Redirect Virus


  • This topic is locked
10 replies to this topic

#1 lcostine

lcostine

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 14 December 2009 - 12:00 AM

Hello. I have the redirect virus and have tried multiple suggestions to try to fix it and it hasn't worked. I have downloaded the HostsXpert, CCleaner and the HijackThis. The virus has stopped opening multiple windows and doesn't occur all the time but is still redirecting every 2 or 3 searches. The Malwarebytes has not detected any infections the last 4 or more scans. Also the CCleaner didn't detect anything. Below is the log from the HijackThis. Please help me get rid of this virus. Thank you


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:16 PM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.lcostine\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4447 bytes


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:34 AM

Posted 14 December 2009 - 08:52 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
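The /md5start ... /md5stop block in the custom scan above makes OTL print an MD5 for every copy it finds of each listed driver or DLL: the service-pack reference copy under ServicePackFiles\i386, the live copy under system32\drivers (or system32), the dllcache copy, and any uninstall backups. The reason a helper asks for this on a search-redirect case is that a rootkit which patches a boot-start driver in place leaves the file name, size and company string looking normal; the only visible tell in a log is that the live copy's hash no longer matches the reference copy. The script below is an added example, not OTL's code and not part of this post; it parses that section of an OTL log and reports any live copy whose MD5 differs from the ServicePackFiles copy, while skipping the $NtServicePackUninstall$ and $NtUninstallKB...$ backups, which are older versions and are expected to differ. The embedded log is constructed in OTL's format, with one ATAPI.SYS hash deliberately made up so the report has something to flag.

```python
"""Check OTL '< MD5 for: NAME >' custom-scan output for patched system files.

Added example; not OTL's code. Assumes the OTL log format shown on this
page: a header line '< MD5 for: NAME >' followed by one line per copy found.
"""
import re

# Constructed sample in OTL's custom-scan format. The third ATAPI.SYS line
# carries a made-up hash (DEADBEEF...) so the report has something to flag;
# the other lines follow the pattern of a clean Windows XP SP3 system.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 08:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/12/09 10:46:42 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/09 10:46:42 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=DEADBEEF0000000000000000DEADBEEF -- C:\WINDOWS\system32\drivers\atapi.sys
"""

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# [date time | size | attrs | M] (Company) MD5=hash -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# The service pack's pristine copy is the reference; uninstall backups are
# older versions and legitimately differ, so they are not compared.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
BACKUP_MARKERS = ("$ntservicepackuninstall$", "$ntuninstallkb")


def parse_md5_sections(text):
    """Return {filename_lower: [entry, ...]} for every '< MD5 for: >' block."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            sections.setdefault(current, [])
            continue
        entry = LINE_RE.match(line)
        if entry and current is not None:
            sections[current].append({
                "size": int(entry.group("size").replace(",", "")),
                "company": entry.group("company").strip(),
                "md5": entry.group("md5").upper(),
                "path": entry.group("path"),
            })
    return sections


def find_mismatches(sections):
    """Return (name, path, reason) for live copies that differ from the reference."""
    findings = []
    for name, entries in sections.items():
        ref = [e for e in entries if REFERENCE_DIR in e["path"].lower()]
        if not ref:
            findings.append((name, None, "no ServicePackFiles reference copy to compare against"))
            continue
        ref_md5, ref_size = ref[0]["md5"], ref[0]["size"]
        for e in entries:
            p = e["path"].lower()
            if REFERENCE_DIR in p or any(marker in p for marker in BACKUP_MARKERS):
                continue
            if e["md5"] != ref_md5:
                detail = "same size" if e["size"] == ref_size else f"size {e['size']} != {ref_size}"
                findings.append((name, e["path"],
                                 f"MD5 {e['md5']} != reference {ref_md5} ({detail})"))
    return findings


def report(text):
    """Human-readable lines for the findings in an OTL log."""
    findings = find_mismatches(parse_md5_sections(text))
    if not findings:
        return ["All live copies match their ServicePackFiles reference."]
    return [f"SUSPECT {name}: {path or '-'}: {reason}" for name, path, reason in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A hit where the size is unchanged but the hash differs is the signature of an in-place patch rather than a replaced file; either way the next step is to confirm the file on disk directly and look at the GMER output before acting on it, since a single log line is not proof on its own.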

#3 lcostine

lcostine
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 15 December 2009 - 10:40 PM

Hello Sam! Thank you so much for taking the time to help! Here are the first two logs you asked for using the OTL:

OTL logfile created on: 12/15/2009 10:09:35 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Owner.lcostine\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.60 Mb Total Physical Memory | 516.17 Mb Available Physical Memory | 53.85% Memory free
2.26 Gb Paging File | 1.85 Gb Available in Paging File | 81.95% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.23 Gb Total Space | 51.48 Gb Free Space | 74.36% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.50% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LCOSTINE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/15 22:08:31 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.lcostine\Desktop\OTL.exe
PRC - [2009/12/12 21:46:58 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/12 21:46:58 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/05/02 02:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 02:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/25 16:25:20 | 00,787,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
PRC - [2008/04/25 16:25:12 | 00,191,752 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/05 20:16:10 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2006/04/27 13:48:00 | 00,143,427 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/03/17 00:07:50 | 00,655,360 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\DriveIcon\DriveIcon.exe
PRC - [2005/10/07 15:52:52 | 00,737,370 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2003/02/23 13:13:50 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2003/02/23 13:13:48 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2003/02/23 13:13:29 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe


========== Modules (SafeList) ==========

MOD - [2009/12/15 22:08:31 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.lcostine\Desktop\OTL.exe
MOD - [2009/07/12 01:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/05/02 02:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/05/02 02:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/11/05 20:16:10 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2006/10/23 07:50:35 | 00,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2006/04/27 13:48:00 | 00,143,427 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2004/10/15 15:54:14 | 00,100,016 | ---- | M] (America Online, Inc) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/02/23 13:13:29 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2003/02/06 01:00:54 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3417
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3417
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3417
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3417
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\S-1-5-21-3824287399-2130138240-3497500675-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (698 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr =
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-3824287399-2130138240-3497500675-1006\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 04:41:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/06/17 04:40:27 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (51794844573499392)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/15 22:08:26 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.lcostine\Desktop\OTL.exe
[2009/12/13 23:27:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.lcostine\Desktop\XDelBox
[2009/12/13 22:30:52 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/12 22:57:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.lcostine\Desktop\backups
[2009/12/12 22:50:23 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner.lcostine\Desktop\HijackThis.exe
[2009/12/12 21:44:37 | 00,000,000 | ---D | C] -- C:\HostsXpert
[2009/12/09 23:25:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/12/09 23:25:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.lcostine\Application Data\Sun
[2009/12/09 22:24:03 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Owner.lcostine\IECompatCache
[2009/12/09 18:29:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/12/09 16:18:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.lcostine\Local Settings\Application Data\Mozilla
[2009/12/09 08:14:21 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/09 08:14:14 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/12/09 08:14:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/09 08:11:47 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/11/17 23:03:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/01/09 14:40:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2007/01/01 22:54:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2006/12/30 15:28:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2006/12/30 15:26:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Bytemobile
[2006/12/24 17:21:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2006/11/05 20:16:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/06/17 04:45:24 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/02/23 13:12:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/15 22:08:31 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.lcostine\Desktop\OTL.exe
[2009/12/15 22:04:27 | 46,668,943 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/15 22:04:07 | 00,124,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/15 22:00:39 | 00,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/15 22:00:13 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/15 22:00:11 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/15 22:00:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/15 22:00:06 | 10,052,36224 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/14 00:24:54 | 02,883,584 | ---- | M] () -- C:\Documents and Settings\Owner.lcostine\NTUSER.DAT
[2009/12/14 00:24:54 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner.lcostine\ntuser.ini
[2009/12/14 00:24:48 | 06,387,624 | -H-- | M] () -- C:\Documents and Settings\Owner.lcostine\Local Settings\Application Data\IconCache.db
[2009/12/13 22:30:54 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner.lcostine\Desktop\CCleaner.lnk
[2009/12/12 22:30:47 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/12 22:30:47 | 00,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/12 22:30:47 | 00,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/10 13:24:58 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/09 08:12:15 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/09 08:06:03 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/09 08:03:18 | 00,000,197 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/12/08 22:03:04 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Owner.lcostine\My Documents\David King and Kennedy High.doc
[2009/12/08 18:07:46 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Owner.lcostine\Desktop\Microsoft Word.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/13 22:30:54 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Owner.lcostine\Desktop\CCleaner.lnk
[2009/12/09 08:15:23 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/09 08:12:15 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/09 08:03:18 | 00,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/12/08 18:18:22 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\Owner.lcostine\My Documents\David King and Kennedy High.doc
[2006/12/30 23:58:22 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Owner.lcostine\Local Settings\Application Data\fusioncache.dat
[2006/11/05 20:37:13 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/11/05 20:37:13 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/11/05 20:37:11 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/11/05 20:37:08 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/11/05 20:37:05 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/11/05 20:16:56 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2006/11/05 20:06:43 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/21 04:48:15 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 04:24:58 | 00,001,284 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 04:24:57 | 00,000,520 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/05 23:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 18:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2006/11/05 20:15:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2009/12/05 11:21:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2007/01/01 13:18:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cingular
[2009/12/12 22:33:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/11/05 20:12:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/12/21 22:57:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/12/09 08:15:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2003/02/18 19:02:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/11/05 20:15:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2006/11/05 20:15:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\levi 2\Application Data\SampleView
[2006/12/30 15:26:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Bytemobile
[2006/11/05 20:15:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mom\Application Data\SampleView
[2006/12/30 15:28:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2006/12/30 15:29:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.lcostine\Application Data\Cingular
[2003/01/29 17:17:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.lcostine\Application Data\GARMIN
[2006/11/05 20:15:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.lcostine\Application Data\SampleView
[2007/01/01 13:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.lcostine\Application Data\Smith Micro
[2006/12/21 22:57:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.lcostine\Application Data\WildTangent
[2006/12/21 22:54:47 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2006/12/21 22:54:48 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 3.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 08:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/12/09 10:46:42 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/09 10:46:42 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 14:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2004/08/10 14:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 14:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

And the second report from OTL:

OTL Extras logfile created on: 12/15/2009 10:09:35 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Owner.lcostine\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.60 Mb Total Physical Memory | 516.17 Mb Available Physical Memory | 53.85% Memory free
2.26 Gb Paging File | 1.85 Gb Available in Paging File | 81.95% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.23 Gb Total Space | 51.48 Gb Free Space | 74.36% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.50% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LCOSTINE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- (America Online, Inc)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- (America Online Inc)
"C:\Program Files\Common Files\AOL\1162775544\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1162775544\EE\AOLServiceHost.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- (America Online Inc.)
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- File not found
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Disabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Disabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8696ED8F-F797-40F0-A52A-CF6552E338E1}" = Mobile Broadband Drivers
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A7DEBAA4-B211-4D1A-A6B3-E52BFAAA1D0C}" = Garmin Communicator Plugin
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}" = KhalSetup
"{F1BA3CD5-89DC-4273-8603-A75F33E9B335}" = Nokia Connectivity Adapter Cable DKU-5
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AVG9Uninstall" = AVG Free 9.0
"CCleaner" = CCleaner
"Gateway Game Console" = Gateway Game Console
"gtw_logo" = gtw_logo
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveReg" = LiveReg (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"Port Magic" = Pure Networks Port Magic
"RealPlayer 6.0" = RealPlayer Basic
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WT010646" = Bejeweled 2 Deluxe
"WT010647" = Blackhawk Striker 2
"WT010648" = Blasterball 2 Revolution
"WT010650" = FATE
"WT010651" = Penguins!
"WT010654" = SCRABBLE
"WT010655" = Tradewinds
"WT010660" = Polar Bowler
"WT010661" = Polar Golfer

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3824287399-2130138240-3497500675-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CSec" = Cyber Security

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/15/2003 12:36:27 PM | Computer Name = LCOSTINE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/15/2003 12:36:27 PM | Computer Name = LCOSTINE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/15/2003 12:36:28 PM | Computer Name = LCOSTINE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/18/2003 12:27:52 PM | Computer Name = LCOSTINE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16850, faulting
module flash9f.ocx, version 9.0.124.0, fault address 0x0008dcfc.

Error - 2/18/2003 12:28:02 PM | Computer Name = LCOSTINE | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 2/18/2003 12:30:01 PM | Computer Name = LCOSTINE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16850, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2003 2:26:55 PM | Computer Name = LCOSTINE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16850, faulting
module msvcr71.dll, version 7.10.3052.4, fault address 0x000017fb.

Error - 2/22/2003 2:27:04 PM | Computer Name = LCOSTINE | Source = Application Error | ID = 1001
Description = Fault bucket 1312269375.

Error - 2/22/2003 2:30:16 PM | Computer Name = LCOSTINE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16850, faulting
module msvcr71.dll, version 7.10.3052.4, fault address 0x000017fb.

Error - 11/27/2009 12:22:49 PM | Computer Name = LCOSTINE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

[ System Events ]
Error - 12/13/2009 12:02:53 AM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/13/2009 12:02:53 AM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/13/2009 11:11:23 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/13/2009 11:11:23 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/13/2009 11:43:03 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/13/2009 11:43:03 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 12:18:13 AM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 12:18:13 AM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/15/2009 11:00:22 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/15/2009 11:00:22 PM | Computer Name = LCOSTINE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

The GMER scan is still working but I will post it as soon as it is complete. Thank you again! Sorry for taking a while to get back to you.

#4 lcostine (Topic Starter)

Posted 15 December 2009 - 11:00 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 22:58:18
Windows 5.1.2600 Service Pack 3
Running: 6129ihz0.exe; Driver: C:\DOCUME~1\OWNER~1.LCO\LOCALS~1\Temp\fxlyapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74737A4]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5B2E360, 0x2217AD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3572] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8630B369

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#5 Buckeye_Sam (Malware Expert)

Posted 16 December 2009 - 09:21 AM

We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 lcostine (Topic Starter)

Posted 16 December 2009 - 10:22 AM

Hey Sam, just wanted to let you know that I am at work right now and that I will run TDSSKiller when I get home tonight. Thanks again for all the help! :(

#7 Buckeye_Sam (Malware Expert)

Posted 16 December 2009 - 10:27 AM

Sounds good!

#8 lcostine (Topic Starter)

Posted 16 December 2009 - 09:42 PM

Hello Sam! OK, when I first ran the scan it noted it did detect 1 infected file, etc. in the end results. Once the computer restarted, I went to find the .txt file on the C: drive and it wasn't there. So I ran the scan again and it came up with different end results but did produce a .txt file. Here it is...


Host Name: LCOSTINE
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner:
Registered Organization:
Product ID: 76487-OEM-0011903-00806
Original Install Date: 12/21/2006, 10:54:55 PM
System Up Time: 0 Days, 0 Hours, 12 Minutes, 26 Seconds
System Manufacturer: GATEWAY
System Model: MX3417
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 76 Stepping 2 AuthenticAMD ~2004 Mhz
BIOS Version: PTLTD - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 959 MB
Available Physical Memory: 507 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: MSHOME
Logon Server: \\LCOSTINE
Hotfix(s): 183 Hotfix(s) Installed.
[01]: File 1
[79]: Q147222
[80]: KB887998 - QFE
[81]: KB930494 - QFE
[82]: KB953295 - QFE
[83]: SP3 - SP
[84]: M953297 - Update
[85]: S867460 - Update
[86]: KB900325 - Update
[87]: Q927978
[88]: Q936181
[89]: Q954430
[90]: Q973688
[91]: KB898458 - Update
[92]: IDNMitigationAPIs - Update
[93]: NLSDownlevelMapping - Update
[94]: KB952069_WM9
[95]: KB954155_WM9
[96]: KB968816_WM9
[97]: KB973540_WM9L
[98]: KB911565
[99]: KB913800
[100]: KB917734_WMP10
[101]: KB926251
[102]: KB936782_WMP10
[103]: KB925398_WMP64
[104]: KB923689
[105]: KB941569
[106]: KB938127-IE7 - Update
[107]: KB942615-IE7 - Update
[108]: KB944533-IE7 - Update
[109]: KB950759-IE7 - Update
[110]: KB969897-IE7 - Update
[111]: KB971961-IE8 - Update
[112]: KB974455-IE7 - Update
[113]: KB974455-IE8 - Update
[114]: KB975364-IE8 - Update
[115]: KB976325-IE8 - Update
[116]: KB976749-IE8 - Update
[117]: KB936929 - Service Pack
[118]: KB923561 - Update
[119]: KB938464-v2 - Update
[120]: KB946648 - Update
[121]: KB950760 - Update
[122]: KB950762 - Update
[123]: KB950974 - Update
[124]: KB951066 - Update
[125]: KB951376 - Update
[126]: KB951376-v2 - Update
[127]: KB951698 - Update
[128]: KB951748 - Update
[129]: KB951978 - Update
[130]: KB952004 - Update
[131]: KB952287 - Update
[132]: KB952954 - Update
[133]: KB953356 - Update
[134]: KB954459 - Update
[135]: KB954550-v5 - Update
[136]: KB954600 - Update
[137]: KB955069 - Update
[138]: KB955839 - Update
[139]: KB956572 - Update
[140]: KB956744 - Update
[141]: KB956802 - Update
[142]: KB956803 - Update
[143]: KB956844 - Update
[144]: KB957097 - Update
[145]: KB958644 - Update
[146]: KB958687 - Update
[147]: KB958869 - Update
[148]: KB959426 - Update
[149]: KB960225 - Update
[150]: KB960803 - Update
[151]: KB960859 - Update
[152]: KB961118 - Update
[153]: KB961371 - Update
[154]: KB961501 - Update
[155]: KB967715 - Update
[156]: KB968389 - Update
[157]: KB968537 - Update
[158]: KB969059 - Update
[159]: KB969947 - Update
[160]: KB970238 - Update
[161]: KB970430 - Update
[162]: KB970653-v3 - Update
[163]: KB971486 - Update
[164]: KB971557 - Update
[165]: KB971633 - Update
[166]: KB971657 - Update
[167]: KB971737 - Update
[168]: KB971961 - Update
[169]: KB973346 - Update
[170]: KB973354 - Update
[171]: KB973507 - Update
[172]: KB973525 - Update
[173]: KB973687 - Update
[174]: KB973815 - Update
[175]: KB973869 - Update
[176]: KB973904 - Update
[177]: KB974112 - Update
[178]: KB974318 - Update
[179]: KB974392 - Update
[180]: KB974571 - Update
[181]: KB975025 - Update
[182]: KB975467 - Update
[183]: KB976098-v2 - Update
NetWork Card(s): 2 NIC(s) Installed.
[01]: Realtek RTL8185 54M Wireless LAN Network Adapter
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.8
[02]: NVIDIA nForce Networking Controller
Connection Name: Local Area Connection
Status: Media disconnected
21:20:58:703 3804 ForceUnloadDriver: NtUnloadDriver error 2
21:20:58:703 3804 ForceUnloadDriver: NtUnloadDriver error 2
21:20:58:703 3804 ForceUnloadDriver: NtUnloadDriver error 2
21:20:58:703 3804 main: Driver KLMD successfully dropped
21:20:58:750 3804 main: Driver KLMD successfully loaded
21:20:58:750 3804
Scanning Registry ...
21:20:58:781 3804 ScanServices: Searching service UACd.sys
21:20:58:781 3804 ScanServices: Open/Create key error 2
21:20:58:781 3804 ScanServices: Searching service TDSSserv.sys
21:20:58:781 3804 ScanServices: Open/Create key error 2
21:20:58:781 3804 ScanServices: Searching service gaopdxserv.sys
21:20:58:781 3804 ScanServices: Open/Create key error 2
21:20:58:781 3804 ScanServices: Searching service gxvxcserv.sys
21:20:58:781 3804 ScanServices: Open/Create key error 2
21:20:58:781 3804 ScanServices: Searching service MSIVXserv.sys
21:20:58:781 3804 ScanServices: Open/Create key error 2
21:20:58:781 3804 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
21:20:58:781 3804 UnhookRegistry: Kernel local addr: A40000
21:20:58:781 3804 UnhookRegistry: KeServiceDescriptorTable addr: ABC020
21:20:58:781 3804 UnhookRegistry: KiServiceTable addr: A6AB9C
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey service number (local): 47
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey local addr: B83B72
21:20:58:781 3804 KLMD_OpenDevice: Trying to open KLMD device
21:20:58:781 3804 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
21:20:58:781 3804 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x804FE335[0x4]
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey service number (kernel): 47
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x80501CB8[0x4]
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey real addr: 8061AB72
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey calc addr: 8061AB72
21:20:58:781 3804 UnhookRegistry: No SDT hooks found on NtEnumerateKey
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x8061AB72[0xA]
21:20:58:781 3804 UnhookRegistry: No splicing found on NtEnumerateKey
21:20:58:781 3804
Scanning Kernel memory ...
21:20:58:781 3804 KLMD_OpenDevice: Trying to open KLMD device
21:20:58:781 3804 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
21:20:58:781 3804 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:20:58:781 3804 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 863E8980
21:20:58:781 3804 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
21:20:58:781 3804 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8636BC68
21:20:58:781 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8636BC68
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x8636BC68[0x38]
21:20:58:781 3804 DetectCureTDL3: DRIVER_OBJECT addr: 863E8980
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x863E8980[0xA8]
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0xE1018DA8[0x208]
21:20:58:781 3804 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:20:58:781 3804 DetectCureTDL3: IrpHandler (0) addr: F7716BB0
21:20:58:781 3804 DetectCureTDL3: IrpHandler (1) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (2) addr: F7716BB0
21:20:58:781 3804 DetectCureTDL3: IrpHandler (3) addr: F7710D1F
21:20:58:781 3804 DetectCureTDL3: IrpHandler (4) addr: F7710D1F
21:20:58:781 3804 DetectCureTDL3: IrpHandler (5) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (6) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (7) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (8) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (9) addr: F77112E2
21:20:58:781 3804 DetectCureTDL3: IrpHandler (10) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (11) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (12) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (13) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (14) addr: F77113BB
21:20:58:781 3804 DetectCureTDL3: IrpHandler (15) addr: F7714F28
21:20:58:781 3804 DetectCureTDL3: IrpHandler (16) addr: F77112E2
21:20:58:781 3804 DetectCureTDL3: IrpHandler (17) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (18) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (19) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (20) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (21) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (22) addr: F7712C82
21:20:58:781 3804 DetectCureTDL3: IrpHandler (23) addr: F771799E
21:20:58:781 3804 DetectCureTDL3: IrpHandler (24) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (25) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (26) addr: 804F355A
21:20:58:781 3804 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
21:20:58:781 3804 KLMD_ReadMem: DeviceIoControl error 1
21:20:58:781 3804 TDL3_StartIoHookDetect: Unable to get StartIo handler code
21:20:58:781 3804 TDL3_FileDetect: Processing driver: Disk
21:20:58:781 3804 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
21:20:58:781 3804 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
21:20:58:781 3804 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
21:20:58:796 3804 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86388C68
21:20:58:796 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86388C68
21:20:58:796 3804 KLMD_ReadMem: Trying to ReadMemory 0x86388C68[0x38]
21:20:58:796 3804 DetectCureTDL3: DRIVER_OBJECT addr: 863E8980
21:20:58:796 3804 KLMD_ReadMem: Trying to ReadMemory 0x863E8980[0xA8]
21:20:58:796 3804 KLMD_ReadMem: Trying to ReadMemory 0xE1018DA8[0x208]
21:20:58:796 3804 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:20:58:796 3804 DetectCureTDL3: IrpHandler (0) addr: F7716BB0
21:20:58:796 3804 DetectCureTDL3: IrpHandler (1) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (2) addr: F7716BB0
21:20:58:796 3804 DetectCureTDL3: IrpHandler (3) addr: F7710D1F
21:20:58:796 3804 DetectCureTDL3: IrpHandler (4) addr: F7710D1F
21:20:58:796 3804 DetectCureTDL3: IrpHandler (5) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (6) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (7) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (8) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (9) addr: F77112E2
21:20:58:796 3804 DetectCureTDL3: IrpHandler (10) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (11) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (12) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (13) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (14) addr: F77113BB
21:20:58:796 3804 DetectCureTDL3: IrpHandler (15) addr: F7714F28
21:20:58:796 3804 DetectCureTDL3: IrpHandler (16) addr: F77112E2
21:20:58:796 3804 DetectCureTDL3: IrpHandler (17) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (18) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (19) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (20) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (21) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (22) addr: F7712C82
21:20:58:796 3804 DetectCureTDL3: IrpHandler (23) addr: F771799E
21:20:58:796 3804 DetectCureTDL3: IrpHandler (24) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (25) addr: 804F355A
21:20:58:796 3804 DetectCureTDL3: IrpHandler (26) addr: 804F355A
21:20:58:796 3804 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
21:20:58:796 3804 KLMD_ReadMem: DeviceIoControl error 1
21:20:58:796 3804 TDL3_StartIoHookDetect: Unable to get StartIo handler code
21:20:58:796 3804 TDL3_FileDetect: Processing driver: Disk
21:20:58:796 3804 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
21:20:58:796 3804 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
21:20:58:796 3804 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
21:20:58:812 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8637FAB8
21:20:58:812 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8637FAB8
21:20:58:812 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 863559E8
21:20:58:812 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863559E8
21:20:58:812 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8636C940
21:20:58:812 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8636C940
21:20:58:812 3804 KLMD_ReadMem: Trying to ReadMemory 0x8636C940[0x38]
21:20:58:812 3804 DetectCureTDL3: DRIVER_OBJECT addr: 8638D3D8
21:20:58:812 3804 KLMD_ReadMem: Trying to ReadMemory 0x8638D3D8[0xA8]
21:20:58:812 3804 KLMD_ReadMem: Trying to ReadMemory 0xE1008F68[0x208]
21:20:58:812 3804 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:20:58:812 3804 DetectCureTDL3: IrpHandler (0) addr: F74676F2
21:20:58:812 3804 DetectCureTDL3: IrpHandler (1) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (2) addr: F74676F2
21:20:58:812 3804 DetectCureTDL3: IrpHandler (3) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (4) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (5) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (6) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (7) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (8) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (9) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (10) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (11) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (12) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (13) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (14) addr: F7467712
21:20:58:812 3804 DetectCureTDL3: IrpHandler (15) addr: F7463852
21:20:58:812 3804 DetectCureTDL3: IrpHandler (16) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (17) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (18) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (19) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (20) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (21) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (22) addr: F746773C
21:20:58:812 3804 DetectCureTDL3: IrpHandler (23) addr: F746E336
21:20:58:812 3804 DetectCureTDL3: IrpHandler (24) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (25) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (26) addr: 804F355A
21:20:58:812 3804 KLMD_ReadMem: Trying to ReadMemory 0xF7464864[0x400]
21:20:58:812 3804 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
21:20:58:812 3804 TDL3_FileDetect: Processing driver: atapi
21:20:58:812 3804 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\tsk_atapi.sys, C:\WINDOWS\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
21:20:58:812 3804 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk_atapi.sys
21:20:58:812 3804 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk_atapi.sys
21:20:58:843 3804
Completed

Results:
21:20:58:843 3804 Infected objects in memory: 0
21:20:58:843 3804 Cured objects in memory: 0
21:20:58:843 3804 Infected objects on disk: 0
21:20:58:843 3804 Objects on disk cured on reboot: 0
21:20:58:843 3804 Objects on disk deleted on reboot: 0
21:20:58:843 3804 Registry nodes deleted on reboot: 0
21:20:58:843 3804


In this very last part where it says Results, the first scan had a number 1 in all the zero spots and the second scan now has zero. Again, thank you for helping me.
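The log above records two rootkit checks that TDSSKiller runs: it compares the NtEnumerateKey address read from the live service table ("real addr") with the one computed from ntkrnlpa.exe on disk ("calc addr"), then walks the \Driver\Disk device stack down to atapi and lists every IRP dispatch handler, because a TDL3 infection redirects disk I/O to code living outside any loaded driver image. The Python below is an added example, not part of this thread or of TDSSKiller: it parses that log format and applies the same two checks against a table of loaded images. The LOADED_IMAGES table (the image sizes in particular), the "hooked" sample addresses and all function names are assumptions made for the example; the sample excerpt is constructed from the addresses visible in the post.

```python
"""Heuristic review of a TDSSKiller-style kernel scan log (added example).

Two checks mirror what the posted log records:
  1. SSDT: the NtEnumerateKey address read from the live KiServiceTable
     ("real addr") must equal the one computed from the on-disk kernel
     ("calc addr"); a mismatch is a redirected service table entry.
  2. IRP dispatch: each MajorFunction handler of a driver object must be
     the kernel's shared default handler or lie inside a loaded image;
     a handler in pool memory is how a TDL3-class rootkit takes over disk I/O.
"""
import re
from collections import Counter, defaultdict

# Constructed image table (what a debugger's `lm` would list). Bases follow
# the post; the sizes are assumptions for this example, not machine values.
LOADED_IMAGES = {
    "ntkrnlpa.exe": (0x804D7000, 0x1F8000),
    "disk.sys": (0xF770F000, 0xE000),
    "atapi.sys": (0xF745F000, 0x18000),
}

NAME_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\\w+, Driver Name: (\w+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
SSDT_RE = re.compile(r"UnhookRegistry: (\w+) (real|calc) addr: ([0-9A-F]+)")
RESULT_RE = re.compile(r"Infected objects (in memory|on disk): (\d+)")


def image_for(addr):
    """Name of the loaded image containing addr, or None if it is in no image."""
    for name, (base, size) in LOADED_IMAGES.items():
        if base <= addr < base + size:
            return name
    return None


def parse_log(text):
    """Group IrpHandler lines by driver; collect SSDT real/calc pairs and counts."""
    drivers, ssdt, infected, current = defaultdict(dict), defaultdict(dict), 0, None
    for line in text.splitlines():
        if m := NAME_RE.search(line):
            current = m.group(1)
        elif (m := IRP_RE.search(line)) and current:
            drivers[current][int(m.group(1))] = int(m.group(2), 16)
        elif m := SSDT_RE.search(line):
            ssdt[m.group(1)][m.group(2)] = int(m.group(3), 16)
        elif m := RESULT_RE.search(line):
            infected += int(m.group(2))
    return drivers, ssdt, infected


def find_hooks(text):
    """Return (kind, detail) findings; an empty list means the log looks clean."""
    drivers, ssdt, infected = parse_log(text)
    findings = []
    for svc, pair in ssdt.items():
        if "real" in pair and "calc" in pair and pair["real"] != pair["calc"]:
            findings.append(("ssdt", f"{svc}: table {pair['real']:08X} != image {pair['calc']:08X}"))
    if drivers:
        # The address most drivers share is the kernel stub for unsupported
        # IRPs (804F355A in the post); it is never a hook, so skip it.
        shared = Counter(a for t in drivers.values() for a in t.values()).most_common(1)[0][0]
        for name, table in drivers.items():
            for idx, addr in sorted(table.items()):
                if addr != shared and image_for(addr) is None:
                    findings.append(("irp", f"{name} MajorFunction[{idx}] -> {addr:08X} outside any loaded image"))
    if infected:
        findings.append(("results", f"scanner reported {infected} infected object(s)"))
    return findings


# Constructed excerpt in the post's log format, using addresses from the post.
CLEAN_LOG = """\
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey real addr: 8061AB72
21:20:58:781 3804 UnhookRegistry: NtEnumerateKey calc addr: 8061AB72
21:20:58:781 3804 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
21:20:58:781 3804 DetectCureTDL3: IrpHandler (0) addr: F7716BB0
21:20:58:781 3804 DetectCureTDL3: IrpHandler (1) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (3) addr: F7710D1F
21:20:58:781 3804 DetectCureTDL3: IrpHandler (5) addr: 804F355A
21:20:58:781 3804 DetectCureTDL3: IrpHandler (14) addr: F77113BB
21:20:58:812 3804 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
21:20:58:812 3804 DetectCureTDL3: IrpHandler (0) addr: F74676F2
21:20:58:812 3804 DetectCureTDL3: IrpHandler (3) addr: 804F355A
21:20:58:812 3804 DetectCureTDL3: IrpHandler (14) addr: F7467712
21:20:58:812 3804 DetectCureTDL3: IrpHandler (15) addr: F7463852
21:20:58:843 3804 Infected objects in memory: 0
21:20:58:843 3804 Infected objects on disk: 0
"""
# Constructed "hooked" variant: the SSDT entry and atapi's SCSI dispatch
# (MajorFunction[15]) now point into pool memory (addresses invented here).
HOOKED_LOG = (CLEAN_LOG
              .replace("real addr: 8061AB72", "real addr: 8637F2E0")
              .replace("IrpHandler (15) addr: F7463852", "IrpHandler (15) addr: 863A1C40")
              .replace("in memory: 0", "in memory: 1"))

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hooked", HOOKED_LOG)):
        print(label, find_hooks(log) or "no findings")
```

Against a real log, LOADED_IMAGES has to come from the same boot as the scan (module bases move between boots), and a handler that resolves to an image other than the driver's own module or the kernel is still worth a second look even though this heuristic accepts it.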

#9 lcostine

lcostine
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 16 December 2009 - 10:25 PM

Sam! I just wanted to let you know that Google is not redirecting anymore! I have closed the browser, reopened it and tried multiple searches and even restarted the computer to see if the redirecting reoccurred, and it is no longer happening. Thank you so much for helping me!

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:34 AM

Posted 17 December 2009 - 08:54 AM

Excellent!


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

================


Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.




========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:34 AM

Posted 26 December 2009 - 08:16 PM

Now that your problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this topic in your request.




========================================================



