 1

      1. If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      2. During the download, rename Combofix to Combo-Fix as follows:

      [image: CF_download_FF]

      [image: CF_download_rename]

      3. It is important you rename Combofix during the download, but not after.
      4. Please do not rename Combofix to other names, but only to the one indicated.
      5. Close any open browsers.
      6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • We need to disable your local AV (Anti-virus) before running Combofix.
    • See HERE for how to disable your AV.
    • Double click on ComboFix.exe.
    • Follow the prompts. NOTE:
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
      ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


    • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

      [image: Cf410]

    • Allow ComboFix to download the Recovery Console.
    • Accept the End-User License Agreement.
    • The Recovery Console will be installed.
    • You will then get this next prompt that asks if you want to continue the malware scan, select yes

      [image: Cf510]

    • Allow combofix to run
    • Post C:\combofix.txt back here.

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ............................................................................................

    Site Admin / Security Administrator

    Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
    - Please PM me if I fail to respond within 24hrs.

    Re: BOO/TDSS.M

    Here's the ComboFix log. Things seem to be working better now, Firefox recognized the fact that I had no default browser set and allowed me to do something about it. It did pop up with some errors about missing DLL files, but they all had the junk names so I think they were bad files that CF deleted and the virus was looking for them. After checking the list of running processes, it looks like several virus processes have been killed for good but others have not. Advice on the next step?

    ComboFix 11-05-11.01 - Miranda Rian 05/11/2011 16:28:01.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -4:00]
    Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Miranda Rian\Application Data\avdrn.dat
    c:\documents and settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll
    c:\documents and settings\Miranda Rian\Application Data\Sun\mxd1.txt
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome.manifest
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\_cfg.js
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\overlay.xul
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\install.rdf
    c:\documents and settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe
    c:\documents and settings\Miranda Rian\WINDOWS
    c:\documents and settings\Richard Rian\WINDOWS
    C:\Recycle.Bin
    c:\recycle.bin\config.bin
    c:\recycle.bin\Recycle.Bin.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\Glivua.exe
    c:\windows\Glivub.exe
    c:\windows\iyocusura.dll
    c:\windows\system32\6to4v32.dll
    c:\windows\system32\certstore.dat
    c:\windows\system32\itlnfw32.dll
    c:\windows\system32\itlpfw32.dll
    c:\windows\system32\RGSS104E.dll
    c:\windows\system32\RGSS104J.dll
    c:\windows\TDPLAP.dll
    F:\autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_6TO4
    -------\Legacy_ITLPERF
    -------\Service_6to4
    -------\Service_itlperf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-07 15:05 . 2011-05-07 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-05-07 14:36 . 2010-02-10 16:42 303176 ----a-w- c:\windows\system32\BeTwinServiceXP.exe
    2011-05-07 14:36 . 2010-02-10 16:42 33208 ----a-w- c:\windows\system32\drivers\BETWINKF.sys
    2011-05-07 14:36 . 2010-02-10 16:42 81984 ----a-w- c:\windows\system32\BeTwinAudio.dll
    2011-05-07 14:36 . 2006-03-17 03:35 249856 ----a-w- c:\windows\system32\SlsApi.dll
    2011-05-07 14:36 . 2010-02-10 16:42 15040 ----a-w- c:\windows\system32\drivers\BeTwinSystem.sys
    2011-05-07 14:36 . 2010-02-10 16:42 33336 ----a-w- c:\windows\system32\drivers\BETWINMF.sys
    2011-05-07 14:36 . 2010-02-10 16:42 25656 ----a-w- c:\windows\system32\drivers\BETWINVF.sys
    2011-05-07 14:36 . 2003-06-27 06:08 8704 ----a-w- c:\windows\system32\xtgina.dll
    2011-05-07 14:28 . 2011-05-07 14:28 42016 ----a-w- c:\windows\system32\msywgahg.exe
    2011-05-04 17:27 . 2011-05-04 17:28 -------- d-----w- c:\documents and settings\Administrator
    2011-05-04 16:44 . 2011-05-04 16:44 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}
    2011-05-03 00:12 . 2011-05-11 18:40 0 ----a-w- c:\windows\Ffavunoli.bin
    2011-04-30 08:51 . 2011-04-30 08:51 -------- d-----w- c:\program files\Combined Community Codec Pack
    2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----w- c:\program files\Matroska Pack
    2011-04-19 00:35 . 2011-04-19 00:35 -------- d-----w- c:\program files\iPod
    2011-04-19 00:34 . 2011-04-19 00:35 -------- d-----w- c:\program files\iTunes
    2011-04-19 00:30 . 2011-04-19 00:30 -------- d-----w- c:\program files\Bonjour
    2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe1_1DED5EFD410A48DB909A2B2022BB50D2.exe
    2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe_1DED5EFD410A48DB909A2B2022BB50D2.exe
    2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-04-13 23:53 . 2011-04-13 23:54 -------- d-----w- c:\program files\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-01 05:11 . 2009-12-28 16:52 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
    2011-04-01 05:10 . 2009-12-28 16:52 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
    2011-04-01 05:10 . 2009-12-28 16:52 543328 ----a-w- c:\windows\system32\LVUI2.dll
    2011-04-01 05:09 . 2009-12-28 16:52 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
    2011-04-01 05:08 . 2011-04-01 05:08 195168 ----a-w- c:\windows\system32\lvci13251014.dll
    2011-04-01 05:08 . 2009-12-28 16:52 301664 ----a-w- c:\windows\system32\lvcodec2.dll
    2011-04-01 05:07 . 2010-05-14 21:56 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
    2011-04-01 05:07 . 2010-05-14 21:56 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
    2011-04-01 05:06 . 2010-05-14 21:55 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
    2011-04-01 04:56 . 2009-12-28 16:52 39318 ----a-w- c:\windows\system32\Repository.reg
    2011-03-23 03:58 . 2011-03-23 03:58 14168 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
    2011-03-19 17:46 . 2010-04-10 19:29 137656 -c--a-w- c:\windows\system32\drivers\avipbb.sys
    2010-03-09 16:11 . 2010-03-09 15:58 939139876 ----a-w- c:\program files\FEZsetup_2010-02-26.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
    "WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-09-01 147456]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Rhapsody\\rhapsody.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
    "6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
    "12933:TCP"= 12933:TCP:BitComet 12933 TCP
    "12933:UDP"= 12933:UDP:BitComet 12933 UDP
    "1034:TCP"= 1034:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
    R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
    S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
    S1 BeTwinSystem;BeTwinSystem;c:\windows\SYSTEM32\DRIVERS\BeTwinSystem.sys [5/7/2011 10:36 AM 15040]
    S3 BeTwinKeyboard;BeTwinKeyboard;c:\windows\SYSTEM32\DRIVERS\BETWINKF.sys [5/7/2011 10:36 AM 33208]
    S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
    S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUAUSERV
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Athena: {405e2f6c-b9b8-4515-a69c-e375d7156c86} - %profile%\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
    FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    user_pref(security.warn_viewing_mixed,false);
    user_pref(security.warn_viewing_mixed.show_once,false);
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    user_pref(security.warn_submit_insecure,false);
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    ------- File Associations -------
    .
    exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Steam - i:\steam\Steam.exe
    HKCU-Run-Dloqa - c:\windows\TDPLAP.dll
    HKCU-Run-4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI - c:\recycle.bin\Recycle.Bin.exe
    HKLM-Run-QuickTime Task - i:\quicktime\QTTask.exe
    HKLM-Run-Ywokaqe - c:\windows\iyocusura.dll
    Notify-itlntfy - itlnfw32.dll
    AddRemove-Champions Online - f:\cryptic studios\Uninstall Champions Online.exe
    AddRemove-Guild Wars - i:\guild wars\Gw.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    AddRemove-Shin Megami Tensei: Imagine Online - f:\aeriagames\MegaTen\Uninst.exe
    AddRemove-Steam App 7650 - i:\steam\steam.exe
    AddRemove-Steam App 7660 - i:\steam\steam.exe
    AddRemove-Steam App 7730 - i:\steam\steam.exe
    AddRemove-Steam App 7760 - i:\steam\steam.exe
    AddRemove-Steam App 7770 - i:\steam\steam.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - i:\ea games\The Sims 2 Deluxe\EAUninstall.exe
    AddRemove-The Twilight Zone - i:\the twilight zone\Uninstal.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-11 16:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(716)
    c:\windows\system32\xtgina.dll
    c:\windows\system32\WINSCARD.DLL
    .
    - - - - - - - > 'explorer.exe'(2744)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-11 16:51:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-11 20:51
    ComboFix2.txt 2010-08-06 23:36
    .
    Pre-Run: 14,587,121,664 bytes free
    Post-Run: 16,250,331,136 bytes free
    .
    - - End Of File - - 602E313A295602BB876EC9FBEA0F1416

    Re: BOO/TDSS.M

    Hello.
    2 things to do here.

    Please download exeHelper from one of the two links.
    Link 1
    Link 2

    • Double-click on exeHelper.com or exeHelper.scr to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Next,

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Code:

      File::
      c:\windows\system32\msywgahg.exe
      c:\windows\Ffavunoli.bin

      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      "itlsvc"=-

    4. Save this as CFScript.txt, in the same location as ComboFix.exe

      [image: Cfscriptb4i]

    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

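
    Reading the ComboFix log above by hand is how the helper picked out msywgahg.exe and the orphaned itlsvc svchost entry for the CFScript. As an added example (not part of this thread, of ComboFix or of exeHelper), here is a Python checker that applies three of those reading rules to ComboFix-style log lines: a service whose image is an unrecognised .exe sitting directly in system32, an svchost group that names a service the log no longer lists, and a non-default .exe file association like the hok.exe one that exeHelper reset. The sample lines and the allow-list of system32 service images are constructed for the example.

```python
"""Flag persistence residue in a ComboFix log (added example, not part of ComboFix)."""
import re

# Constructed sample, modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
itlsvc REG_MULTI_SZ itlperf
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
.
"""

# Constructed allow-list: executables that legitimately live directly in system32 as service images.
KNOWN_SYSTEM32_SERVICE_IMAGES = {
    "svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe", "alg.exe",
    "tcpsvcs.exe", "msdtc.exe", "dllhost.exe",
}
# Windows XP's default .exe handler: run the file itself with its own arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# "R2 name;display name;image path [date size]" as ComboFix prints running/stopped services.
SERVICE_RE = re.compile(r'^([RS][0-4]) ([^;]+);([^;]*);(.+) \[[^\]]*\]$')
SVCHOST_KEY = r'[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]'
SVCHOST_ENTRY_RE = re.compile(r'^(\S+) REG_MULTI_SZ (.+)$')
EXEFILE_RE = re.compile(r'^exefile=(.*)$')


def image_path(path_field):
    """Return the .exe path without trailing service arguments, or None for non-.exe images."""
    m = re.match(r'(?i)^(.*?\.exe)\b', path_field)
    return m.group(1).strip().lower() if m else None


def suspicious_service(path_field):
    """True when a service image is an .exe directly in system32 that is not a known service host."""
    image = image_path(path_field)
    if image is None:
        return False
    directory, _, basename = image.rpartition('\\')
    return directory.endswith('\\windows\\system32') and basename not in KNOWN_SYSTEM32_SERVICE_IMAGES


def scan_combofix(text):
    """Return (category, detail) findings for the three persistence tricks seen in this thread."""
    findings = []
    service_names = set()
    svchost_groups = {}          # svchost group -> service names it claims to host
    in_svchost = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            in_svchost = False   # ComboFix separates sections with lone dots
            continue
        m = SERVICE_RE.match(line)
        if m:
            service_names.add(m.group(2).lower())
            if suspicious_service(m.group(4)):
                findings.append(('service', f'{m.group(2)} -> {m.group(4)}'))
            continue
        if line.lower() == SVCHOST_KEY:
            in_svchost = True
            continue
        if line.startswith('['):
            in_svchost = False
            continue
        m = SVCHOST_ENTRY_RE.match(line)
        if in_svchost and m:
            svchost_groups[m.group(1)] = m.group(2).split()
            continue
        m = EXEFILE_RE.match(line)
        if m and m.group(1).strip() != DEFAULT_EXEFILE_COMMAND:
            findings.append(('exefile', m.group(1).strip()))
    # ComboFix hides default svchost groups, so any listed group whose service is no longer
    # present is leftover from a removed loader (here: itlsvc -> itlperf).
    for group, members in svchost_groups.items():
        for member in members:
            if member.lower() not in service_names:
                findings.append(('svchost', f'{group} -> {member}'))
    return findings


if __name__ == '__main__':
    for category, detail in scan_combofix(SAMPLE_LOG):
        print(f'[{category}] {detail}')
```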

    Re: BOO/TDSS.M

    The exeHelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 18:14:21 on 05/11/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Re: BOO/TDSS.M

    Standing by for Combofix log.

