Geeks to Go

Google Redirect Problems [Solved]


#16 Rorschach112 (Ralphie, Retired Staff)
hi

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

Please download Dr.Web CureIt. Save it to your desktop:
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

#17 RobMPrager (Topic Starter, Member)
Hi,

TDSSKiller log is below. Dr.Web CureIt did not find any viruses. When I went to click on File, the Save Report List was not "clickable", so I do not have a log ...

23:30:32:586 4380 TDSS rootkit removing tool 2.2.0 Jan 11 2010 08:45:19
23:30:32:586 4380 ================================================================================
23:30:32:586 4380 SystemInfo:

23:30:32:586 4380 OS Version: 6.0.6001 ServicePack: 1.0
23:30:32:586 4380 Product type: Workstation
23:30:32:586 4380 ComputerName: ROBERT-PC
23:30:32:586 4380 UserName: Robert
23:30:32:586 4380 Windows directory: C:\Windows
23:30:32:586 4380 Processor architecture: Intel x86
23:30:32:586 4380 Number of processors: 2
23:30:32:586 4380 Page size: 0x1000
23:30:32:602 4380 Boot type: Normal boot
23:30:32:602 4380 ================================================================================
23:30:32:602 4380 UnloadDriverW: NtUnloadDriver error 2
23:30:32:602 4380 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:30:32:602 4380 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:30:33:631 4380 UtilityInit: KLMD drop and load success
23:30:33:631 4380 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
23:30:33:631 4380 UtilityInit: KLMD open success
23:30:33:631 4380 UtilityInit: Initialize success
23:30:33:631 4380
23:30:33:631 4380 Scanning Services ...
23:30:33:631 4380 CreateRegParser: Registry parser init started
23:30:33:631 4380 CreateRegParser: DisableWow64Redirection error
23:30:33:631 4380 wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:30:33:631 4380 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
23:30:33:631 4380 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:30:33:631 4380 wfopen_ex: Trying to KLMD file open
23:30:33:631 4380 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
23:30:33:631 4380 wfopen_ex: File opened ok (Flags 2)
23:30:33:647 4380 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 15C6F80
23:30:33:647 4380 wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:30:33:647 4380 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
23:30:33:647 4380 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:30:33:647 4380 wfopen_ex: Trying to KLMD file open
23:30:33:647 4380 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
23:30:33:647 4380 wfopen_ex: File opened ok (Flags 2)
23:30:33:647 4380 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 15C6FA8
23:30:33:647 4380 CreateRegParser: EnableWow64Redirection error
23:30:33:647 4380 CreateRegParser: RegParser init completed
23:30:35:020 4380 GetAdvancedServicesInfo: Raw services enum returned 495 services
23:30:35:035 4380 fclose_ex: Trying to close file C:\Windows\system32\config\system
23:30:35:035 4380 fclose_ex: Trying to close file C:\Windows\system32\config\software
23:30:35:035 4380
23:30:35:035 4380 Scanning Kernel memory ...
23:30:35:035 4380 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:30:35:035 4380 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86B45228
23:30:35:035 4380 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
23:30:35:035 4380
23:30:35:035 4380 DetectCureTDL3: DEVICE_OBJECT: 86CA1398
23:30:35:035 4380 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86CA1398
23:30:35:035 4380 DetectCureTDL3: DEVICE_OBJECT: 86B3BC48
23:30:35:035 4380 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86B3BC48
23:30:35:035 4380 DetectCureTDL3: DEVICE_OBJECT: 86B39BA0
23:30:35:035 4380 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86B39BA0
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x86B39BA0[0x38]
23:30:35:035 4380 DetectCureTDL3: DRIVER_OBJECT: 879A2CF0
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x879A2CF0[0xA8]
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x86B3A028[0x38]
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x85D8C660[0xA8]
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x86AFBC90[0x1A]
23:30:35:035 4380 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:30:35:035 4380 DetectCureTDL3: IrpHandler (0) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (1) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (2) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (3) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (4) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (5) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (6) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (7) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (8) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (9) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (10) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (11) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (12) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (13) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (14) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (15) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (16) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (17) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (18) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (19) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (20) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (21) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (22) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (23) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (24) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (25) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: IrpHandler (26) addr: 86B4D618
23:30:35:035 4380 DetectCureTDL3: All IRP handlers pointed to one addr: 86B4D618
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x86B4D618[0x400]
23:30:35:035 4380 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
23:30:35:035 4380 Driver "atapi" Irp handler infected by TDSS rootkit ... 23:30:35:035 4380 KLMD_WriteMem: Trying to WriteMemory 0x86B4D67D[0xD]
23:30:35:035 4380 cured
23:30:35:035 4380 KLMD_ReadMem: Trying to ReadMemory 0x86B4D4BF[0x400]
23:30:35:035 4380 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
23:30:35:035 4380 Driver "atapi" StartIo handler infected by TDSS rootkit ... 23:30:35:035 4380 TDL3_StartIoHookCure: Number of patches 1
23:30:35:035 4380 KLMD_WriteMem: Trying to WriteMemory 0x86B4D5B6[0x6]
23:30:35:035 4380 cured
23:30:35:035 4380 TDL3_FileDetect: Processing driver: atapi
23:30:35:035 4380 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:30:35:035 4380 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
23:30:35:051 4380 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
23:30:35:051 4380 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 23:30:35:066 4380 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:30:37:141 4380 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys:21560, checking..
23:30:37:188 4380 ValidateDriverFile: Stage 1 passed
23:30:37:188 4380 ValidateDriverFile: Stage 2 passed
23:30:37:375 4380 DigitalSignVerifyByHandle: Embedded DS result: 00000000
23:30:37:375 4380 ValidateDriverFile: Stage 3 passed
23:30:37:375 4380 FileCallback: File validated successfully, restore information prepared
23:30:41:572 4380 FindDriverFileBackup: Backup copy found in DriverStore
23:30:41:572 4380 TDL3_FileCure: Backup copy found, using it..
23:30:41:572 4380 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tsk352A.tmp
23:30:41:930 4380 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk352A.tmp, system32\drivers\atapi.sys)
23:30:41:930 4380 TDL3_FileCure: KLMD jobs schedule success
23:30:41:930 4380 will be cured on next reboot
23:30:41:930 4380 UtilityBootReinit: Reboot required for cure complete..
23:30:41:930 4380 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
23:30:41:962 4380 UtilityBootReinit: KLMD drop success
23:30:41:962 4380 KLMD_ApplyPendList: Pending buffer(4600_2E9C, 616) dropped successfully
23:30:41:962 4380 UtilityBootReinit: Cure on reboot scheduled successfully
23:30:41:962 4380
23:30:41:962 4380 Completed
23:30:41:962 4380
23:30:41:962 4380 Results:
23:30:41:962 4380 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
23:30:41:962 4380 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:30:41:962 4380 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:30:41:962 4380
23:30:41:962 4380 UnloadDriverW: NtUnloadDriver error 1
23:30:41:962 4380 KLMD_Unload: UnloadDriverW(klmd21) error 1
23:30:41:962 4380 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:30:41:962 4380 UtilityDeinit: KLMD(ARK) unloaded successfully
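As an added triage helper (not part of the thread, and not code from TDSSKiller or its vendor), the following Python reads a TDSSKiller log in the format posted above: it strips the "HH:MM:SS:mmm PID" prefix, recovers the second message the tool writes on the same physical line after "infected by TDSS rootkit ...", records each infected object with the outcome the tool logged, reads the Results tally, and cross-checks the two. The names Finding, Report and parse_tdsskiller_log are my own, and the sample log is a constructed subset of the lines posted in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the TDSSKiller 2.2.0 log posted above, kept
# verbatim, including the places where the tool wrote "... " without a newline
# so that a second prefixed message follows on the same physical line.
SAMPLE_LOG = r"""23:30:32:586 4380 TDSS rootkit removing tool 2.2.0 Jan 11 2010 08:45:19
23:30:35:035 4380 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:30:35:035 4380 DetectCureTDL3: All IRP handlers pointed to one addr: 86B4D618
23:30:35:035 4380 Driver "atapi" Irp handler infected by TDSS rootkit ... 23:30:35:035 4380 KLMD_WriteMem: Trying to WriteMemory 0x86B4D67D[0xD]
23:30:35:035 4380 cured
23:30:35:035 4380 Driver "atapi" StartIo handler infected by TDSS rootkit ... 23:30:35:035 4380 TDL3_StartIoHookCure: Number of patches 1
23:30:35:035 4380 KLMD_WriteMem: Trying to WriteMemory 0x86B4D5B6[0x6]
23:30:35:035 4380 cured
23:30:35:051 4380 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 23:30:35:066 4380 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:30:41:930 4380 will be cured on next reboot
23:30:41:930 4380 UtilityBootReinit: Reboot required for cure complete..
23:30:41:962 4380
23:30:41:962 4380 Results:
23:30:41:962 4380 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
23:30:41:962 4380 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:30:41:962 4380 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# "HH:MM:SS:mmm PID " prefix. The trailing space is optional so that a
# prefix-only line (an empty message) splits into nothing.
PREFIX = re.compile(r"\d{2}:\d{2}:\d{2}:\d{3} \d+ ?")
# Two shapes of detection message: a hooked driver dispatch routine, or a file.
INFECTED = re.compile(
    r'^(?:Driver "(?P<driver>[^"]+)" (?P<hook>\w+ handler)|File (?P<file>\S+)) '
    r"infected by TDSS rootkit"
)
RESULTS = re.compile(
    r"^(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<on_reboot>\d+)$"
)


@dataclass
class Finding:
    kind: str                  # "Memory" (hooked driver dispatch) or "File"
    target: str                # e.g. "atapi Irp handler" or the driver file path
    outcome: str = "pending"   # "cured", "cured on reboot" or "pending"


@dataclass
class Report:
    findings: list = field(default_factory=list)
    results: dict = field(default_factory=dict)  # kind -> (infected, cured, on_reboot)
    reboot_required: bool = False


def messages(text):
    """Yield log messages with the prefix removed. TDSSKiller sometimes writes
    a status fragment without a newline, so one physical line can carry two
    prefixed messages; splitting on the prefix recovers both."""
    for line in text.splitlines():
        for part in PREFIX.split(line):
            part = part.strip()
            if part:
                yield part


def parse_tdsskiller_log(text):
    report = Report()
    for msg in messages(text):
        m = INFECTED.match(msg)
        if m:
            if m.group("file"):
                report.findings.append(Finding("File", m.group("file")))
            else:
                report.findings.append(Finding("Memory", f'{m.group("driver")} {m.group("hook")}'))
            continue
        # The bare "cured" / "will be cured on next reboot" lines refer to the
        # most recent detection, which is how the tool orders its output.
        if msg == "cured" and report.findings:
            report.findings[-1].outcome = "cured"
        elif msg == "will be cured on next reboot" and report.findings:
            report.findings[-1].outcome = "cured on reboot"
        elif msg.startswith("UtilityBootReinit: Reboot required"):
            report.reboot_required = True
        else:
            r = RESULTS.match(msg)
            if r:
                report.results[r.group("kind")] = tuple(
                    int(r.group(k)) for k in ("infected", "cured", "on_reboot"))
    return report


def results_consistent(report):
    """Cross-check the per-finding outcomes against the tool's own tally; a
    mismatch means a detection line was missed or the log was truncated."""
    for kind, expected in report.results.items():
        of_kind = [f for f in report.findings if f.kind == kind]
        seen = (len(of_kind),
                sum(f.outcome == "cured" for f in of_kind),
                sum(f.outcome == "cured on reboot" for f in of_kind))
        if seen != expected:
            return False
    return True


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep.findings:
        print(f"{f.kind:6} {f.target}: {f.outcome}")
    print("reboot required:", rep.reboot_required, "| tally consistent:", results_consistent(rep))
```

For the log in the post above, the three findings are the atapi Irp handler (cured), the atapi StartIo handler (cured) and atapi.sys (cured on reboot), with the reboot flag set and the tally consistent, which is why the reboot step matters before declaring the machine clean.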

#18 Rorschach112 (Ralphie, Retired Staff)
any redirects ?

#19 RobMPrager (Topic Starter, Member)
They have gone :) Thanks so much! Should I reinstall Firefox and Chrome now? I uninstalled them before I got on to this forum by myself in an attempt to try and get rid of the virus.

Do you think my current security programmes are good enough going forward - SpyBot, Adaware, Malwarebytes and G Data Anti Virus?

Lastly, what was the name of the malware that was causing the redirects?

#20 Rorschach112 (Ralphie, Retired Staff)
it's called TDSS

one final scan

  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#21 RobMPrager (Topic Starter, Member)
OTL logfile created on: 12/01/2010 14:11:27 - Run 3
OTL by OldTimer - Version 3.1.22.0 Folder = c:\Users\Robert\Downloads
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 72.44 Gb Total Space | 16.55 Gb Free Space | 22.84% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.40 Gb Free Space | 70.12% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROBERT-PC
Current User Name: Robert
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/09 18:26:49 | 00,543,232 | ---- | M] (OldTimer Tools) -- c:\Users\Robert\Downloads\OTL.exe
PRC - [2009/12/10 08:32:39 | 01,053,768 | ---- | M] (G Data Software AG) -- C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
PRC - [2009/11/26 11:50:52 | 00,302,152 | ---- | M] (G Data Software AG) -- C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
PRC - [2009/11/25 01:07:32 | 01,251,488 | ---- | M] (G Data Software AG) -- C:\Program Files\G Data\TotalCare\AVK\AVKWCtl.exe
PRC - [2009/11/25 01:05:05 | 01,547,104 | ---- | M] (G Data Software AG) -- C:\Program Files\G Data\TotalCare\Firewall\GDFwSvc.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/26 23:16:11 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/09/26 23:16:10 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/09/24 08:51:06 | 01,123,912 | ---- | M] (G DATA Software AG) -- C:\Program Files\G Data\TotalCare\Firewall\GDFirewallTray.exe
PRC - [2009/09/07 07:03:52 | 00,922,696 | ---- | M] (G Data Software AG) -- C:\Program Files\G Data\TotalCare\AVKTray\AVKTray.exe
PRC - [2009/08/12 05:46:05 | 00,397,896 | ---- | M] (G Data Software AG) -- C:\Program Files\G Data\TotalCare\AVK\AVKService.exe
PRC - [2009/07/25 04:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/20 12:30:50 | 00,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/15 13:06:19 | 00,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/07/10 12:42:32 | 00,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/08 09:35:50 | 02,780,432 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
PRC - [2009/05/08 09:34:08 | 00,559,888 | ---- | M] () -- C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
PRC - [2009/04/30 15:01:10 | 00,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/12/23 12:44:46 | 00,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/29 06:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/07/02 16:16:20 | 00,393,216 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
PRC - [2008/01/18 23:33:40 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/18 23:33:34 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2007/02/08 05:11:04 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe
PRC - [2006/12/19 13:25:02 | 00,222,088 | R--- | M] () -- C:\Program Files\Dell\Dell Laser Printer 1110\LocalSM\jbDetect.exe
PRC - [2006/11/21 16:08:58 | 00,813,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2006/11/15 13:16:00 | 01,298,432 | ---- | M] (Cambridge Silicon Radio) -- C:\Program Files\CSR\Vista Profile Pack\BtHidUi.exe
PRC - [2006/11/15 13:16:00 | 01,212,416 | ---- | M] (Cambridge Silicon Radio) -- C:\Program Files\CSR\Vista Profile Pack\HidSw.exe
PRC - [2006/11/15 03:27:42 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2006/11/15 03:27:32 | 00,151,552 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2006/11/15 03:27:30 | 00,042,544 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2006/11/15 03:27:30 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2006/11/11 23:10:40 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
PRC - [2006/11/08 18:47:14 | 01,066,528 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/11/08 18:45:12 | 00,378,400 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/11/07 16:26:52 | 00,127,488 | ---- | M] (CSR, plc) -- C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
PRC - [2006/10/20 16:23:38 | 00,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/09 18:26:49 | 00,543,232 | ---- | M] (OldTimer Tools) -- c:\Users\Robert\Downloads\OTL.exe
MOD - [2008/01/18 23:26:36 | 01,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/10 08:32:39 | 01,053,768 | ---- | M] (G Data Software AG) [Auto | Running] -- C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe -- (AVKProxy)
SRV - [2009/11/26 11:50:52 | 00,302,152 | ---- | M] (G Data Software AG) [On_Demand | Running] -- C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe -- (GDScan)
SRV - [2009/11/25 01:07:32 | 01,251,488 | ---- | M] (G Data Software AG) [Auto | Running] -- C:\Program Files\G Data\TotalCare\AVK\AVKWCtl.exe -- (AVKWCtl)
SRV - [2009/11/25 01:05:05 | 01,547,104 | ---- | M] (G Data Software AG) [On_Demand | Running] -- C:\Program Files\G Data\TotalCare\Firewall\GDFwSvc.exe -- (GDFwSvc)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/21 10:28:04 | 00,865,352 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalCare\AVKBackup\AVKBackupService.exe -- (G Data Backup Service)
SRV - [2009/09/26 23:16:10 | 01,028,432 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/24 12:16:12 | 00,378,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2009/08/12 05:46:05 | 00,397,896 | ---- | M] (G Data Software AG) [Auto | Running] -- C:\Program Files\G Data\TotalCare\AVK\AVKService.exe -- (AVKService)
SRV - [2009/07/20 12:28:10 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/15 13:06:19 | 00,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-060409-093314)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/04/30 15:01:10 | 00,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/04/20 01:44:04 | 00,918,600 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalCare\AVKTuner\AVKTunerService.exe -- (G Data Tuner Service)
SRV - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/12/23 12:44:46 | 00,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe -- (TeamViewer4)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/01/18 23:38:26 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/11 23:10:40 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2006/11/08 18:45:12 | 00,378,400 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
SRV - [2006/11/07 16:26:52 | 00,127,488 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe -- (BthFilterHelper)
SRV - [2006/11/07 12:27:02 | 00,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/14 13:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/05/11 17:15:50 | 00,052,736 | ---- | M] (Hewlett-Packard) [Auto | Stopped] -- C:\Windows\System32\HPZIPM12.DLL -- (Pml Driver HPZ12)
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk"
FF - prefs.js..network.proxy.backup.ftp: "194.72.50.238"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "194.72.50.238"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "194.72.50.238"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "194.72.50.238"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "194.72.50.238"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "194.72.50.238"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "194.72.50.238"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.no_proxies_on: "localhost, "
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "194.72.50.238"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "194.72.50.238"
FF - prefs.js..network.proxy.ssl_port: 80

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird 2\components [2009/10/25 22:21:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird 2\plugins

[2008/08/30 16:29:13 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Mozilla\Extensions
[2010/01/01 18:25:17 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\lz0clfi1.default\extensions
[2007/09/20 20:07:19 | 00,002,316 | ---- | M] () -- C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\lz0clfi1.default\searchplugins\dogpile.xml
[2010/01/07 23:28:10 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/01 00:29:47 | 00,284,248 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
[2007/12/14 23:00:12 | 00,000,897 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.png
[2007/12/14 23:00:12 | 00,001,015 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.src

O1 HOSTS File: (806 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalCare\Webfilter\AvkWebIE.dll (G Data Software AG)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalCare\Webfilter\AvkWebIE.dll (G Data Software AG)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BtHidUi] C:\Program Files\CSR\Vista Profile Pack\BtHidUi.exe (Cambridge Silicon Radio)
O4 - HKLM..\Run: [Dell Laser Printer 1110 SM_JB] C:\Program Files\Dell\Dell Laser Printer 1110\LocalSM\jbDetect.exe ()
O4 - HKLM..\Run: [G DATA AntiVirus Trayapplication] C:\Program Files\G Data\TotalCare\AVKTray\AVKTray.exe (G Data Software AG)
O4 - HKLM..\Run: [GDFirewallTray] C:\Program Files\G Data\TotalCare\Firewall\GDFirewallTray.exe (G DATA Software AG)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MmReminderService.exe (Mindjet)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: sch.uk ([folders.kingston-grammar.surrey] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.micr...tualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.euro....r/SysProExe.CAB (WMI Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/11 23:40:17 | 00,000,000 | ---D | C] -- C:\Users\Robert\DoctorWeb
[2010/01/11 23:30:07 | 00,175,880 | ---- | C] (Kaspersky Lab) -- C:\Users\Robert\Desktop\TDSSKiller.exe
[2010/01/11 23:28:42 | 00,000,000 | ---D | C] -- C:\Users\Robert\Desktop\Reports
[2010/01/11 00:28:20 | 00,000,000 | ---D | C] -- C:\Windows\Sun
[2010/01/10 22:51:22 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/01/10 22:49:08 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2010/01/10 22:35:56 | 00,000,000 | ---D | C] -- C:\ComboFix
[2010/01/10 22:34:24 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/01/10 22:34:23 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/01/10 21:46:02 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/01/10 21:46:02 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/01/10 21:46:02 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/01/10 21:44:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/10 20:45:03 | 00,000,000 | ---D | C] -- C:\Program Files\Navilog1
[2010/01/10 20:32:06 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/09 13:04:51 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/01/09 01:06:03 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/01/09 01:05:34 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/08 23:17:21 | 00,028,616 | ---- | C] (G Data Software AG) -- C:\Windows\System32\drivers\GDBehave.sys
[2010/01/08 16:40:26 | 00,029,128 | ---- | C] (G Data Software) -- C:\Windows\System32\drivers\GRD.sys
[2010/01/08 00:42:52 | 00,055,624 | ---- | C] (G Data Software AG) -- C:\Windows\System32\drivers\MiniIcpt.sys
[2010/01/08 00:42:16 | 00,047,560 | ---- | C] (G DATA Software AG) -- C:\Windows\System32\drivers\PktIcpt.sys
[2010/01/08 00:42:05 | 00,035,272 | ---- | C] (G Data Software AG) -- C:\Windows\System32\drivers\HookCentre.sys
[2010/01/08 00:41:10 | 00,040,904 | ---- | C] (G DATA Software AG) -- C:\Windows\System32\drivers\gdwfpcd32.sys
[2010/01/08 00:40:37 | 00,000,000 | ---D | C] -- C:\#GDATA.Trash.Store#
[2010/01/08 00:40:11 | 00,000,000 | ---D | C] -- C:\ProgramData\G DATA
[2010/01/08 00:40:11 | 00,000,000 | ---D | C] -- C:\Program Files\G Data
[2010/01/08 00:40:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\G DATA
[2010/01/08 00:35:45 | 00,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Downloaded Installations
[2010/01/07 23:57:25 | 00,000,000 | ---D | C] -- C:\ProgramData\Citrix
[2010/01/07 23:53:54 | 00,000,000 | ---D | C] -- C:\Program Files\Citrix
[2010/01/07 23:53:47 | 00,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Citrix
[2010/01/06 21:10:53 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/06 19:16:51 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/06 19:16:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/06 18:34:36 | 00,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/01/02 18:10:44 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner

========== Files - Modified Within 14 Days ==========

[2010/01/12 14:20:54 | 10,747,904 | -HS- | M] () -- C:\Users\Robert\ntuser.dat
[2010/01/12 14:11:00 | 00,035,416 | ---- | M] () -- C:\Users\Robert\AppData\Roaming\nvModes.dat
[2010/01/12 14:11:00 | 00,035,416 | ---- | M] () -- C:\Users\Robert\AppData\Roaming\nvModes.001
[2010/01/12 14:10:48 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/12 12:02:52 | 00,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{3AFCC132-086D-419A-84D7-06785008BF99}.job
[2010/01/12 11:59:10 | 00,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/12 11:59:09 | 00,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/12 11:59:09 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/12 00:59:41 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/01/12 00:59:38 | 00,524,288 | -HS- | M] () -- C:\Users\Robert\ntuser.dat{b867c492-f0bb-11de-bcae-00188bb8da73}.TMContainer00000000000000000001.regtrans-ms
[2010/01/12 00:59:38 | 00,065,536 | -HS- | M] () -- C:\Users\Robert\ntuser.dat{b867c492-f0bb-11de-bcae-00188bb8da73}.TM.blf
[2010/01/12 00:30:48 | 02,186,645 | -H-- | M] () -- C:\Users\Robert\AppData\Local\IconCache.db
[2010/01/12 00:25:21 | 00,000,806 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/01/11 23:38:18 | 27,292,720 | ---- | M] () -- C:\Users\Robert\Desktop\drweb-cureit.exe
[2010/01/11 23:29:55 | 00,152,203 | ---- | M] () -- C:\Users\Robert\Desktop\tdsskiller.zip
[2010/01/11 17:14:13 | 00,707,452 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/11 17:14:13 | 00,611,610 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/11 17:14:13 | 00,110,386 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/11 14:40:38 | 25,658,9363 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/01/11 08:48:18 | 00,175,880 | ---- | M] (Kaspersky Lab) -- C:\Users\Robert\Desktop\TDSSKiller.exe
[2010/01/10 22:49:34 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/01/10 21:40:42 | 03,819,182 | R--- | M] () -- C:\Users\Robert\Desktop\ComboFix.exe
[2010/01/10 20:44:25 | 00,228,116 | ---- | M] () -- C:\Users\Robert\Desktop\Navilog1.exe
[2010/01/09 01:05:35 | 00,000,735 | ---- | M] () -- C:\Users\Robert\Desktop\NTREGOPT.lnk
[2010/01/09 01:05:35 | 00,000,716 | ---- | M] () -- C:\Users\Robert\Desktop\ERUNT.lnk
[2010/01/09 00:52:05 | 00,002,519 | ---- | M] () -- C:\Users\Robert\Desktop\HiJackThis.lnk
[2010/01/09 00:51:08 | 00,002,440 | ---- | M] () -- C:\Users\Robert\Documents\cc_20100109_005054.reg
[2010/01/08 23:20:37 | 00,055,624 | ---- | M] (G Data Software AG) -- C:\Windows\System32\drivers\MiniIcpt.sys
[2010/01/08 23:19:28 | 00,047,560 | ---- | M] (G DATA Software AG) -- C:\Windows\System32\drivers\PktIcpt.sys
[2010/01/08 23:19:18 | 00,035,272 | ---- | M] (G Data Software AG) -- C:\Windows\System32\drivers\HookCentre.sys
[2010/01/08 23:17:32 | 00,040,904 | ---- | M] (G DATA Software AG) -- C:\Windows\System32\drivers\gdwfpcd32.sys
[2010/01/08 23:17:21 | 00,028,616 | ---- | M] (G Data Software AG) -- C:\Windows\System32\drivers\GDBehave.sys
[2010/01/08 16:40:26 | 00,029,128 | ---- | M] (G Data Software) -- C:\Windows\System32\drivers\GRD.sys
[2010/01/08 00:42:06 | 00,001,870 | ---- | M] () -- C:\Users\Public\Desktop\G Data TotalCare.lnk
[2010/01/07 23:53:47 | 00,061,224 | ---- | M] () -- C:\Users\Robert\GoToAssistDownloadHelper.exe
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/06 19:16:54 | 00,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 18:36:18 | 00,384,062 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100106-210126.backup
[2010/01/06 00:22:19 | 00,007,484 | ---- | M] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
[2010/01/05 22:54:55 | 00,096,405 | ---- | M] () -- C:\Users\Robert\Documents\Robert Prager - CV.pdf
[2010/01/04 22:08:21 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/01/03 23:20:01 | 00,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2010/01/02 18:10:45 | 00,001,672 | ---- | M] () -- C:\Users\Robert\Desktop\CCleaner.lnk
[2010/01/02 16:14:59 | 00,001,057 | ---- | M] () -- C:\Users\Robert\Desktop\Spybot - Search & Destroy.lnk

========== Files Created - No Company Name ==========

[2010/01/11 23:38:18 | 27,292,720 | ---- | C] () -- C:\Users\Robert\Desktop\drweb-cureit.exe
[2010/01/11 23:29:52 | 00,152,203 | ---- | C] () -- C:\Users\Robert\Desktop\tdsskiller.zip
[2010/01/11 14:36:43 | 00,293,376 | ---- | C] () -- C:\Users\Robert\Desktop\gmer.exe
[2010/01/10 21:46:02 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/01/10 21:46:02 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/01/10 21:46:02 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/01/10 21:46:02 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/01/10 21:46:02 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/01/10 21:40:36 | 03,819,182 | R--- | C] () -- C:\Users\Robert\Desktop\ComboFix.exe
[2010/01/10 20:44:12 | 00,228,116 | ---- | C] () -- C:\Users\Robert\Desktop\Navilog1.exe
[2010/01/09 13:04:29 | 25,658,9363 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/01/09 01:05:35 | 00,000,735 | ---- | C] () -- C:\Users\Robert\Desktop\NTREGOPT.lnk
[2010/01/09 01:05:35 | 00,000,716 | ---- | C] () -- C:\Users\Robert\Desktop\ERUNT.lnk
[2010/01/09 00:50:57 | 00,002,440 | ---- | C] () -- C:\Users\Robert\Documents\cc_20100109_005054.reg
[2010/01/08 00:42:06 | 00,001,870 | ---- | C] () -- C:\Users\Public\Desktop\G Data TotalCare.lnk
[2010/01/07 23:53:46 | 00,061,224 | ---- | C] () -- C:\Users\Robert\GoToAssistDownloadHelper.exe
[2010/01/06 21:11:06 | 00,002,519 | ---- | C] () -- C:\Users\Robert\Desktop\HiJackThis.lnk
[2010/01/06 19:16:54 | 00,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/05 22:54:55 | 00,096,405 | ---- | C] () -- C:\Users\Robert\Documents\Robert Prager - CV.pdf
[2010/01/02 18:10:45 | 00,001,672 | ---- | C] () -- C:\Users\Robert\Desktop\CCleaner.lnk
[2010/01/02 16:14:59 | 00,001,057 | ---- | C] () -- C:\Users\Robert\Desktop\Spybot - Search & Destroy.lnk
[2009/09/04 19:07:56 | 00,035,416 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\nvModes.001
[2009/09/03 22:55:13 | 00,035,416 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\nvModes.dat
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/05/08 09:13:04 | 00,013,584 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2009/04/30 21:39:36 | 00,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009/04/30 15:00:12 | 00,025,624 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2009/02/06 16:13:16 | 00,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/02/06 16:13:16 | 00,000,088 | RHS- | C] () -- C:\ProgramData\38231B8838.sys
[2009/01/21 19:44:23 | 00,000,089 | ---- | C] () -- C:\Users\Robert\AppData\Local\eggyq.bat
[2009/01/07 11:40:38 | 00,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008/11/29 21:28:32 | 00,000,091 | ---- | C] () -- C:\Users\Robert\AppData\Local\cqiyg.bat
[2008/08/27 18:41:40 | 00,000,348 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008/07/28 11:54:52 | 00,000,050 | ---- | C] () -- C:\Windows\MegaManager.INI
[2008/04/13 11:06:55 | 00,000,094 | ---- | C] () -- C:\Users\Robert\AppData\Local\fusioncache.dat
[2008/01/22 18:01:29 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/12/21 19:29:28 | 00,000,032 | ---- | C] () -- C:\ProgramData\ezsid.dat
[2007/08/22 18:25:06 | 00,000,000 | ---- | C] () -- C:\Windows\mngui.INI
[2007/07/03 10:22:15 | 00,000,176 | ---- | C] () -- C:\Windows\hpbafd.ini
[2007/06/28 21:57:03 | 00,022,723 | ---- | C] () -- C:\Windows\System32\DELS3L3.DLL
[2007/04/14 09:44:03 | 00,044,032 | ---- | C] () -- C:\Users\Robert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/13 17:45:57 | 00,007,484 | ---- | C] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
[2007/04/04 18:00:33 | 00,000,004 | -H-- | C] () -- C:\ProgramData\QSLLPSVCShare
[2006/11/07 19:25:58 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 10:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/16 22:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 22:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll

========== LOP Check ==========

[2009/07/31 17:55:20 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\FileZilla
[2009/09/19 21:26:46 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\GetRightToGo
[2008/03/29 00:43:15 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\gtk-2.0
[2008/03/30 19:53:39 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Management-Ware
[2008/03/30 19:53:04 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Management-Ware Solutions Inc
[2009/10/14 21:50:57 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\NCH Swift Sound
[2007/07/04 21:40:52 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Opera
[2007/04/18 12:38:41 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\PeerNetworking
[2009/02/06 16:14:25 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Progeny
[2010/01/10 21:12:16 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Spotify
[2009/12/08 23:05:11 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\TeamViewer
[2007/08/24 22:43:26 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Teleca
[2007/04/17 09:58:13 | 00,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Thunderbird
[2010/01/04 22:08:21 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2010/01/12 00:59:43 | 00,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/01/12 12:02:52 | 00,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{3AFCC132-086D-419A-84D7-06785008BF99}.job

========== Purity Check ==========


< End of report >

#22
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2009/01/21 19:44:23 | 00,000,089 | ---- | C] () -- C:\Users\Robert\AppData\Local\eggyq.bat
    [2008/11/29 21:28:32 | 00,000,091 | ---- | C] () -- C:\Users\Robert\AppData\Local\cqiyg.bat
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
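The MVPS hosts-file recommendation above and the `[resethosts]` step in the OTL fix both rest on one distinction: a hosts entry that points a site at 127.0.0.1 or 0.0.0.0 blocks it, while an entry that points a well-known site at a routable address silently redirects it, which is exactly the "Google redirect" symptom this thread is about. The script below is an added example, not code from the thread, from OTL or from MVPS. It parses a hosts file the way Windows reads it (comments, tabs, several hostnames per line, malformed lines ignored) and separates block entries from hijack entries. The sample hosts text is constructed, its routable addresses are RFC 5737 test addresses, and `WATCHED_DOMAINS` is an assumed watch list rather than anything the thread names.

```python
"""Audit a Windows hosts file for redirect hijacks.

Added example, not code from the original thread, OTL or MVPS. The hosts
text below is constructed for illustration and WATCHED_DOMAINS is an assumed
list of sites whose hijacking produces the "Google redirect" symptom.
"""
import ipaddress
from typing import Dict, List, Tuple

# Sinkhole addresses: a blocklist such as the MVPS hosts file maps unwanted
# sites here so the connection goes nowhere. Any other address for a watched
# domain redirects the user instead of blocking, which is the hijack.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames Windows itself maps; never reported as blocks or hijacks.
SYSTEM_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch list (not from the thread): domains a redirect hijacker
# commonly points elsewhere. Subdomains of each entry are matched too.
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com",
                   "microsoft.com", "windowsupdate.com")

# Constructed sample: a default Vista header, two MVPS-style block lines,
# three hijack lines using RFC 5737 test addresses, one unwatched mapping
# and one malformed line that Windows would ignore.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style block entries (tab and space separated, trailing comment)
0.0.0.0 ad.doubleclick.net
127.0.0.1\tads.example.net   # [Example ad server]
# Lines a redirect hijacker would append
203.0.113.10 www.google.com google.com
203.0.113.10 www.bing.com
203.0.113.10\tupdate.microsoft.com
198.51.100.7 www.example-shop.com
not-an-ip www.garbage.test
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    Strips '#' comments, accepts tabs or spaces, and expands lines that list
    several hostnames after one address. Lines whose first token is not a
    valid IPv4/IPv6 address are ignored, as Windows ignores them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        for host in tokens[1:]:
            entries.append((line_no, ip, host.lower().rstrip(".")))
    return entries


def is_watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Classify every mapping as 'blocks', 'hijacks' or 'other'.

    blocks:  mapped to a sinkhole address (harmless, blocklist behaviour)
    hijacks: a watched domain mapped to any routable address
    other:   system entries and unwatched hosts (review by hand)
    """
    report = {"blocks": [], "hijacks": [], "other": []}
    for entry in parse_hosts(text):
        _, ip, host = entry
        if host in SYSTEM_HOSTS:
            report["other"].append(entry)
        elif ip in SINKHOLE_ADDRS:
            report["blocks"].append(entry)
        elif is_watched(host):
            report["hijacks"].append(entry)
        else:
            report["other"].append(entry)
    return report


def hijacked_lines(text: str) -> List[int]:
    """Sorted line numbers that must be removed before the file is trusted."""
    return sorted({line_no for line_no, _, _ in audit_hosts(text)["hijacks"]})


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("hijacks", "blocks", "other"):
        for line_no, ip, host in result[kind]:
            print(f"{kind:8} line {line_no:3}: {ip:15} {host}")
    print("lines to remove:", hijacked_lines(SAMPLE_HOSTS))
```

To run it against a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS`; the "other" bucket is deliberately reported rather than dropped, because a hijacker can target a bank or webmail domain that no fixed watch list names, and the 384 KB `hosts.20100106-210126.backup` in the log above is the kind of large blocklist-style file whose entries should all land in "blocks".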

#23
RobMPrager (Topic Starter, Member, 15 posts)
Thank you very much for your assistance!

#24
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
