Virus help

June 19, 2011 at 19:21:26
Specs: Windows XP
I have always done pretty well about avoiding viruses on my computer. I usually get maybe one a year that I can usually manually remove with some work, or that Ad-Aware or AVG would remove. However, lately, I am having such a difficult time with them that I'm at the point of formatting my entire drive and starting over. I hate to do this, because certain programs and data are so difficult to get back working right again (bookkeeping, fax software, etc.).

This started with getting a Windows Security virus. I removed it manually after a lot of work in safe mode. Then a month or so later, I had something else. I recently got the redirect virus, which has been a major pain in the ars. When I do searches, I have to click on the 'cache' link to get them to work, else I get redirected to some stupid site about purchasing things. Now, today, I seem to have some type of "open with" virus. I cannot run any .exe files without the Open With box coming up. I managed to get Chrome working, but can't get Explorer to open.

The thing is, I got this virus today, and I haven't even been on the computer doing anything! I have the most recent version of AVG 2011 running and did a complete scan about 3 days ago. I have the latest Ad-Aware running, and did a scan with it within the last week. I also have Spybot and ran it about 2 weeks ago. WTH good is all this stuff, if it doesn't seem to do anything about stopping it??

I have not had to reformat since I had this system built, about 4 1/2 years ago. My system is a dual-core 3.1 GHz. Can't tell you much more than that right now because all the .exe's won't work (i.e., msinfo32.exe).

I'm at the point of formatting the entire drive and starting over. Am I over-reacting?? Is my situation fixable?? If I do start over, I could use a little help with the process. For example, I have the original Windows CDs (XP), but they are about 4 years old; there will be tons of patches to go through, I'm sure. How do I make sure I've got all the latest drivers going??

And once I get Windows back up, what should be my first steps in the way of preventing future viruses and attacks?? What programs are key and critical?? I don't really like using a lot of virus stuff, because they slow systems down so much and seem to cause as many problems as they help. In fact, it feels like as I have used more virus protection, the virus issues are getting worse!!! For years, I used none at all and had no problems. I have an older computer on this network (it's like 9 years old, a hand-me-down computer from when I bought this one, that the kids use) and it "NEVER" gets a virus, and yet has no protection at all on it!

I could really use some info and help here, as far as direction, process, and critical programs to have to help.

Also, how much vulnerability is there from using programs like YIM and iTunes?? I don't use Outlook, do not email much AT ALL, and when I do it's thru Hotmail, and never open any files, even from people I know.

I appreciate the help.





#1
June 19, 2011 at 19:35:46
sgtyork213,

First, let's see if we can clean up the computer, before you make a re-format decision.

If you cannot download the following file, the malware may be blocking the attempt. You need to download to a clean computer and then transfer to the infected one using a USB flash drive, or external media (an external drive or a CD).

Please download exeHelper from one of these two places:
http://www.raktor.net/exeHelper/exe...
http://www.raktor.net/exeHelper/exe...

Note: The malware on your computer does not allow you to launch executables (a file ending with .exe), so we must fix that first. This program has a .com or .scr file extension, so it should bypass the malware hold.

Save it to your USB Flash drive (or removable media), and then go to the infected computer, and place the file on the Desktop.

XP users, double-click the file to run it.
Vista or Windows 7 users, right click the downloaded file and select “Run as Administrator"

A black window should pop up
Press any key to close, once the fix is completed.

>>Please post the contents of the exehelperlog.txt in your reply.<<
[It is created in the directory where you ran exeHelper, and should also open at the end of the scan.]


Next, download RogueKiller
http://tigzy.geekstogo.com/Tools/Ro...
Save it to your Desktop.

Now, close all open programs.

XP users, double-click the file to run it.
For Vista/Windows 7, right click the file and select: Run as Administrator

When prompted, type 1 and hit Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

>>Please post the contents of the >RKreport.txt< in your reply.<<

We will take further action based on the results of this report.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
June 19, 2011 at 20:12:55
I just read this same advice in another thread... thanks. Yes, it worked. The exeHelper restored the .exe's and has the system working again. I ran the rogue thing and got the following info:

copy/paste..........


RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date : 06/19/2011 23:03:53

Bad processes: 0

Registry Entries: 6
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:5555) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\oph.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt


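The RKreport above is a list of findings, not explanations, and the helper's next step is to decide which of them to remove. The script below is an added example written for this thread (it is not RogueKiller's code and is not part of the original posts): it parses the "Registry Entries" and "HOSTS File" sections of a report in that layout and says what each line means. The sample report is constructed; the `.test` host names, the `198.51.100.7` address and the `ads.example.test` line are invented to show the one distinction that matters in a HOSTS section: a name mapped to 127.0.0.1 or 0.0.0.0 is merely blocked (that is what an immunizer does), while a name mapped to any other address is being redirected.

```python
"""Triage a RogueKiller-style scan report.

Added example for this thread, not RogueKiller's own code. It parses the
"Registry Entries" and "HOSTS File" sections of an RKreport and says what each
finding means, so the report can be read before choosing the Remove option.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the RKreport layout; the .test host names are invented.
SAMPLE_REPORT = r"""
RogueKiller V5.2.3 [06/16/2011] by Tigzy

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Mode: Scan -- Date : 06/19/2011 23:03:53

Bad processes: 0

Registry Entries: 5
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:5555) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\oph.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
127.0.0.1 localhost
127.0.0.1 www.007guard.com
0.0.0.0 ads.example.test
198.51.100.7 update.example-antivirus.test

Finished : << RKreport[1].txt >>
"""

# "[KIND] key : name (value) -> status"; the name is absent on FILEASSO lines.
REGISTRY_LINE = re.compile(
    r"^\[(?P<kind>[A-Z ]+)\]\s+(?P<key>.*?)\s+:\s+"
    r"(?:(?P<name>\S+)\s+)?\((?P<value>.*)\)\s+->\s+(?P<status>.+)$"
)
HOSTS_LINE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)")

# CLSID of the "My Computer" desktop icon; rogue AVs hide it via NewStartPanel.
MY_COMPUTER_CLSID = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"


def parse_report(text: str) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """Split the report into its registry findings and HOSTS entries."""
    registry: List[Dict[str, Optional[str]]] = []
    hosts: List[Dict[str, Optional[str]]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Registry Entries:"):
            section = "registry"
        elif line.startswith("HOSTS File:"):
            section = "hosts"
        elif line.startswith("Finished"):
            section = None
        elif section == "registry":
            m = REGISTRY_LINE.match(line)
            if m:
                registry.append(m.groupdict())
        elif section == "hosts":
            m = HOSTS_LINE.match(line)
            if m:
                hosts.append(m.groupdict())
    return {"registry": registry, "hosts": hosts}


def _sinkholed(ip: str) -> bool:
    """Loopback or 0.0.0.0 only blocks a name (what immunizers do); anything else redirects it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage(report: Dict[str, list]) -> List[Dict[str, str]]:
    """Explain each finding and rate it; returns one dict per suspicious item."""
    findings: List[Dict[str, str]] = []
    for e in report["registry"]:
        kind, key, name, value = e["kind"], e["key"], e["name"] or "", e["value"] or ""
        if kind == "PROXY IE" and ("127.0.0.1" in value or "localhost" in value):
            findings.append({"severity": "high", "item": name,
                             "why": "browser traffic forced through a local proxy port; "
                                    "this is how search results get rewritten"})
        elif "Security Center" in key and name.endswith("DisableNotify") and value == "1":
            findings.append({"severity": "medium", "item": name,
                             "why": "Security Center warning silenced, hiding that AV, "
                                    "firewall or updates are off"})
        elif "NewStartPanel" in key and name == MY_COMPUTER_CLSID and value == "1":
            findings.append({"severity": "low", "item": "My Computer icon",
                             "why": "desktop icon hidden; cosmetic tampering typical of rogue AV"})
        elif kind == "FILEASSO":
            paths = re.findall(r'"([^"]+)"', value)
            # A wrapper that is not the browser runs first and gets the real browser as its argument.
            if len(paths) >= 2 and not paths[0].lower().endswith("iexplore.exe"):
                findings.append({"severity": "high", "item": paths[0],
                                 "why": "browser shortcut launches this file first, "
                                        "which then starts the real browser"})
    for h in report["hosts"]:
        if h["host"] != "localhost" and not _sinkholed(h["ip"] or ""):
            findings.append({"severity": "high", "item": h["host"],
                             "why": f"HOSTS redirects this name to {h['ip']} instead of blocking it"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{f['severity']:6}] {f['item']}: {f['why']}")
```

Run against the sample it flags the local proxy, the two silenced Security Center warnings, the hidden icon, the wrapper executable in front of Internet Explorer and the one HOSTS line that points somewhere other than loopback; the 127.0.0.1 block-list entries are left alone, which is why a long HOSTS section in an RKreport is not by itself a sign of infection.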

#3
June 19, 2011 at 20:33:28
After getting this far, I ran Spybot and found 44 problems with the following issues:

Burst Media (1 entry) Browser

CasaleMedia (6 entries) Browser

DoubleClick (2 entries) Browser

Fraud.InternetSecurity2011 (24 entries) MalwareC

MediaPlex (3 entries) Browser

Statcounter (1 entry) Browser

Zedo (7 entries) Browser

Spybot said it successfully fixed all 44 problems.

So my next question is... WHERE did all this crap come from???? Like I said, I've had more problems dealing with viruses since I started using virus protection. How did these get thru AVG (which runs in the background all the time)? I ran the Immunize feature of Spybot, and that didn't seem to do any good either.

I would appreciate any further help to making sure I have everything off this computer, and how to avoid getting more of it. Thanks.




#4
June 19, 2011 at 20:49:25
Is Spybot giving you a report with a more specific information than the above?

It shows Internet Security 2011, and that changes our approach. We may be dealing with a hidden rootkit that Spybot S&D cannot handle.

Please run RogueKiller once again, and use option 2 (Remove malicious entries).

Press: Enter, and post the new RKreport.txt that appears on your Desktop.

After we get the report, we will switch gears.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#5
June 19, 2011 at 21:10:57
Spybot didn't give another report. It had more detailed info about the entries, but they are all gone after hitting the "fix" option. Sorry. But most (if not all) of the 24 entries it deleted were reg entries.

FYI, option #2 in RogueKiller is "delete" (it doesn't say what it's deleting or malicious entries). Choosing that option led to this report...

(copy/paste)

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Remove -- Date : 06/20/2011 00:12:21

Bad processes: 0

Registry Entries: 2
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:5555) -> NOT REMOVED, USE PROXYFIX
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


------------------

Btw, the first RK report above says something about oph.exe; there was a message on my screen about that this morning.



#6
June 19, 2011 at 21:39:03
Please run the following, and let's see what it reports...

Download TDSSKiller
http://support.kaspersky.com/downlo...
Save it to the Desktop.

Double-click on TDSSKiller.exe to run the program.
Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Click the 'Start Scan' button.

Do not use the computer during the scan

If the scan completes with nothing found, click Close to exit.

When the scan finishes it displays a Scan results screen stating whether or not an infection was found on your computer.

To remove the infection, click on the Continue button.
If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button.

Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

Reboot to finish the cleaning process.

If no reboot is requested, click on: Report.

A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) is created and saved to the root directory (usually Local Disk C:).

>>Please provide the contents of the TDSSKiller log in your reply.<<


I am retiring for the night.
Will continue sometime tomorrow.

Hang in there!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#7
June 19, 2011 at 22:12:33
TDSSKiller is installed on the desktop. For confirmation, it is version 2.5.5.0 and approx 1.37 MB in size. However, when I try to run it, nothing happens. I tried multiple times. Then I rebooted the computer and tried again (with as little running as possible) and it still didn't seem to do anything. I looked for a log file, in case it made one anyway, but found nothing.

Also, how do you turn off AVG 2011?? It loads on reboot, and when you right-click on the icon in the systray, it does NOT have an EXIT function. I brought the program up and looked thru its menu items, and couldn't find any way to turn it off either. It seems worthless, and as bad as a virus itself. I would appreciate info on how to disable it from loading on launch, and also how to turn it off once it has been turned on. Also, how do you disable Ad-Aware from loading on reboot as well? Tnx.

I need help in getting the TDSSKiller program to work in order to get to a "Start Scan" option. I tried double-clicking it; I tried right-clicking and choosing the OPEN option and the RUN option. It doesn't seem to do anything.



#8
June 19, 2011 at 22:24:16
Oh, I located the LOG file for the Spybot S&D action earlier also... here is a copy/paste of the FIXED log file I had done earlier...

copy/paste..

--- Report generated: 2011-06-19 23:31 ---

Fraud.InternetSecurity2011: [SBI $2A617167] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\=..."C:\Documents and Settings\Owner\Local Settings\Application Data\oph.exe" -a...

Fraud.InternetSecurity2011: [SBI $5AEDDF0A] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $758FB1E3] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [SBI $CDC1B6A2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $76913945] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $EF6C99DF] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $C00EF736] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [SBI $D4BC3778] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $1561593B] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $F16F6CE5] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $DE0D020C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [SBI $6D4031BB] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $FD1F9FD2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $378CD8D9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

Fraud.InternetSecurity2011: [SBI $9EDDC71B] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Fraud.InternetSecurity2011: [SBI $BF76AFF0] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

Fraud.InternetSecurity2011: [SBI $EE344D69] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Fraud.InternetSecurity2011: [SBI $7D8AC3AB] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify

Fraud.InternetSecurity2011: [SBI $07CC9A4D] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start

Fraud.InternetSecurity2011: [SBI $953CC77A] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $43CBFC6D] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Start

Fraud.InternetSecurity2011: [SBI $74544024] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $F5EC9C27] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

Fraud.InternetSecurity2011: [SBI $7DE0D860] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-06-10 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-05-17 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-06-07 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-31 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-05-17 Includes\Trojans.sbi (*)
2011-05-11 Includes\TrojansC-02.sbi (*)
2011-05-11 Includes\TrojansC-03.sbi (*)
2011-06-06 Includes\TrojansC-04.sbi (*)
2011-06-06 Includes\TrojansC-05.sbi (*)
2011-06-07 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



#9
June 20, 2011 at 10:15:32
Thanks for the Spybot report, sgtyork213. No doubt that Spybot is dealing with Internet Security 2011, but if it keeps coming back, Spybot can't handle it.

Press on with the following:

Make sure you can view Hidden Files, and, also uncheck: Hide Extensions for Known File Types:
http://www.bleepingcomputer.com/tut...

To keep AVG from interfering with the repairs, it may be best to uninstall it, and then reinstall it later. AVG has been causing a few problems lately. You may even want to consider installing another AntiVirus program...personally, I use avast! Free.

Some AntiVirus disabling tips, if needed. AVG 2011 is included :
http://www.bleepingcomputer.com/for...


On TDSSKiller, remove the download you have now, and download it again, however, as you download it, rename it to slayer.com, then click that file to run TDSSKiller:
http://support.kaspersky.com/downlo...

Also, let's see if a RootKit is detected, and hiding somewhere in your system...

Please download GMER:
http://gmer.net/download.php
[Downloads a randomly named file. (Recommended)]

Disconnect from the Internet and close all running programs.

Make sure you disabled any real-time active protection so your security programs do not conflict with gmer's driver.

Double-click on the randomly named GMER file (i.e. n7gmo46c.exe)
Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the >Scan< button.
If you see a rootkit warning window, click OK.

When the scan finishes, click the 'Save...' button to save the scan results to your Desktop.
Save the file as >gmer.log<

>>Click the Copy button and Paste the results of the GMER log in your reply.<<


Note: Please, do not take action on any of the information on the GMER report!!

If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/...

If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.


Next, download aswMBR:
http://public.avast.com/~gmerek/asw...
Save to your Desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
Upon completion of the scan, click the Save Log button

>>Please save the aswMBR log to your Desktop, and post it in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


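The post above asks for the GMER log and, rightly, says not to act on it. What an analyst then does with the "User code sections" part is decide, hook by hook, where each JMP lands. The script below is an added example written for this thread (not GMER's code, and not from the original posts): every `.text` line records an API whose first bytes were overwritten with a JMP, and GMER prints a module path and signer after the target address when the target lies inside a loaded module. A hook into a named, signed module (for example Internet Explorer's own IEFRAME.dll) is usually the application's normal behaviour; a hook into a bare address with no module behind it means code that was injected into the process, and when the hooked APIs are the Winsock and WinINet calls that resolve names and send HTTP, that injected code can rewrite search results. The sample lines are constructed in GMER's layout; the `Vendor\shim.dll` line and its signer are invented.

```python
"""Read the "User code sections" part of a GMER log.

Added example for this thread, not GMER's own code. Each .text line is an inline
hook: an API's first bytes were overwritten with a JMP. The question is where the
JMP lands: inside a named module (GMER prints its path and signer) or at a bare
address with no module behind it, i.e. injected code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in GMER's layout; the Vendor shim line and its signer are invented.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DF6A90
.text C:\WINDOWS\Explorer.EXE[320] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 10001230 C:\Program Files\Vendor\shim.dll (Vendor Helper/Example Vendor)
"""

# ".text <process>[pid] <dll>!<api> <addr> N Bytes JMP <target> [<module path> (<signer>)]"
HOOK_LINE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<module>.+?)\s+\((?P<signer>[^)]*)\))?\s*$"
)

# DLLs whose hooks let injected code see or rewrite name lookups and HTTP traffic.
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}


def parse_hooks(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per hook line; other GMER line types are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def classify(hook: Dict[str, Optional[str]]) -> str:
    """'attributed' if the JMP lands in a named module, else 'unbacked' (injected code)."""
    return "attributed" if hook["module"] else "unbacked"


def is_network_api(api: str) -> bool:
    return api.split("!", 1)[0].lower() in NETWORK_DLLS


def summarize(hooks: List[Dict[str, Optional[str]]]) -> Dict[str, Dict[str, list]]:
    """Per process: unbacked hooks (network ones listed separately) and attributed ones."""
    out: Dict[str, Dict[str, list]] = {}
    for h in hooks:
        entry = out.setdefault(h["proc"], {"unbacked": [], "unbacked_network": [], "attributed": []})
        if classify(h) == "unbacked":
            entry["unbacked"].append(h["api"])
            if is_network_api(h["api"]):
                entry["unbacked_network"].append(h["api"])
        else:
            entry["attributed"].append((h["api"], h["module"], h["signer"]))
    return out


def verdict(summary: Dict[str, Dict[str, list]]) -> List[str]:
    """One plain-language line per process."""
    lines = []
    for proc, s in summary.items():
        if s["unbacked_network"]:
            lines.append(f"{proc}: {len(s['unbacked_network'])} network API(s) hooked into unbacked "
                         f"memory ({', '.join(s['unbacked_network'])}); consistent with a browser redirector")
        elif s["unbacked"]:
            lines.append(f"{proc}: {len(s['unbacked'])} hook(s) into unbacked memory; investigate")
        else:
            lines.append(f"{proc}: only hooks into named modules; check the signers, usually benign")
    return lines


if __name__ == "__main__":
    for line in verdict(summarize(parse_hooks(SAMPLE_GMER))):
        print(line)
```

The verdict is deliberately conservative: a hook into a named third-party module (the invented Vendor shim here, or a webcam helper or antivirus filter on a real machine) is reported as something to check rather than as malware, because legitimate software hooks these same APIs. The strong signal is the combination of no backing module and network APIs, which is the pattern a search redirector leaves in the browser process.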

#10
June 21, 2011 at 12:05:11
OK, getting back to things a little today. I can tell you that the REDIRECT virus is still on the computer. Every time I do a Yahoo search and click on a link, it redirects me to sales links. (Seriously, do they think this will entice "anyone" to buy these products??) /end rant

Also, twice now (yesterday and today) when I come into the computer in the morning an Explorer window is open and the link to sign in for Hotmail is open. Seemed strange to me, and I'm putting it out there in case it's a sign of anything else going on.

Anyway, on to the instructions you outlined above...

I uninstalled AVG 2011 (it needed a reboot, but I didn't do that yet), hence some of the reports below seem to show some AVG-related items that say "can't find the source" (that's because it was uninstalled).

I've got all hidden files shown, per your instructions above.

TDSSKiller still did not work, even when I downloaded it, changed the name to slayer.com and installed it on the desktop. Same results. I run it, and nothing seems to happen.

I moved on to GMER, and it looks like I do have rootkit issues. Everything ran as you said, and I went thru that process. I only got one WARNING that said I have settings that have been changed by a rootkit. It only had an "OK" option, no action to be taken. It finished its scan and here is that report.

(note - the items listed as "library" were in red).

(note - no action was taken in GMER)

(note - I did forget to unhook the internet when I ran it. Let me know if this messed anything up and I need to redo the process again)

Copy/Paste.....

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-21 13:23:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000068 WDC_WD2500AAKS-00SBA0 rev.12.01B01
Running: jhwfez60.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\ufldapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0xA7E69738]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118BFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0xA7E697DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0xA7E69878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0xA7E69914]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? avgrkx86.sys The system cannot find the file specified. !
? AVGIDSEH.Sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7762380, 0x2FF527, 0xE8000020]
.text USBPORT.SYS!DllUnload B77428AC 5 Bytes JMP 8A74C1C8
? system32\DRIVERS\avgtdix.sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSShim.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSFilter.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSDriver.Sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DF6A90
.text C:\Program Files\Internet Explorer\iexplore.exe[844] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00DF6C90
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00EF6A90
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00EF6C90
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [026C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [026C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [026C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [026C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\jhwfez60.exe[800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\jhwfez60.exe[800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\jhwfez60.exe[800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Owner\Desktop\jhwfez60.exe[800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[844] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program[15940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00CB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program[15940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00CB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program[15940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00CB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program[15940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00CB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[22452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[22452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[22452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[22452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A9541E8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys

Device \Driver\usbohci \Device\USBPDO-0 8A6BF790
Device \Driver\usbehci \Device\USBPDO-1 8A672790

AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9561E8
Device \Driver\Cdrom \Device\CdRom0 8A703790
Device \Driver\atapi \Device\Ide\IdePort0 [B9E38B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E38B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E38B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\nvata \Device\00000068 8A9551E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A6E1790
Device \Driver\NetBT \Device\NetbiosSmb 8A6E1790
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C4BDAD5-4CC3-41FC-9C5A-E03B3DC5B4C7} 8A6E1790

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

Device \Driver\usbohci \Device\USBFDO-0 8A6BF790
Device \Driver\usbehci \Device\USBFDO-1 8A672790
Device \Driver\nvata \Device\NvAta0 8A9551E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FED1E8
Device \Driver\nvata \Device\NvAta1 8A9551E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FED1E8
Device \Driver\nvata \Device\NvAta2 8A9551E8
Device \Driver\Ftdisk \Device\FtControl 8A9561E8
Device \FileSystem\Cdfs \Cdfs 8A10A790

---- Threads - GMER 1.0.15 ----

Thread System [4:180] 8A82FE7A
Thread System [4:184] 8A832008
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [320] 0x6C330000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [844] 0x6C7F0000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [844] 0x6DB90000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [844] 0x6BC50000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [844] 0x0B330000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [844] 0x6BE20000
Library C:\Program (*** hidden *** ) @ C:\Program [15940] 0x00400000
Library C:\Program (*** hidden *** ) @ C:\Program [15940] 0x6BC50000
Library C:\Program (*** hidden *** ) @ C:\Program [15940] 0x6A920000
Library C:\Program (*** hidden *** ) @ C:\Program [15940] 0x6BBD0000
Library C:\Program (*** hidden *** ) @ C:\Program [15940] 0x6D0B0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x54 0xA5 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x54 0xA5 0xD2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x54 0xA5 0xD2 ...

---- EOF - GMER 1.0.15 ----


I then moved on to aswMBR and ran it. Here is the log file from running that.

*note - 2 lines were in RED: the 4th line from the bottom, starting with "\Driver\nvata....", and then 4 lines above that, the line starting with "ntkrnlpa.exe CLASSPNP.sys...."

copy/paste of log.....


aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-21 14:57:01
-----------------------------
14:57:01.140 OS Version: Windows 5.1.2600 Service Pack 3
14:57:01.140 Number of processors: 2 586 0xF06
14:57:01.140 ComputerName: PRIMARY UserName: Owner
14:57:02.390 Initialize success
14:57:22.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068
14:57:22.359 Disk 0 Vendor: WDC_WD2500AAKS-00SBA0 12.01B01 Size: 238475MB BusType: 3
14:57:22.375 Device \Driver\nvata -> MajorFunction 8a9551e8
14:57:24.390 Disk 0 MBR read successfully
14:57:24.390 Disk 0 MBR scan
14:57:24.390 Disk 0 Windows XP default MBR code
14:57:26.390 Disk 0 scanning sectors +488376000
14:57:26.468 Disk 0 scanning C:\WINDOWS\system32\drivers
14:57:43.812 Service scanning
14:57:44.921 Disk 0 trace - called modules:
14:57:44.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a82b1ed]<<
14:57:44.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8bbab8]
14:57:44.921 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a8bce90]
14:57:44.921 5 ACPI.sys[b9e7d620] -> nt!IofCallDriver -> \Device\00000068[0x8a8bb030]
14:57:44.921 \Driver\nvata[0x8a89da08] -> IRP_MJ_CREATE -> 0x8a9551e8
14:57:44.921 Scan finished successfully
15:00:29.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
15:00:29.031 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


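An added triage script (not from the thread and not part of aswMBR) that parses the "trace - called modules" block quoted above and flags the `>>UNKNOWN [...]<<` marker, which means a return address on the disk I/O path could not be mapped to any loaded kernel module. The sample input is constructed from the lines above, and the line patterns are assumptions about the aswMBR log format.

```python
import re

# Marker aswMBR prints when a return address on the disk I/O path lies
# outside every loaded kernel module (the line the poster saw in red).
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# Numbered hops, e.g. "3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a8bce90]"
HOP_RE = re.compile(r"^(\d+)\s+(?:(\S+)\[[0-9a-fA-F]+\] -> )?nt!IofCallDriver -> "
                    r"(\\Device\\[^\[]+)\[(0x[0-9a-fA-F]+)\]$")
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")

# Constructed sample: the trace block quoted from the thread above.
SAMPLE_LOG = r"""14:57:44.921 Disk 0 trace - called modules:
14:57:44.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a82b1ed]<<
14:57:44.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8bbab8]
14:57:44.921 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a8bce90]
14:57:44.921 5 ACPI.sys[b9e7d620] -> nt!IofCallDriver -> \Device\00000068[0x8a8bb030]
14:57:44.921 \Driver\nvata[0x8a89da08] -> IRP_MJ_CREATE -> 0x8a9551e8
14:57:44.921 Scan finished successfully
"""


def parse_trace(log_text):
    """Parse the 'Disk N trace - called modules' block of an aswMBR log.

    Returns the module chain, the addresses aswMBR could not map to a module,
    the IofCallDriver hops as (n, caller, device, address), and 'suspicious'.
    """
    result = {"chain": [], "unknown": [], "hops": [], "suspicious": False}
    in_trace = False
    for raw in log_text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        if line.endswith("trace - called modules:"):
            in_trace = True
            continue
        if not in_trace:
            continue
        if line.startswith("Scan finished"):
            break
        hop = HOP_RE.match(line)
        if hop:
            result["hops"].append((int(hop.group(1)), hop.group(2),
                                   hop.group(3), hop.group(4)))
        elif "IRP_MJ_" not in line:
            # Bare module list on the call path; strip the marker so it stays out.
            result["unknown"] = UNKNOWN_RE.findall(line)
            result["chain"] = UNKNOWN_RE.sub("", line).split()
    result["suspicious"] = bool(result["unknown"])
    return result
```

A clean machine shows the same chain of named modules with no UNKNOWN entry, so the parser returns `suspicious` as False for such a log.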

#11
June 21, 2011 at 19:32:07
Hmmm...sure do not like the word 'RootKit'.

Removing a RootKit may get involved.

The type of diagnostics that we need to run to get rid of a RootKit produce extensive reports, and posting those would be difficult.
Please check your Personal Messages.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#12
June 22, 2011 at 22:08:18
I responded to your PM.

Also, I rebooted the machine (since I had not done it since uninstalling AVG) and redid the entire process you outlined above. I posted all the log files in the forum you recommended.

Slayer.com program STILL does not seem to operate.

The GMER scan did not give me ANY warnings of any kind, nor any RED lines. This is the one that gave a rootkit warning.

aswMBR still had the 2 red lines.

No action was taken.

Btw, the forum you referred me to has a 4000 character limit - the GMER log file itself wouldn't fit - had to break it up into multiple posts.

Thanks for your help and any other help you can offer.

