
Google Redirect Virus


  • This topic is locked
13 replies to this topic

#1 lilbrat0326

lilbrat0326

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:55 AM

Posted 13 December 2009 - 10:55 PM

I've had the Google redirect virus for about 2 weeks now and I can't get rid of it. I have both Internet Explorer and Firefox, I ONLY use Firefox. When doing a Google search, I keep getting redirected to random websites and even get pop ups. I installed Malwarebytes, SUPER Anti Spyware, Spyware Doctor, and AVG. None of these helped. So, I downloaded HijackThis but I am not sure what I should be looking for. Can somebody please help me? The log is attached. Thanks

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:55 AM

Posted 14 December 2009 - 08:50 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
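An added example, not from this thread and not OldTimer's or OTL's own code: a small Python triage helper that reads the line formats an OTL report prints (O1 Hosts, O2 BHO, O4 Run, O17 DhcpNameServer, O20 Winlogon Shell) and flags what a helper looks at first: autorun values whose target file is gone, loaded components with no publisher information, hosts-file mappings beyond localhost, and a Winlogon shell that is not the real explorer.exe. The sample lines are constructed in OTL's format; a flagged line is a lead to review by hand, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in OTL's line format (the kind of report the steps above
# produce); a real report runs to hundreds of lines.
SAMPLE_LOG = r"""O1 HOSTS File: (21 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [SetupName] C:\DOCUME~1\user\APPLIC~1\JUGSCH~1\deleteaxis.exe File not found
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [ttool] C:\WINDOWS\essledv.exe File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.254.2 167.206.254.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""

@dataclass
class Finding:
    section: str   # OTL section tag, e.g. "O4"
    severity: str  # "info" (context only), "review" (look at it) or "suspicious"
    detail: str

# OTL ends most entries with either "path (Company Name)" or "path File not found".
MISSING = " File not found"
TRAILER_RE = re.compile(r"^(?P<path>.*) \((?P<company>[^)]*)\)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - \{[^}]*\} - (?P<rest>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O17_RE = re.compile(r"^O17 - .*DhcpNameServer = (?P<servers>.*)$")
O20_RE = re.compile(
    r"^O20 - HKLM Winlogon: Shell - \([^)]*\) - (?P<path>.*?)(?: \((?P<company>[^)]*)\))?$"
)

def check_trailer(section: str, name: str, rest: str) -> Optional[Finding]:
    """Classify the trailer OTL prints after a loaded file or autorun target."""
    if rest.endswith(MISSING):
        # The registry value points at a file that no longer exists: a leftover
        # from an uninstall, or from something a scanner already deleted.
        path = rest[: -len(MISSING)]
        return Finding(section, "review", f"[{name}] {path}: orphaned (file not found)")
    t = TRAILER_RE.match(rest)
    if t is None:
        return Finding(section, "suspicious", f"[{name}] {rest}: unrecognised trailer")
    if t["company"] == "":
        # OTL prints "()" when the file carries no company/version information.
        return Finding(section, "review", f"[{name}] {t['path']}: no publisher info")
    return None

def parse_bho(line: str) -> Optional[Finding]:
    m = O2_RE.match(line)
    return check_trailer("O2", m["name"], m["rest"]) if m else None

def parse_run_entry(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    return check_trailer("O4", m["name"], m["rest"]) if m else None

def parse_hosts_entry(line: str) -> Optional[Finding]:
    """Anything beyond the loopback localhost line deserves a look when searches are redirected."""
    m = O1_RE.match(line)
    if not m:
        return None
    ip, host = m["ip"], m["host"]
    if host.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
        return None
    return Finding("O1", "suspicious", f"hosts file maps {host} -> {ip}")

def parse_dns_servers(line: str) -> Optional[Finding]:
    """Resolver addresses cannot be judged offline; surface them for comparison with the expected ones."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = ", ".join(m["servers"].split())
    return Finding("O17", "info", f"DHCP-assigned DNS servers: {servers}")

def parse_winlogon_shell(line: str, system_root: str = r"C:\WINDOWS") -> Optional[Finding]:
    """The Winlogon Shell value should name the real explorer.exe under the system root."""
    m = O20_RE.match(line)
    if not m:
        return None
    expected = ntpath.join(system_root, "explorer.exe")
    if m["path"].lower() != expected.lower():
        return Finding("O20", "suspicious", f"Winlogon Shell is {m['path']}, expected {expected}")
    return None

def triage(report: str) -> List[Finding]:
    """Run every report line through the parsers; findings keep report order."""
    findings: List[Finding] = []
    for line in map(str.strip, report.splitlines()):
        for parser in (parse_bho, parse_run_entry, parse_hosts_entry, parse_dns_servers, parse_winlogon_shell):
            finding = parser(line)
            if finding is not None:
                findings.append(finding)
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.severity:<11}{f.detail}")
```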

#3 lilbrat0326

lilbrat0326
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:55 AM

Posted 14 December 2009 - 05:23 PM

Thanks for looking into the issue, Sam.

Here are the OTL logs:

OTL logfile created on: 12/14/2009 1:37:56 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.25 Gb Total Physical Memory | 0.39 Gb Available Physical Memory | 30.98% Memory free
2.98 Gb Paging File | 2.03 Gb Available in Paging File | 68.25% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 121.74 Gb Free Space | 81.68% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 463.00 Gb Free Space | 99.41% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-20877A7DDE
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/14 13:37:03 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL(2).exe
PRC - [2009/12/12 17:19:12 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/23 08:43:26 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/18 12:47:14 | 01,243,088 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/11/06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/11/02 22:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/08/23 12:49:58 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/23 12:49:42 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/23 12:49:13 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/19 00:23:16 | 00,049,968 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/11/06 12:33:00 | 00,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2008/09/08 10:21:05 | 00,112,072 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2008/09/08 10:19:23 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/01/25 00:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2007/11/01 18:12:38 | 00,582,992 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2007/11/01 18:12:38 | 00,265,040 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcuimgr.exe
PRC - [2007/09/25 00:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/08/31 01:41:37 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/06/25 09:56:42 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/09 10:09:58 | 00,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PRC - [2007/03/08 14:42:42 | 00,256,096 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\RedirSvc\RedirSvc.exe
PRC - [2007/02/13 11:09:12 | 00,540,776 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
PRC - [2007/01/16 17:03:36 | 00,362,064 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2007/01/15 14:16:00 | 00,839,720 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2006/02/09 19:51:48 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/06/02 14:54:34 | 00,086,606 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2004/10/14 13:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/08/12 09:10:28 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2004/04/15 04:18:38 | 00,053,248 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
PRC - [2004/04/15 03:32:22 | 00,270,336 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
PRC - [2004/04/15 03:26:50 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2004/04/15 03:20:38 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/14 13:37:03 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL(2).exe
MOD - [2009/10/30 11:18:16 | 00,147,024 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\PCTGMhk.dll
MOD - [2009/09/09 22:54:58 | 00,155,184 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\smum32.dll
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/11/06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdcoreservice)
SRV - [2009/10/30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/08/23 12:49:13 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/04/28 17:54:56 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/09/08 10:19:23 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/01/25 00:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2007/10/05 16:33:26 | 00,341,328 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\McAfee\EmProxy\emproxy.exe -- (Emproxy)
SRV - [2007/06/25 09:56:42 | 00,144,960 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2007/03/08 14:42:42 | 00,256,096 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\RedirSvc\RedirSvc.exe -- (McRedirector)
SRV - [2007/02/13 11:09:12 | 00,540,776 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe -- (McAfee HackerWatch Service)
SRV - [2007/01/25 17:01:58 | 00,643,664 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2007/01/16 17:03:36 | 00,362,064 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2007/01/15 14:16:00 | 00,839,720 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2006/11/03 17:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/02/09 20:05:00 | 00,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2006/02/09 19:51:48 | 00,405,504 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/06/02 14:54:34 | 00,086,606 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2004/04/15 03:26:50 | 00,303,104 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2002/12/31 11:00:00 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\URLSearchHook: *{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\S-1-5-21-2052111302-1757981266-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\S-1-5-21-2052111302-1757981266-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.424
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/30 20:41:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/11/03 14:23:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/10/06 20:12:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/12 20:13:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/30 18:07:20 | 00,000,000 | ---D | M]

[2009/04/30 10:22:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2009/04/30 10:22:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/14 00:03:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3chxq8dc.default\extensions
[2007/11/12 00:06:46 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3chxq8dc.default\searchplugins\siteadvisor.xml
[2009/08/07 00:50:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/12 00:06:21 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (21 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptcl.dll (McAfee, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll (Viewpoint Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Viewpoint Toolbar) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll (Viewpoint Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Dell AIO Printer A920] C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [SetupName] C:\DOCUME~1\user\APPLIC~1\JUGSCH~1\deleteaxis.exe File not found
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004..\Run: [ttool] C:\WINDOWS\essledv.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..Trusted Domains: gamecolony.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..Trusted Domains: gamecolony.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..Trusted Domains: gamecolony.com ([secure2] https in Trusted sites)
O15 - HKU\S-1-5-21-2052111302-1757981266-725345543-1004\..Trusted Domains: gamecolony.com ([www] http in Trusted sites)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/Facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} http://rockyou.com/RockYouImageUploader.cab (RockYou Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.254.2 167.206.254.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/23 17:37:25 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/08/23 13:23:51 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (58268769037844480)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/12 18:07:39 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2009/12/12 17:26:32 | 00,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2009/12/12 17:26:31 | 01,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2009/12/12 17:26:31 | 00,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2009/12/12 17:24:37 | 00,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/12/12 17:24:15 | 00,207,792 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/12/12 17:24:14 | 00,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/12/12 17:23:59 | 00,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/12/12 17:23:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\PC Tools
[2009/12/12 17:23:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/12/12 17:09:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSS
[2009/12/12 17:09:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSS\0203000.02C
[2009/12/12 17:08:41 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/12/12 00:54:42 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/12/12 00:54:42 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/11/30 20:08:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/30 20:08:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
[2009/11/30 20:08:24 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/30 20:08:05 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/11/30 18:18:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\Downloads
[2009/09/15 07:10:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/07/31 20:55:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/06/23 11:09:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/04/21 19:22:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/04/21 19:22:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/04/21 19:22:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/04/21 19:22:57 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/31 12:29:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/10/25 23:10:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2007/10/25 23:10:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/10/25 23:10:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/14 13:37:01 | 00,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/14 13:37:01 | 00,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/14 13:37:00 | 00,443,556 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/14 13:34:22 | 00,012,142 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/14 13:31:12 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/14 13:31:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/14 10:47:07 | 46,607,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/14 10:47:07 | 00,123,841 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/13 22:53:07 | 00,002,439 | ---- | M] () -- C:\Documents and Settings\user\Desktop\HiJackThis.lnk
[2009/12/13 17:46:36 | 04,878,336 | ---- | M] () -- C:\Documents and Settings\user\ntuser.dat
[2009/12/13 17:46:36 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2009/12/13 17:31:00 | 00,000,556 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for user.job
[2009/12/13 17:30:59 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/12 20:55:39 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/12/12 18:19:02 | 00,000,021 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/12 17:24:06 | 00,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/12/12 17:13:28 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 01:20:44 | 00,007,065 | ---- | M] () -- C:\Documents and Settings\user\Desktop\billing_308577205_4b23361020240.pdf
[2009/12/11 14:51:52 | 00,045,056 | ---- | M] () -- C:\Documents and Settings\user\Desktop\sched.ppt
[2009/12/08 13:34:43 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ans ec.doc
[2009/12/06 22:37:03 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/30 20:08:27 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/30 18:07:23 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/12 18:07:45 | 00,002,439 | ---- | C] () -- C:\Documents and Settings\user\Desktop\HiJackThis.lnk
[2009/12/12 17:26:33 | 00,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2009/12/12 17:24:37 | 00,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2009/12/12 17:24:15 | 00,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2009/12/12 17:24:15 | 00,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2009/12/12 17:24:06 | 00,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/12/12 17:23:59 | 00,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2009/12/12 01:20:44 | 00,007,065 | ---- | C] () -- C:\Documents and Settings\user\Desktop\billing_308577205_4b23361020240.pdf
[2009/12/12 00:57:38 | 01,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2009/12/12 00:57:38 | 00,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2009/12/12 00:57:38 | 00,000,880 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2009/12/12 00:57:38 | 00,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2009/12/07 19:28:21 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ans ec.doc
[2009/12/07 10:54:26 | 04,878,336 | ---- | C] () -- C:\Documents and Settings\user\ntuser.dat
[2009/11/30 20:08:27 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2008/02/20 21:05:44 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/02/20 21:04:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/02/20 21:04:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/02/20 21:03:24 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/11/06 18:59:49 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/09 13:03:42 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/09/01 18:29:39 | 00,055,296 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/29 21:45:48 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/27 21:57:25 | 00,000,102 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2007/08/27 21:57:05 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
[2007/08/27 21:55:47 | 00,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2007/08/27 11:31:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/08/27 01:25:56 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/08/27 01:06:04 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2007/08/24 11:07:33 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2006/04/29 22:34:04 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\WbxRMenu.dll
[2006/04/13 21:18:24 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\atonres.dll
[2006/04/13 21:18:24 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\WbxMSAI.dll
[2006/04/13 21:18:24 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\atonecli.dll
[2002/12/31 11:00:00 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/07/06 16:43:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/06/23 12:19:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2007/08/27 21:57:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2007/09/07 19:33:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Defy Memo Find Trust
[2009/03/22 20:20:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2009/12/14 13:48:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/19 07:04:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/08 12:40:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/12/25 20:14:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\anna\Application Data\acccore
[2009/06/06 12:58:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\anna\Application Data\AVGTOOLBAR
[2007/12/25 20:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\anna\Application Data\Viewpoint
[2009/06/23 11:09:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/07/31 20:55:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2007/08/26 18:36:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\acccore
[2007/08/26 18:36:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AIM
[2009/05/15 11:27:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVGTOOLBAR
[2007/08/27 01:06:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\EagleEyeOS
[2009/03/28 15:22:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Jugs chin ford
[2009/03/22 20:21:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Juniper Networks
[2008/09/30 13:02:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Leadertech
[2009/11/24 16:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\LimeWire
[2007/08/27 19:07:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Viewpoint
[2008/05/15 00:15:19 | 00,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/04/01 00:01:04 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2009/12/12 18:59:12 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/12 18:59:12 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/12 08:57:17 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/12 08:57:17 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2004/08/12 09:11:50 | 00,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/12 09:02:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/12 09:02:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/12 09:04:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/12 09:04:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 179 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


OTL Extras logfile created on: 12/14/2009 1:37:56 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.25 Gb Total Physical Memory | 0.39 Gb Available Physical Memory | 30.98% Memory free
2.98 Gb Paging File | 2.03 Gb Available in Paging File | 68.25% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 121.74 Gb Free Space | 81.68% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 463.00 Gb Free Space | 99.41% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-20877A7DDE
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\BitDownload\BitDownload.exe" = C:\Program Files\BitDownload\BitDownload.exe:*:Enabled:Warez3 -- File not found
"C:\Program Files\MySpace\IM\MySpaceIM.exe" = C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Camera Window DS
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4DBBF091-FACD-422C-B43C-786335BD5398}" = MovieEdit Task
"{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Camera Window DVC
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Camera Window MC
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}" = PhotoStitch
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Camera Access Library
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1D0D14A-B776-4907-BC00-5149F2298086}" = Camera Support Core Library
"{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Camera Window DVC
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = RAW Image Task 2.2
"{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}" = Canon PhotoRecord
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX (E)
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"AIM_6" = AIM 6
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG 8.5
"Browser Defender_is1" = Browser Defender 2.0.6.11
"Dell AIO Printer A920" = Dell AIO Printer A920
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Canon Camera Window DSLR 5 for ZoomBrowser EX
"InstallShield_{4DBBF091-FACD-422C-B43C-786335BD5398}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"InstallShield_{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Canon Camera Window MC 6 for ZoomBrowser EX
"InstallShield_{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Canon Camera Access Library
"InstallShield_{A1D0D14A-B776-4907-BC00-5149F2298086}" = Canon Camera Support Core Library
"InstallShield_{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"InstallShield_{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = Canon RAW Image Task for ZoomBrowser EX
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"LimeWire" = LimeWire PRO 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"Neoteris_Secure_Application_Manager" = Juniper Networks Secure Application Manager
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"PROSet" = Intel® PRO Network Adapters and Drivers
"Spyware Doctor" = Spyware Doctor 7.0
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"Viewpoint Toolbar" = Viewpoint Toolbar
"ViewpointMediaPlayer" = Viewpoint Media Player

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2052111302-1757981266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Term_Services" = Juniper Terminal Services Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/28/2009 11:44:59 PM | Computer Name = USER-20877A7DDE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/28/2009 11:44:59 PM | Computer Name = USER-20877A7DDE | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 11/28/2009 11:46:49 PM | Computer Name = USER-20877A7DDE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BE from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/28/2009 11:47:07 PM | Computer Name = USER-20877A7DDE | Source = Application Error | ID = 1000
Description = Faulting application exvssysguard.exe, version 0.0.0.0, faulting module
exvssysguard.exe, version 0.0.0.0, fault address 0x0000389e.

Error - 11/29/2009 11:07:05 PM | Computer Name = USER-20877A7DDE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 11/29/2009 11:52:27 PM | Computer Name = USER-20877A7DDE | Source = Application Hang | ID = 1002
Description = Hanging application avgui.exe, version 8.5.0.426, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 1:59:30 AM | Computer Name = USER-20877A7DDE | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 2796 (0xaec) Thread address : 0x120C7621 Thread message : Build VSCORE.13.3.2.116
/ 5200.2160 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\All
Users\Application Data\avg8\update\download\u7iavi2550u25486r.bin by C:\Program
Files\Malwarebytes' Anti-Malware\mbam.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0)
7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 12/12/2009 5:57:05 PM | Computer Name = USER-20877A7DDE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 6:19:08 PM | Computer Name = USER-20877A7DDE | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3088 (0xc10) Thread address : 0x120CD63E Thread message : Build VSCORE.13.3.2.116
/ 5200.2160 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\All
Users\Application Data\avg8\update\download\x8xplsc_157o8.bin by C:\Program Files\AVG\AVG8\avgupd.exe
4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 12/12/2009 6:54:31 PM | Computer Name = USER-20877A7DDE | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3984 (0xf90) Thread address : 0x120CBB90 Thread message : Build VSCORE.13.3.2.116
/ 5200.2160 Object being scanned = \Device\HarddiskVolume1\DOCUMENTS AND SETTINGS\ALL
USERS\APPLICATION DATA\AVG8\UPDATE\DOWNLOAD\U7IAVI2550U25486R.BIN by C:\Program
Files\Spyware Doctor\pctsSvc.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)
7004(0)(0) 5006(0)(0) 5004(0)(0)

[ System Events ]
Error - 12/12/2009 9:51:05 PM | Computer Name = USER-20877A7DDE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 12/12/2009 9:54:41 PM | Computer Name = USER-20877A7DDE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/12/2009 9:54:46 PM | Computer Name = USER-20877A7DDE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/12/2009 9:55:41 PM | Computer Name = USER-20877A7DDE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/12/2009 9:56:30 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/12/2009 9:56:30 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/13/2009 6:47:40 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/13/2009 6:47:40 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 2:31:08 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 2:31:08 PM | Computer Name = USER-20877A7DDE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >



I attached the GMER Log. Thanks.



#4 Buckeye_Sam


Posted 14 December 2009 - 09:09 PM

We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 lilbrat0326


Posted 14 December 2009 - 09:47 PM

I did not get a message that said "Hidden service detected". Here's the log:

21:38:11:781 1908 ForceUnloadDriver: NtUnloadDriver error 2
21:38:11:781 1908 ForceUnloadDriver: NtUnloadDriver error 2
21:38:11:781 1908 ForceUnloadDriver: NtUnloadDriver error 2
21:38:11:796 1908 main: Driver KLMD successfully dropped
21:38:12:234 1908 main: Driver KLMD successfully loaded
21:38:12:234 1908
Scanning Registry ...
21:38:12:234 1908 ScanServices: Searching service UACd.sys
21:38:12:234 1908 ScanServices: Open/Create key error 2
21:38:12:234 1908 ScanServices: Searching service TDSSserv.sys
21:38:12:234 1908 ScanServices: Open/Create key error 2
21:38:12:234 1908 ScanServices: Searching service gaopdxserv.sys
21:38:12:234 1908 ScanServices: Open/Create key error 2
21:38:12:234 1908 ScanServices: Searching service gxvxcserv.sys
21:38:12:234 1908 ScanServices: Open/Create key error 2
21:38:12:234 1908 ScanServices: Searching service MSIVXserv.sys
21:38:12:234 1908 ScanServices: Open/Create key error 2
21:38:12:234 1908 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
21:38:12:625 1908 UnhookRegistry: Kernel local addr: 10D0000
21:38:12:625 1908 UnhookRegistry: KeServiceDescriptorTable addr: 115A500
21:38:12:671 1908 UnhookRegistry: KiServiceTable addr: 10DD8B0
21:38:12:671 1908 UnhookRegistry: NtEnumerateKey service number (local): 47
21:38:12:671 1908 UnhookRegistry: NtEnumerateKey local addr: 11713A4
21:38:12:671 1908 KLMD_OpenDevice: Trying to open KLMD device
21:38:12:671 1908 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
21:38:12:671 1908 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
21:38:12:671 1908 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
21:38:12:671 1908 UnhookRegistry: NtEnumerateKey service number (kernel): 47
21:38:12:671 1908 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
21:38:12:671 1908 UnhookRegistry: NtEnumerateKey real addr: 805783A4
21:38:12:671 1908 UnhookRegistry: NtEnumerateKey calc addr: 805783A4
21:38:12:671 1908 UnhookRegistry: No SDT hooks found on NtEnumerateKey
21:38:12:671 1908 KLMD_ReadMem: Trying to ReadMemory 0x805783A4[0xA]
21:38:12:671 1908 UnhookRegistry: No splicing found on NtEnumerateKey
21:38:12:671 1908
Scanning Kernel memory ...
21:38:12:671 1908 KLMD_OpenDevice: Trying to open KLMD device
21:38:12:687 1908 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
21:38:12:687 1908 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:38:12:687 1908 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8974A900
21:38:12:687 1908 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
21:38:12:687 1908 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 894A7030
21:38:12:687 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 894A7030
21:38:12:687 1908 KLMD_ReadMem: Trying to ReadMemory 0x894A7030[0x38]
21:38:12:687 1908 DetectCureTDL3: DRIVER_OBJECT addr: 8974A900
21:38:12:687 1908 KLMD_ReadMem: Trying to ReadMemory 0x8974A900[0xA8]
21:38:12:687 1908 KLMD_ReadMem: Trying to ReadMemory 0xE1017290[0x208]
21:38:12:687 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:38:12:687 1908 DetectCureTDL3: IrpHandler (0) addr: F763DC30
21:38:12:687 1908 DetectCureTDL3: IrpHandler (1) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (2) addr: F763DC30
21:38:12:687 1908 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
21:38:12:687 1908 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
21:38:12:687 1908 DetectCureTDL3: IrpHandler (5) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (6) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (7) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (8) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (9) addr: F7638366
21:38:12:687 1908 DetectCureTDL3: IrpHandler (10) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (11) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (12) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (13) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (14) addr: F763844D
21:38:12:687 1908 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
21:38:12:687 1908 DetectCureTDL3: IrpHandler (16) addr: F7638366
21:38:12:687 1908 DetectCureTDL3: IrpHandler (17) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (18) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (19) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (20) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (21) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
21:38:12:687 1908 DetectCureTDL3: IrpHandler (23) addr: F763EA24
21:38:12:687 1908 DetectCureTDL3: IrpHandler (24) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (25) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (26) addr: 804F9709
21:38:12:687 1908 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
21:38:12:687 1908 KLMD_ReadMem: DeviceIoControl error 1
21:38:12:687 1908 TDL3_StartIoHookDetect: Unable to get StartIo handler code
21:38:12:687 1908 TDL3_FileDetect: Processing driver: Disk
21:38:12:687 1908 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
21:38:12:687 1908 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
21:38:12:687 1908 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
21:38:12:703 1908 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 88E80AB8
21:38:12:703 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88E80AB8
21:38:12:703 1908 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8906A020
21:38:12:703 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8906A020
21:38:12:703 1908 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 88F3BEA0
21:38:12:703 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88F3BEA0
21:38:12:703 1908 KLMD_ReadMem: Trying to ReadMemory 0x88F3BEA0[0x38]
21:38:12:703 1908 DetectCureTDL3: DRIVER_OBJECT addr: 88F3BDA0
21:38:12:703 1908 KLMD_ReadMem: Trying to ReadMemory 0x88F3BDA0[0xA8]
21:38:12:703 1908 KLMD_ReadMem: Trying to ReadMemory 0xE1A3B4B0[0x208]
21:38:12:703 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
21:38:12:703 1908 DetectCureTDL3: IrpHandler (0) addr: A25DC218
21:38:12:703 1908 DetectCureTDL3: IrpHandler (1) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (2) addr: A25DC218
21:38:12:703 1908 DetectCureTDL3: IrpHandler (3) addr: A25DC23C
21:38:12:703 1908 DetectCureTDL3: IrpHandler (4) addr: A25DC23C
21:38:12:703 1908 DetectCureTDL3: IrpHandler (5) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (6) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (7) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (8) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (9) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (10) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (11) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (12) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (13) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (14) addr: A25DC180
21:38:12:703 1908 DetectCureTDL3: IrpHandler (15) addr: A25D79E6
21:38:12:703 1908 DetectCureTDL3: IrpHandler (16) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (17) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (18) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (19) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (20) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (21) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (22) addr: A25DB5F0
21:38:12:703 1908 DetectCureTDL3: IrpHandler (23) addr: A25D9A6E
21:38:12:703 1908 DetectCureTDL3: IrpHandler (24) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (25) addr: 804F9709
21:38:12:703 1908 DetectCureTDL3: IrpHandler (26) addr: 804F9709
21:38:12:703 1908 KLMD_ReadMem: Trying to ReadMemory 0xA25D8F26[0x400]
21:38:12:703 1908 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
21:38:12:703 1908 TDL3_FileDetect: Processing driver: USBSTOR
21:38:12:703 1908 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
21:38:12:703 1908 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
21:38:12:703 1908 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
21:38:12:734 1908 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 897269F0
21:38:12:734 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897269F0
21:38:12:734 1908 KLMD_ReadMem: Trying to ReadMemory 0x897269F0[0x38]
21:38:12:734 1908 DetectCureTDL3: DRIVER_OBJECT addr: 8974A900
21:38:12:734 1908 KLMD_ReadMem: Trying to ReadMemory 0x8974A900[0xA8]
21:38:12:734 1908 KLMD_ReadMem: Trying to ReadMemory 0xE1017290[0x208]
21:38:12:734 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:38:12:734 1908 DetectCureTDL3: IrpHandler (0) addr: F763DC30
21:38:12:734 1908 DetectCureTDL3: IrpHandler (1) addr: 804F9709
21:38:12:734 1908 DetectCureTDL3: IrpHandler (2) addr: F763DC30
21:38:12:734 1908 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
21:38:12:734 1908 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
21:38:12:734 1908 DetectCureTDL3: IrpHandler (5) addr: 804F9709
21:38:12:734 1908 DetectCureTDL3: IrpHandler (6) addr: 804F9709
21:38:12:734 1908 DetectCureTDL3: IrpHandler (7) addr: 804F9709
21:38:12:734 1908 DetectCureTDL3: IrpHandler (8) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (9) addr: F7638366
21:38:12:750 1908 DetectCureTDL3: IrpHandler (10) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (11) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (12) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (13) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (14) addr: F763844D
21:38:12:750 1908 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
21:38:12:750 1908 DetectCureTDL3: IrpHandler (16) addr: F7638366
21:38:12:750 1908 DetectCureTDL3: IrpHandler (17) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (18) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (19) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (20) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (21) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
21:38:12:750 1908 DetectCureTDL3: IrpHandler (23) addr: F763EA24
21:38:12:750 1908 DetectCureTDL3: IrpHandler (24) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (25) addr: 804F9709
21:38:12:750 1908 DetectCureTDL3: IrpHandler (26) addr: 804F9709
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
21:38:12:750 1908 KLMD_ReadMem: DeviceIoControl error 1
21:38:12:750 1908 TDL3_StartIoHookDetect: Unable to get StartIo handler code
21:38:12:750 1908 TDL3_FileDetect: Processing driver: Disk
21:38:12:750 1908 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
21:38:12:750 1908 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
21:38:12:750 1908 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
21:38:12:750 1908 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 89739AB8
21:38:12:750 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89739AB8
21:38:12:750 1908 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 89749920
21:38:12:750 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89749920
21:38:12:750 1908 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 896EBB00
21:38:12:750 1908 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896EBB00
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x896EBB00[0x38]
21:38:12:750 1908 DetectCureTDL3: DRIVER_OBJECT addr: 8968DAB0
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x8968DAB0[0xA8]
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x8974AB00[0x38]
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x8974C720[0xA8]
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0xE14AB0C0[0x208]
21:38:12:750 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:38:12:750 1908 DetectCureTDL3: IrpHandler (0) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (1) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (2) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (3) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (4) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (5) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (6) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (7) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (8) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (9) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (10) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (11) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (12) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (13) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (14) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (15) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (16) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (17) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (18) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (19) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (20) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (21) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (22) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (23) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (24) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (25) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (26) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: All IRP handlers pointed to one addr: 896F1618
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x896F1618[0x400]
21:38:12:750 1908 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
21:38:12:750 1908 Driver "atapi" Irp handler infected by TDSS rootkit ... 21:38:12:750 1908 KLMD_WriteMem: Trying to WriteMemory 0x896F167D[0xD]
21:38:12:750 1908 cured
21:38:12:750 1908 KLMD_ReadMem: Trying to ReadMemory 0x896F14BF[0x400]
21:38:12:750 1908 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
21:38:12:750 1908 Driver "atapi" StartIo handler infected by TDSS rootkit ... 21:38:12:750 1908 TDL3_StartIoHookCure: Number of patches 1
21:38:12:750 1908 KLMD_WriteMem: Trying to WriteMemory 0x896F15B6[0x6]
21:38:12:750 1908 cured
21:38:12:750 1908 TDL3_FileDetect: Processing driver: atapi
21:38:12:750 1908 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
21:38:12:750 1908 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
21:38:12:750 1908 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
21:38:12:796 1908 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 21:38:12:796 1908 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
21:38:12:796 1908 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
21:38:12:796 1908 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
21:38:12:953 1908 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
21:38:12:953 1908 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
21:38:12:953 1908 will be cured on next reboot
21:38:13:109 1908
Completed

Results:
21:38:13:109 1908 Infected objects in memory: 2
21:38:13:125 1908 Cured objects in memory: 2
21:38:13:125 1908 Infected objects on disk: 1
21:38:13:125 1908 Objects on disk cured on reboot: 1
21:38:13:125 1908 Objects on disk deleted on reboot: 0
21:38:13:125 1908 Registry nodes deleted on reboot: 0
21:38:13:125 1908
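
The TDSSKiller log above is easier to review once parsed. The following is an added example for this thread (not TDSSKiller's own code and not from the forum): it reads lines in the format shown, rebuilds each driver's IRP handler table, applies the same "all handlers point to one address" check the tool logs for atapi, and collects the "infected by TDSS rootkit" lines and the result counters. The embedded sample is a constructed, trimmed excerpt in that format; the line prefix "HH:MM:SS:mmm <pid> " and the message texts are assumed to match the log above.

```python
"""Parse a TDSSKiller log in the format pasted above and summarise what it found.
Added example for this thread, not TDSSKiller's own code. Assumed: every line starts
"HH:MM:SS:mmm <pid> " and the message texts match those in the log above."""
import re
from dataclasses import dataclass, field

# Constructed, trimmed excerpt in the format of the log above (not the full log).
SAMPLE_LOG = r"""
21:38:12:687 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:38:12:687 1908 DetectCureTDL3: IrpHandler (0) addr: F763DC30
21:38:12:687 1908 DetectCureTDL3: IrpHandler (1) addr: 804F9709
21:38:12:687 1908 DetectCureTDL3: IrpHandler (2) addr: F763DC30
21:38:12:750 1908 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:38:12:750 1908 DetectCureTDL3: IrpHandler (0) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (1) addr: 896F1618
21:38:12:750 1908 DetectCureTDL3: IrpHandler (2) addr: 896F1618
21:38:12:750 1908 Driver "atapi" Irp handler infected by TDSS rootkit ... 21:38:12:750 1908 KLMD_WriteMem: Trying to WriteMemory 0x896F167D[0xD]
21:38:12:750 1908 cured
21:38:12:750 1908 Driver "atapi" StartIo handler infected by TDSS rootkit ... 21:38:12:750 1908 TDL3_StartIoHookCure: Number of patches 1
21:38:12:796 1908 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 21:38:12:796 1908 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
21:38:13:109 1908 Infected objects in memory: 2
21:38:13:125 1908 Cured objects in memory: 2
21:38:13:125 1908 Infected objects on disk: 1
21:38:13:125 1908 Objects on disk cured on reboot: 1
"""

PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ "
DRIVER_RE = re.compile(PREFIX + r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)$")
IRP_RE = re.compile(PREFIX + r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-F]+)$")
INFECTED_RE = re.compile(PREFIX + r'(?:Driver "([^"]+)" (\S+) handler|File (\S+)) infected by TDSS rootkit')
RESULT_RE = re.compile(PREFIX + r"([A-Z][a-z ]+): (\d+)$")


@dataclass
class DriverInfo:
    """IRP dispatch table of one driver as TDSSKiller walked it (major index -> address)."""
    name: str
    handlers: dict = field(default_factory=dict)

    def single_dispatch_address(self):
        """Address shared by every recorded IRP handler, or None.
        This is the 'All IRP handlers pointed to one addr' check the tool logs for
        atapi above. It is a trigger for closer inspection, not proof: a driver may
        legitimately route all majors through one routine, which is why TDSSKiller
        reads the handler code before reporting an infection."""
        addrs = set(self.handlers.values())
        return addrs.pop() if len(addrs) == 1 else None


@dataclass
class ScanSummary:
    drivers: dict = field(default_factory=dict)     # driver name -> DriverInfo
    infections: list = field(default_factory=list)  # (object, kind) as the tool reported
    results: dict = field(default_factory=dict)     # counters from the Results block


def parse_tdsskiller_log(text):
    summary = ScanSummary()
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = DRIVER_RE.match(line)
        if m:
            # A DRIVER_OBJECT line opens a block of IrpHandler lines. The same driver can be
            # walked more than once (Disk appears twice above); entries are merged by name.
            current = summary.drivers.setdefault(m.group(1), DriverInfo(m.group(1)))
            continue
        m = IRP_RE.match(line)
        if m and current is not None:
            current.handlers[int(m.group(1))] = m.group(2)
            continue
        m = INFECTED_RE.match(line)
        if m:
            if m.group(3):
                summary.infections.append((m.group(3), "file"))
            else:
                summary.infections.append((m.group(1), m.group(2) + " handler"))
            continue
        m = RESULT_RE.match(line)
        if m:
            summary.results[m.group(1)] = int(m.group(2))
    return summary


def drivers_with_single_dispatch(summary):
    """Drivers whose whole recorded IRP table points at one address (name -> address)."""
    return {name: info.single_dispatch_address() for name, info in summary.drivers.items()
            if info.single_dispatch_address() is not None}
```

Run against the full log pasted above, the same functions flag only atapi and collect the three "infected" lines the tool reported.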

#6 Buckeye_Sam


Posted 15 December 2009 - 08:24 AM

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


How is your computer behaving now?
Are you still being redirected?

#7 lilbrat0326


Posted 15 December 2009 - 01:17 PM

It seems that it stopped the redirecting. Thank you so much for your time and help! What do you recommend as the best AntiVirus program? What should I do with all these files I downloaded like TDSSKiller.exe? Can I delete them?

#8 Buckeye_Sam


Posted 15 December 2009 - 05:19 PM

Yes, you can just delete TDSSKiller.

Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(

#9 lilbrat0326


Posted 16 December 2009 - 11:19 PM

I am in the process of doing all the above. Thank you for all your time and help!

#10 Buckeye_Sam


Posted 17 December 2009 - 08:50 AM

Glad I could help out! :(

#11 lilbrat0326


Posted 17 December 2009 - 08:26 PM

After updating Windows, I am having trouble accessing websites like Yahoo Mail and any other kind of e-mail. Mozilla tells me that it crashed and asks me if I want to send a report. I can view the main page of my e-mail where it lists all the emails I have, but when I try to view a specific e-mail it either crashes or does not load. What should I do? It's not just Yahoo Mail, it's also Facebook Inbox and things similar to that.

#12 Buckeye_Sam


Posted 18 December 2009 - 08:34 AM

Firefox just updated to version 3.5.6
Do you have that version yet?

Check for any extensions or plugins that need to be updated to work properly with the new version.

Follow the steps here.
http://support.mozilla.com/en-US/kb/Basic+troubleshooting

#13 lilbrat0326


Posted 18 December 2009 - 01:05 PM

I kept getting a warning that said "unresponsive script". I couldn't see anything on any page and it kept freezing. It kept getting worse and worse to the point where I couldn't even use my internet, so I had to uninstall a few things to see what was causing it. Turns out it was the Sunbelt firewall! Thanks!

#14 Buckeye_Sam


Posted 18 December 2009 - 07:12 PM

Glad to see you got it sorted out! :(


Now that your malware issue appears to be resolved this topic will be closed.



