Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirection Virus/Spyware


  • This topic is locked This topic is locked
24 replies to this topic

#1 gtholiday

gtholiday

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 08 October 2009 - 07:21 PM

Every time I use google search in IE8 and Chrome it redirects me to another website. I have ran about 10 programs to get rid of this and nothing works. I am going to post my DDS.txt; Rootrepeal and peak.bat items in that order. Thanks!



DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 20:15:16.07 on Thu 10/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1686 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks 2009\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Google Calendar Sync.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\QuickBooks Update Agent.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\dnup6c7l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\users\owner\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-15 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-15 297752]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 cpuz128;cpuz128;c:\program files\pc wizard 2008\pcwiz32.sys [2009-4-21 7808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-10-04 17:23 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-10-03 13:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 13:05 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-03 11:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-02 14:57 <DIR> --d----- c:\users\owner\DoctorWeb
2009-10-02 13:37 <DIR> --d----- c:\program files\Sophos
2009-10-01 21:13 <DIR> --d----- c:\users\owner\appdata\roaming\GlarySoft
2009-10-01 21:13 <DIR> --d----- c:\program files\Glary Registry Repair
2009-10-01 21:11 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-01 21:11 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-01 21:10 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-01 21:10 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-01 16:24 44,768 a------- c:\windows\system32\wups2(615).dll
2009-10-01 16:23 35,552 a------- c:\windows\system32\wups(614).dll
2009-09-30 16:32 <DIR> --d----- c:\users\owner\.housecall6.6
2009-09-30 14:40 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-09-30 14:40 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-09-30 14:39 <DIR> --d----- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
2009-09-30 14:39 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-28 13:22 <DIR> --d----- c:\program files\VS Revo Group
2009-09-28 13:21 <DIR> --d----- c:\windows\system32\appmgmt
2009-09-27 12:49 <DIR> --d----- c:\program files\UnHackMe
2009-09-27 12:47 <DIR> --d----- c:\program files\Trend Micro
2009-09-24 15:58 <DIR> --d----- c:\users\owner\appdata\roaming\Malwarebytes
2009-09-24 15:58 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-24 15:58 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-24 15:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 15:27 <DIR> --d----- c:\program files\iPod(108)
2009-09-17 15:27 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-17 15:27 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-17 15:26 <DIR> --d----- c:\program files\QuickTime(268)
2009-09-10 03:01 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-09-09 19:58 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-09 19:58 105,984 a------- c:\windows\system32\netiohlp.dll
2009-09-09 19:58 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-09 19:58 19,968 a------- c:\windows\system32\ARP.EXE

==================== Find3M ====================

2009-09-03 03:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-03 03:10 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-29 12:35 318,976 a------- c:\windows\system32\CF26307.exe
2009-08-29 12:34 318,976 a------- c:\windows\system32\CF26124.exe
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet(589).dll
2009-07-21 17:52 1,208,832 a------- c:\windows\system32\urlmon(568).dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 1,985,536 a------- c:\windows\system32\iertutil(447).dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl(351).dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 15:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 15:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 15:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 15:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 15:01 65,024 a------- c:\windows\system32\wlanapi(597).dll
2009-07-11 13:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-06-13 14:41 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-13 14:41 86,016 a------- c:\windows\inf\infstor.dat
2009-06-13 14:41 51,200 a------- c:\windows\inf\infpub.dat
2009-05-29 16:46 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:16:58.09 ===============



Rootrepeal text:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 14:57
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: 3E87.tmp
Image Path: C:\Windows\system32\3E87.tmp
Address: 0x9B3D7000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8E1D1000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8E1C6000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x8E1D9000 Size: 69632 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x80EB0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0dbc2a84-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0dbc2a9b-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0dbc2a9f-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0dbc2aa7-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{181bf4bf-afa4-11de-9ac5-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{181bf4c4-afa4-11de-9ac5-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{70eefcb9-b03f-11de-b84a-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{70eefcc3-b03f-11de-b84a-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7e521ab9-ac75-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9be70f9d-adf7-11de-bf45-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{aaf594fb-aeee-11de-b981-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d6a212bf-ae06-11de-a32e-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{edf6f214-a9ff-11de-a894-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{edf6f23a-a9ff-11de-a894-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{604c9a4c-ab00-11de-80a0-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{623f032a-aee2-11de-a269-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fa868865-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fa868869-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fa8688a0-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fa8688d3-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fa8688f3-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\imagehlp(669).dll
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbemcomn(880).dll
Status: Locked to the Windows API!

Path: c:\programdata\avg8\cfg\sched.cfg
Status: Size mismatch (API: 14619, Raw: 14525)

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053
e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11d
f268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df5
6e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd
a6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc
0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a
620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea
1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d21850
4d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c
0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_765
8964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003
bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_588
43c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddf
c6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_ab
ac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d
131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3c
e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8d
d7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.c
at
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c
2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e5070
87.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.1.6002.18005_none_458098410a7e837c\fdProxy(428).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fundisc_31bf3856ad364e35_6.1.6002.18005_none_45feb528d6cfb4c2\fundisc(431).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f\apphelp(344).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6002.18005_none_e533cab683a383fc\advapi32(342).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6002.18070_none_acbb07ec57117d17\atl(351).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.0.6002.18005_none_b7cb35464ed1e6d3\winmm(590).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.0.6002.18005_none_0ddef622f289ad43\authui(354).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-basedependencies_31bf3856ad364e35_6.0.6000.16386_none_006b2fc82be4576c\psapi(526).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6002.18005_none_f0780c78ec8773db\bcrypt(359).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-branding-engine_31bf3856ad364e35_6.0.6000.16386_none_e73316a16878fc16\winbrand(586).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6002.18005_none_0ed918294edf6b75\es(425).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-runtime-qfe_31bf3856ad364e35_6.0.6001.18000_none_6b632e81788ed2d9\clbcatq(370).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cabinet_31bf3856ad364e35_6.0.6001.18000_none_373f511ce1ebb446\cabinet(362).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.18005_none_ae092067ef732bd0\ole32(507).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.6002.18005_none_b79c8aada2c95ef1\comdlg32(372).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-coreos_31bf3856ad364e35_6.0.6001.18000_none_255246473e514737\imagehlp(669).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6002.18005_none_5d5b3ae7daf59226\crypt32(376).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.0.6001.18000_none_17194119fbd5b944\cryptnet(377).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..ellman_software_csp_31bf3856ad364e35_6.0.6001.18000_none_3bf8bb8384e4ad56\dssenh(411).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_6.0.6001.18000_none_cedd4665f13650d7\ntdsapi(501).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..frastructure-client_31bf3856ad364e35_6.0.6001.18000_none_4c0a8c08a2e99108\wdi(581).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6002.18005_none_d945a2ac2bb19ac6\dhcpcsvc(392).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6002.18005_none_d945a2ac2bb19ac6\dhcpcsvc6(393).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6002.18005_none_b3d9d2699e1659b0\samlib(539).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.0.6002.18005_none_5b39cbfb4d3802b6\winrnr(592).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6002.18005_none_e3cdf5e97f7b2eb7\dnsapi(395).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-duser_31bf3856ad364e35_6.0.6001.18000_none_5a74ae48fc7a81f9\duser(412).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\eappprxy(419).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6002.18005_none_65ff0438c08bf3b7\eappcfg(418).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6002.18005_none_65ff0438c08bf3b7\eappprxy(419).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6002.18005_none_22622b2203060735\wer(584).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog-api_31bf3856ad364e35_6.0.6002.18005_none_ae1c7b28626bfdb3\wevtapi(585).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf3856ad364e35_6.0.6000.16386_none_7535161f1f2100ed\msimg32(479).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6002.18005_none_2a0edaeae4247151\gpapi(438).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ectionsharingconfig_31bf3856ad364e35_6.0.6001.18000_none_b03645b494998691\hnetcfg(441).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.18813_none_97c46c79ec9c8e1f\urlmon(568).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6002.18005_none_5e419722778cc84e\imm32(451).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-international-core_31bf3856ad364e35_6.0.6001.18000_none_e9aa6488d9c10036\normaliz(497).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6002.18005_none_95a95e4d536d53fa\kernel32(458).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6002.18005_none_f527c0a3538d7f27\Wldap32(599).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.0.6001.18000_none_56df4b78e3fe4e3f\mlang(465).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmcss_31bf3856ad364e35_6.0.6001.18000_none_579836e8e38a2cb7\avrt(356).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6002.18005_none_56efbca3b683a5d6\MMDevAPI(466).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6002.18005_none_afc1427e55131ced\mpr(467).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16386_none_c52353cea8765257\msasn1(470).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6002.18005_none_d340af2c9c07e8f9\msvcrt(485).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6002.18005_none_8a59b9a693f7ed88\msxml3(488).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_ac1d40c88f30e6c0\NapiNSP(489).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6002.18005_none_5fc9ce9deebdd9ef\ncrypt(491).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6002.18005_none_8f1f941efeb1a97e\netapi32(492).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.0.6002.18005_none_d76ee3df0b2c9479\netshell(493).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6002.18005_none_cf0fe8f527aca355\FWPUCLNT(432).DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-networkprofile_31bf3856ad364e35_6.0.6001.18000_none_789b515a7625c7d5\npmproxy(498).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-nlasvc_31bf3856ad364e35_6.0.6001.18000_none_6785f5c70aea4565\nlaapi(494).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6002.18005_none_5ac2574df94f7762\ntdll(500).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6002.18005_none_ad5672dcf647053c\cscapi(379).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..nefiles-extend-apis_31bf3856ad364e35_6.0.6002.18005_none_8ede3643316d80bd\cscobj(381).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6002.18005_none_beeba399f89bfe74\oleaut32(509).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-oleacc_31bf3856ad364e35_6.0.6001.18000_none_6a84bdce2263bb83\oleacc(508).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-onex_31bf3856ad364e35_6.0.6002.18005_none_a7b694f91a7d6b9e\onex(511).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ntlanman_31bf3856ad364e35_6.0.6001.18000_none_301115c4e2a0204f\ntlanman(502).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.0.6001.18000_none_717f15b322749509\pnrpnsp(521).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6002.18005_none_f5b95c0eb6772c81\propsys(525).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasapi_31bf3856ad364e35_6.0.6002.18005_none_6f22f8764ca6fdc8\rasapi32(532).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasautodial_31bf3856ad364e35_6.0.6001.18000_none_0fd9feb665531f63\rasadhlp(531).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasman_31bf3856ad364e35_6.0.6001.18000_none_6ca64a1c4ff485d4\rasman(533).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6002.18005_none_0f010d1ce79c5ae9\rtutils(538).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6002.18005_none_61b288d3ae664420\rsaenh(537).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.0.6002.18005_none_1acff34f76bb03cb\WinSCard(593).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.0.6002.18005_none_3c0d3c3f7176376a\ntmarta(503).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..icensing-slc-client_31bf3856ad364e35_6.0.6002.18005_none_c70ad3fba30f2730\SLC(550).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.0.6001.18000_none_c3b8316fa19004d1\credssp(375).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-sens-client_31bf3856ad364e35_6.0.6000.16386_none_ff0beccac0362b51\SensApi(542).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-setupapi_31bf3856ad364e35_6.0.6002.18005_none_36e0d2bcc35fa5a1\setupapi(543).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6002.18005_none_6e14a3ea0f1db90b\shell32(548).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shlwapi_31bf3856ad364e35_6.0.6002.18005_none_fbc52b10a1d0b696\shlwapi(549).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-sxs_31bf3856ad364e35_6.0.6001.18000_none_ae4c9c1c57a3bb3a\sxs(556).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.0.6002.18005_none_ec5c63f1986ff65e\IPHLPAPI(452).DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.0.6002.18005_none_77af2925ebe6e4e5\msctf(473).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..inalservices-drprov_31bf3856ad364e35_6.0.6000.16386_none_cba2057f1c57e33a\drprov(409).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_6.0.6001.18000_none_dcdfef64cc00e5fb\winsta(595).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32(607).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-tapi2xclient_31bf3856ad364e35_6.0.6000.16386_none_c63fa93c42ab8c05\tapi32(561).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-proxy_31bf3856ad364e35_6.0.6000.16386_none_7b87175bbe5d3c57\TSChannel(567).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32(569).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-userenv_31bf3856ad364e35_6.0.6002.18005_none_922be37f4864a4ee\userenv(570).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-usermodensi_31bf3856ad364e35_6.0.6001.18000_none_726222dfc773e0a2\nsi(499).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-usermodensi_31bf3856ad364e35_6.0.6001.18000_none_726222dfc773e0a2\winnsi(591).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-userpowermanagement_31bf3856ad364e35_6.0.6002.18005_none_a505176cf9fa2abd\powrprof(524).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-usp_31bf3856ad364e35_6.0.6002.18005_none_aee5f21a559e2b7a\usp10(571).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-uxtheme_31bf3856ad364e35_6.0.6001.18000_none_a5e49ad4068f9b12\uxtheme(572).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-version_31bf3856ad364e35_6.0.6002.18005_none_16e9c83b4e078740\version(574).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.0.6002.18005_none_ba3ed0122a6d89da\mswsock(487).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6001.18000_none_f2b7b0c2ce5605c4\ws2_32(603).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wups2(615).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-webdavredir-davclient_31bf3856ad364e35_6.0.6002.18005_none_95b8e24b4f6105d0\davclnt(386).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.0.6001.18000_none_cbb305c23187855a\wship6(604).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.0.6001.18000_none_cbb305c23187855a\WSHTCPIP(605).DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.0.6001.18000_none_e36536a91186bed0\wsock32(606).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.0.6001.18000_none_efae39c59a10e503\wintrust(596).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.0.6001.18000_none_037b2dfd23326c9b\wbemcomn(880).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_bb3f7c211cba6b3f\wbemprox(578).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_bb3f7c211cba6b3f\wbemsvc(579).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PortableDeviceApi(522).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-xmllite_31bf3856ad364e35_6.0.6001.18000_none_893b7e92a34e8e37\xmllite(617).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlanutil_31bf3856ad364e35_6.0.6000.16386_none_38e0f13f111f2de2\wlanutil(598).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6002.18005_none_26b9727a
bf452f46\winhttp(588).dll
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_569b6e0c6aa641d3\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.16720_none_a54ef540d05f91fc\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.20883_none_8e870be4ea01d6ef\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.18111_none_a529d9f6d0b19e9d\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.22230_none_8e5e4a92ea5717b0\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac53
5\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a2
8\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d
6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae
9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496
\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496
\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496
\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496
\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_weProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1328 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: en-US.dll]
Process: chrome.exe (PID: 2116) Address: 0x740e0000 Size: 114688

Object: Hidden Module [Name: default.dll]
Process: chrome.exe (PID: 1528) Address: 0x634e0000 Size: 442368

Object: Hidden Module [Name: en-US.dll]
Process: chrome.exe (PID: 1528) Address: 0x740e0000 Size: 114688

Object: Hidden Module [Name: en-US.dll]
Process: chrome.exe (PID: 4356) Address: 0x740e0000 Size: 114688

==EOF==




Peak.bat log report

Volume in drive C is New Volume
Volume Serial Number is F480-0D94

Directory of C:\WINDOWS\System32

04/11/2009 02:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

04/11/2009 02:28 AM 592,896 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 05:46 AM 11,776 cngaudit.dll
3 File(s) 781,824 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 05:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/20/2008 10:22 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 02:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008 10:22 PM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 02:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
8 File(s) 2,333,184 bytes
0 Dir(s) 96,803,667,968 bytes free

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 09 October 2009 - 04:05 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 12 October 2009 - 10:59 AM

Thanks, FYI I have already ran

AVG
Spybot
Malware Bytes
Combofix
Dr. Web Cureit
ATF Cleaner
SuperAntiSpyware
Sophos Anti-Rootkit






ComboFix 09-10-01.01 - Owner 10/01/2009 19:16.3.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2558.1450 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-30 20:32 . 2009-09-30 20:52 -------- d-----w- c:\users\Owner\.housecall6.6
2009-09-30 18:40 . 2009-09-30 18:40 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-30 18:40 . 2009-09-30 18:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-30 18:39 . 2009-09-30 18:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-30 18:39 . 2009-09-30 18:39 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2009-09-30 18:39 . 2009-09-30 18:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-28 17:22 . 2009-09-28 17:22 -------- d-----w- c:\program files\VS Revo Group
2009-09-27 16:49 . 2009-09-27 16:49 2 --shatr- c:\windows\winstart.bat
2009-09-27 16:49 . 2009-09-28 17:26 -------- d-----w- c:\program files\UnHackMe
2009-09-27 16:47 . 2009-09-27 16:47 -------- d-----w- c:\program files\Trend Micro
2009-09-26 20:14 . 2009-09-26 20:14 -------- d-----w- c:\program files\linksador
2009-09-24 19:58 . 2009-09-24 19:58 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-09-24 19:58 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-24 19:58 . 2009-09-24 19:58 -------- d-----w- c:\programdata\Malwarebytes
2009-09-24 19:58 . 2009-09-24 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 19:58 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 19:28 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-17 19:28 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-17 19:27 . 2009-09-17 19:27 -------- d-----w- c:\program files\iPod
2009-09-17 19:27 . 2009-09-17 19:28 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-17 19:26 . 2009-09-17 19:26 -------- d-----w- c:\program files\QuickTime
2009-09-10 07:01 . 2009-09-10 07:01 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-09-09 23:58 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 23:58 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 23:58 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 23:58 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-03 01:13 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-03 01:13 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 20:31 . 2009-06-09 22:42 -------- d-----w- c:\program files\Java
2009-09-28 20:09 . 2009-04-15 04:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-23 15:05 . 2009-04-15 16:51 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2009-09-17 19:28 . 2009-04-15 16:50 -------- d-----w- c:\program files\iTunes
2009-09-17 19:27 . 2009-04-15 16:47 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-10 07:01 . 2009-04-15 15:35 -------- d-----w- c:\programdata\Microsoft Help
2009-09-03 07:10 . 2009-04-15 04:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-03 07:10 . 2009-04-15 04:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-03 07:10 . 2009-04-15 04:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-25 00:36 . 2009-06-09 22:44 -------- d-----w- c:\users\Owner\AppData\Roaming\LimeWire
2009-08-18 19:50 . 2009-08-18 19:50 3584 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-18 19:50 . 2009-08-18 19:50 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-18 19:49 . 2009-08-18 19:49 -------- d-----w- c:\program files\MSECACHE
2009-08-14 15:53 . 2009-09-09 23:57 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 23:57 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 23:57 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 23:57 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 23:57 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 23:57 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 23:57 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-07 17:18 . 2009-08-07 17:18 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2009-08-07 02:24 . 2009-10-01 20:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-10-01 20:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:23 . 2009-10-01 20:24 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 01:45 . 2009-10-01 20:24 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-06 23:23 . 2009-10-01 20:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 22:44 . 2009-10-01 20:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-07-31 19:23 . 2009-06-18 14:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-30 15:38 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 15:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 15:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 15:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-13 16:16 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-13 16:16 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-13 16:16 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-13 16:16 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-13 16:16 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-09 23:57 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-09 23:57 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-09 23:57 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-09 23:57 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-09 23:57 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_23.02.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-01 20:24 . 2009-08-07 02:24 44768 c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wups2.dll
+ 2009-10-01 20:24 . 2009-08-07 02:24 53472 c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuauclt.exe
+ 2009-10-01 20:23 . 2009-08-06 22:44 33792 c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.4.7600.226_none_79951cca15140d1a\wuapp.exe
+ 2009-10-01 20:23 . 2009-08-07 02:24 35552 c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.4.7600.226_none_cf8a5c896f5cdb1e\wups.dll
+ 2009-10-01 20:23 . 2009-08-07 01:44 87552 c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.4.7600.226_none_cf8a5c896f5cdb1e\wudriver.dll
+ 2008-01-21 01:56 . 2009-09-30 21:20 35844 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-09-30 21:20 62836 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-04-15 03:18 . 2009-10-01 20:25 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-15 03:18 . 2009-09-23 22:24 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-15 03:18 . 2009-10-01 20:25 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-15 03:18 . 2009-09-23 22:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-15 03:18 . 2009-09-23 22:24 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-15 03:18 . 2009-10-01 20:25 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-06 23:23 . 2009-08-06 23:23 73288 c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2009-09-30 18:40 . 2009-09-30 18:40 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-09-30 18:40 . 2009-09-30 18:40 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-04-15 03:22 . 2009-09-30 21:20 6572 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2636888863-421968635-2501487097-1000_UserData.bin
+ 2009-09-30 21:19 . 2009-09-30 21:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-26 21:07 . 2009-09-26 21:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-26 21:07 . 2009-09-26 21:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-30 21:19 . 2009-09-30 21:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-30 18:40 . 2009-09-30 18:40 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-10-01 20:23 . 2009-08-06 23:23 171608 c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.4.7600.226_none_79951cca15140d1a\wuwebv.dll
+ 2009-10-01 20:23 . 2009-08-07 02:23 575704 c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.4.7600.226_none_cf8a5c896f5cdb1e\wuapi.dll
+ 2009-04-15 15:17 . 2009-10-01 22:33 218332 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-09-26 22:50 598588 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-30 21:25 598588 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-26 22:50 102194 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-30 21:25 102194 c:\windows\System32\perfc009.dat
+ 2009-09-30 20:31 . 2009-07-31 19:23 149280 c:\windows\System32\javaws.exe
+ 2009-09-30 20:31 . 2009-07-31 19:23 145184 c:\windows\System32\javaw.exe
+ 2009-09-30 20:31 . 2009-07-31 19:23 145184 c:\windows\System32\java.exe
+ 2009-10-01 20:24 . 2009-08-07 01:45 2421760 c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.4.7600.226_none_672645e7fba0c4cc\wucltux.dll
+ 2009-10-01 20:24 . 2009-08-07 02:23 1929952 c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuaueng.dll
+ 2006-11-02 10:22 . 2009-10-01 20:25 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-09-10 15:56 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-09-30 18:40 . 2009-09-30 18:40 1583616 c:\windows\Installer\fa1a316.msi
+ 2009-10-01 23:15 . 2009-10-01 23:15 6508544 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-05-03 23:25 . 2009-10-01 20:24 151085494 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-03 2007832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk.disabled [2009-4-30 2001]
QuickBooks Update Agent.lnk.disabled [2009-4-16 2301]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"<NO NAME>"=
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Intuit SyncManager"=c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Broadcom Wireless Manager UI"=c:\windows\system32\WLTRAY.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:6a,af,c4,ae,9f,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2636888863-421968635-2501487097-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F3E59FB9-99E0-4A86-96CC-ABD59FA8BA61}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{1D0C967E-A97B-4C83-8516-D9177B1FF931}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C3E882A5-8273-4B5D-923A-46DED7C15086}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B150772C-6D2F-47FD-800B-22EC74071889}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F9898FA1-230A-4D0C-855D-29D2753DA8B2}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{295A8AA7-93B3-4432-9926-CB19ADEF08C9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D0C6A1DD-0CCC-48D8-9EFF-D8E142C0C126}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4392FDE1-52BC-4539-8D41-AF2DB3DBBA92}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{8109F944-AA6E-451A-98F0-7D7B4FB90BA4}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{241576A2-075B-4316-891C-394DBF4AF439}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{CE97DB93-5F63-4A03-9AB7-003932F96A7A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0B45D361-36A2-4194-BCB4-64EFD047E407}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [4/15/2009 12:36 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/15/2009 12:36 AM 297752]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 cpuz128;cpuz128;c:\program files\PC Wizard 2008\pcwiz32.sys [4/21/2009 7:49 PM 7808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2636888863-421968635-2501487097-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-15 06:17]

2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2636888863-421968635-2501487097-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-15 06:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dnup6c7l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\users\Owner\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 19:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-10-01 19:25
ComboFix-quarantined-files.txt 2009-10-01 23:25
ComboFix2.txt 2009-09-30 21:10
ComboFix3.txt 2009-09-26 23:04

Pre-Run: 96,136,314,880 bytes free
Post-Run: 96,092,811,264 bytes free

247 --- E O F --- 2009-09-10 07:04

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 13 October 2009 - 07:42 AM

Please download hijackthis from here.
http://www.bleepingcomputer.com/files/hijackthis.php

Run it and post the log please.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 13 October 2009 - 03:21 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:21 PM, on 10/13/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks 2009\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Users\Owner\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-21-2636888863-421968635-2501487097-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'QBDataServiceUser19')
O4 - Startup: CCC.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk.disabled
O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 5944 bytes

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 13 October 2009 - 08:05 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)



Reboot your computer and check to see if you are still being redirected.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 October 2009 - 10:13 AM

The problem still exists. These two things still exist unfortunately when I ran HiJackThis again

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Thanks

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 14 October 2009 - 05:52 PM

What a stinker!


Download SysProt AntiRootkit

Extract onto your Desktop, which should create a SysProt folder on your Desktop.
  • Open the SysProt folder by double clicking it
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box, make sure to select and unselect the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Attach the SysProtLog.txt log file to your next message.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 October 2009 - 06:01 PM

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8F5CA000
Module End: 8F5D5000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 8F5D5000
Module End: 8F5DD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 8F5DD000
Module End: 8F5EE000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\SystemRestore
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\{0dbc2a84-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{0dbc2a9b-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{0dbc2a9f-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{0dbc2aa7-ab8e-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{181bf4bf-afa4-11de-9ac5-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{181bf4c4-afa4-11de-9ac5-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{1a1e6410-b43f-11de-9f29-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{1a1e6415-b43f-11de-9f29-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{604c9a4c-ab00-11de-80a0-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{623f032a-aee2-11de-a269-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{70eefcb9-b03f-11de-b84a-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{70eefcc3-b03f-11de-b84a-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{7e521ab9-ac75-11de-a2c7-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{9be70f9d-adf7-11de-bf45-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{aaf594fb-aeee-11de-b981-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{d6a212bf-ae06-11de-a32e-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{edf6f214-a9ff-11de-a894-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{edf6f23a-a9ff-11de-a894-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{fa364b29-b443-11de-9563-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{fa364bc8-b443-11de-9563-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{fa8688f3-a252-11de-8392-0019b9591b2f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 15 October 2009 - 07:43 AM

A couple quick questions...

Do you get redirected with Firefox also?

Are you using a router with this computer?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 15 October 2009 - 12:18 PM

I am getting redirected with IE and firefox but not with chrome. I am using a wireless router with this computer.

Thanks

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 16 October 2009 - 08:39 AM

Let's reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


Reboot your computer and then check to see if you are still being redirected.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 16 October 2009 - 03:16 PM

Still being redirected.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:16 AM

Posted 17 October 2009 - 07:22 AM

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


=========================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 gtholiday

gtholiday
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 19 October 2009 - 12:38 PM

I ran that program and I got a BSOD, but I don't think it was related. It said PFN_LIST_CORRUPT. 0x0000004E (0x0000007 etc with 0's). I think that error means bad RAM or driver(s)
Should I run it again?

Thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users