System Defender and Google Redirect Virus?

20 replies to this topic

#1 AndyAndy (Members, 18 posts)

Posted 14 December 2009 - 01:21 AM

Hi...

I recently encountered malware in which, whenever I use Google, I'm taken to www.google.nl, and when I try to click the links from my searches, I'm redirected to undesired sites with advertisements, no matter what I click on. Furthermore, I have noticed that "System Defender" has been installed onto my computer. I've tried running Malwarebytes a couple of times and a series of spyware items were detected. I was able to successfully remove them, only to find that my problems still exist, including the presence of "System Defender". I've tried rebooting in safe mode, only to end up with the dreaded blue screen. Then I tried a system restore, only to find out that it can't be restored. I had initially posted in the "Am I infected? What do I do?" forum and was then instructed to post here along with my system's scans. I hope this isn't too troublesome, and I hope I can receive some help with this. Thank you in advance!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Andy Nguyen at 22:02:40.27 on Sun 12/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.215 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: System Defender *On-access scanning enabled* (Updated) {17BA4422-7F7C-41BF-A666-CB9C186CB26C}
FW: System Defender *enabled* {A9DF74EE-92AC-446F-8C8B-9802210C2717}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
svchost.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\ANDYNG~1\LOCALS~1\Temp\clclean.0001
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andy Nguyen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\andy nguyen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [COM+ Manager] "c:\documents and settings\andy nguyen\.commgr\complmgr.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim\\DeadAIM.ocm",ExportedCheckODLs
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05c\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147674304390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
IFEO: AlphaAV - svchost.exe
IFEO: AlphaAV.exe - svchost.exe
IFEO: Anti-Virus Professional.exe - svchost.exe
IFEO: AntispywarXP2009.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andyng~1\applic~1\mozilla\firefox\profiles\eantkkfp.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\k-wbmWctS7-n-g.dll
FF - plugin: c:\documents and settings\andy nguyen\application data\mozilla\firefox\profiles\eantkkfp.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\andy nguyen\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\andy nguyen\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-28 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-5 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-5 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-12 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-5 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 SSDPSRVAlerter;SSDP Discovery Service SSDPSRVAlerter;c:\windows\system32\6to4svcy.exe srv --> c:\windows\system32\6to4svcy.exe srv [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-28 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-28 1095560]

=============== Created Last 30 ================

2009-12-13 08:03:08 0 d-sh--w- c:\docume~1\andyng~1\applic~1\SystemProc
2009-12-10 04:30:07 10 ----a-w- C:\confin.sys
2009-12-10 04:28:52 0 d-sh--w- c:\docume~1\andyng~1\applic~1\System
2009-12-10 04:28:51 0 d-----w- c:\docume~1\andyng~1\applic~1\Mozilla Firefox
2009-12-10 04:25:18 117272 ----a-w- c:\windows\system32\0ZuN5w8pzMtACwf.exe
2009-12-10 04:23:32 0 d-sh--w- c:\documents and settings\andy nguyen\.COMMgr
2009-12-10 04:21:22 0 d-sh--w- c:\docume~1\andyng~1\applic~1\System Defender
2009-12-10 04:21:18 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WSFHMKGWXED_APDM
2009-12-10 04:19:49 0 d-sh--w- c:\docume~1\alluse~1\applic~1\1b12879
2009-12-10 04:10:41 381 --s-a-w- c:\windows\system32\3188475982.dat
2009-12-04 03:35:57 256 ----a-w- c:\documents and settings\andy nguyen\pool.bin
2009-12-04 03:22:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion

==================== Find3M ====================

2009-12-08 07:12:57 71530 ----a-w- c:\windows\War3Unin.dat
2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 13:13:33 69128 ----a-w- c:\docume~1\andyng~1\applic~1\GDIPFONTCACHEV1.DAT
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2006-05-14 21:26:05 5115704 ----a-w- c:\program files\Firefox Setup 1.5.0.3.exe
2007-04-14 03:15:26 88 --sh--r- c:\windows\system32\E5647CD50D.sys
2007-04-14 03:15:32 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-27 05:15:39 383 --sh--w- c:\windows\system32\nobalulo.exe
2009-02-26 05:51:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022520090226\index.dat

============= FINISH: 22:05:19.81 ===============

Attached Files
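Three things in the DDS report above carry most of the triage signal: every IFEO line names svchost.exe as the "debugger" for a security product (Windows then starts the debugger instead of the named program, with the program's command line appended, so the tool never launches; the MBAM log later in the thread removes the same keys, including one for taskmgr.exe), the HOSTS lines pin the rogue's payment domains to a single address, and the auto-start service SSDPSRVAlerter points at a 6to4svcy.exe that DDS tagged with [?]. The Python below is an added example, not part of this thread and not DDS or OTL code: it parses lines in the DDS "Pseudo HJT Report" shape and applies those heuristics so a log like this one can be screened before a human reads it. The sample log is constructed from the shapes seen above (the [Updater] line is invented to exercise the temp-directory check), the heuristic names and my reading of [?] as "DDS could not stat the file" are assumptions, and an IFEO hit is a review item rather than a verdict, since developers legitimately set Debugger values.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines (added example).

Heuristics, each a review item rather than a verdict:
  ifeo-debugger          any Image File Execution Options Debugger entry
  hosts-override         HOSTS line that maps a name to a non-loopback address
  run-location           Run entry whose executable lives in a dot-directory
                         or a temp directory inside the user profile
  service-missing-binary service line DDS tagged with [?] (assumed to mean
                         DDS could not stat the file)
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    kind: str     # which heuristic fired
    subject: str  # image name, hostname, Run entry name or service name
    detail: str   # what it pointed at


IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>\S+)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run command line.

    Quoted paths are taken verbatim; otherwise the path ends at the first
    '.exe' token, so unquoted paths containing spaces survive.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def suspicious_run_location(exe_path: str) -> Optional[str]:
    """Flag executables launched from a dot-directory (e.g. .commgr) or a temp directory."""
    parts = exe_path.lower().replace("/", "\\").split("\\")
    for part in parts[:-1]:            # directory components only
        if len(part) > 1 and part.startswith("."):
            return "dot-directory"
        if part == "temp":
            return "temp directory"
    return None


def hosts_override(ip: str, host: str) -> bool:
    """True when a HOSTS line points a name somewhere other than loopback or 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                    # unparsable address: look at it
    return not (addr.is_loopback or addr.is_unspecified)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            # Windows starts the Debugger instead of the named image, with the
            # image's command line appended; pointing it at svchost.exe is how
            # the rogue keeps security tools (and taskmgr) from ever launching.
            findings.append(Finding("ifeo-debugger", m["image"], m["debugger"]))
            continue
        m = HOSTS_RE.match(line)
        if m:
            if hosts_override(m["ip"], m["host"]):
                findings.append(Finding("hosts-override", m["host"], m["ip"]))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            reason = suspicious_run_location(exe)
            if reason:
                findings.append(Finding("run-location", m["name"], f"{exe} ({reason})"))
            continue
        m = SERVICE_RE.match(line)
        if m and m["rest"].rstrip().endswith("[?]"):
            findings.append(Finding("service-missing-binary", m["name"], m["rest"].strip()))
    return findings


# Constructed sample in the shape of the DDS report in this thread; the
# [Updater] line is invented to exercise the temp-directory check.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [COM+ Manager] "c:\documents and settings\andy nguyen\.commgr\complmgr.exe"
uRun: [Updater] c:\docume~1\andyng~1\locals~1\temp\update9302.exe
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
IFEO: AlphaAV.exe - svchost.exe
IFEO: taskmgr.exe - svchost.exe
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 127.0.0.1 localhost
S2 SSDPSRVAlerter;SSDP Discovery Service SSDPSRVAlerter;c:\windows\system32\6to4svcy.exe srv --> c:\windows\system32\6to4svcy.exe srv [?]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-5 297752]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.subject:32} -> {f.detail}")
```

Run it against a saved DDS.txt by passing the file contents to triage(); on the constructed sample it reports the two IFEO redirects, the payment-domain HOSTS override, both Run entries launched from odd locations and the service with the unreadable binary, and stays silent on ctfmon, localhost and the AVG watchdog.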




#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 14 December 2009 - 08:47 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 AndyAndy (Topic Starter)

Posted 14 December 2009 - 04:17 PM

Hi Sam,

Thanks for your help. I tried downloading from the 3 links and was led to http://download.bleepingcomputer.com/sUBs/ComboFix.html, which said ComboFix is not available at this time.

On the 2nd link, I was able to download a file; however, after attempting to run the file, a Notepad message came up stating "ComboFix is Offline. Please visit http://download.bleepingcomputer.com/sUBs/ComboFix.html".

So I suppose I have to wait until it is fixed, correct?

#4 Buckeye_Sam (Malware Expert)

Posted 14 December 2009 - 08:58 PM

While ComboFix is unavailable, we'll go a different route.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


=====================



We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


#5 AndyAndy (Topic Starter)

Posted 15 December 2009 - 12:40 AM

Hello Sam,

Here are the two logs you requested.


Malwarebytes' Anti-Malware 1.42
Database version: 3362
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/14/2009 9:05:47 PM
mbam-log-2009-12-14 (21-05-47).txt

Scan type: Quick Scan
Objects scanned: 121039
Time elapsed: 13 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\0zun5w8pzmtacwf (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Securitysoldier.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows Police Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Andy Nguyen\Application Data\System Defender (Rogue.SystemDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\0ZuN5w8pzMtACwf.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\wnaxomsrce.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\Setup.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Local Settings\Temporary Internet Files\Content.IE5\TPLEBJ2T\update9302[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Application Data\System Defender\cookies.sqlite (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Application Data\System Defender\Instructions.ini (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Desktop\System Defender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Application Data\Microsoft\Internet Explorer\Quick Launch\System Defender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Start Menu\System Defender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy Nguyen\Start Menu\Programs\System Defender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.



-----------------------

OTL logfile created on: 12/14/2009 9:19:33 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Andy Nguyen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.37 Mb Total Physical Memory | 359.42 Mb Available Physical Memory | 35.43% Memory free
2.38 Gb Paging File | 1.73 Gb Available in Paging File | 72.40% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.80 Gb Total Space | 12.34 Gb Free Space | 24.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHWTJY91
Current User Name: Andy Nguyen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/14 21:08:04 | 00,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\clclean.0001
PRC - [2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
PRC - [2009/12/12 17:00:00 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/12/12 15:53:12 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/08 03:39:24 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/13 22:57:34 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/09/13 22:57:24 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/09/13 22:56:59 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/08/31 11:25:16 | 00,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2008/10/24 09:14:36 | 00,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/07/08 16:41:02 | 02,828,184 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/15 13:11:04 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/11/15 13:10:54 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/03/15 17:16:42 | 00,454,784 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.) -- C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
PRC - [2006/05/04 11:40:57 | 00,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2006/03/10 09:45:12 | 00,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2006/03/08 01:48:02 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/01/09 08:33:24 | 00,417,792 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/01/02 06:13:52 | 01,126,400 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
PRC - [2005/12/19 12:08:42 | 01,347,584 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2005/12/19 12:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2005/12/19 12:08:40 | 01,200,128 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2005/12/15 07:44:52 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
PRC - [2005/12/13 06:45:00 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/12/13 06:41:08 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/12/13 06:41:00 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2005/11/11 18:30:22 | 00,995,328 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2005/10/31 07:51:52 | 00,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005/10/05 00:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 02:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/04/13 02:48:52 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
PRC - [2004/12/02 15:23:34 | 00,102,400 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PRC - [2004/04/07 09:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2003/10/28 23:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/08/01 07:31:06 | 00,061,440 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [1999/12/12 14:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
MOD - [2005/12/13 06:39:58 | 00,073,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll
MOD - [2003/08/01 07:25:02 | 00,006,144 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\idlemon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SSDPSRVAlerter)
SRV - [2009/09/13 22:56:59 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/07/08 12:31:36 | 00,313,840 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2009/07/08 12:31:32 | 00,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2009/07/08 12:31:12 | 01,108,464 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2009/01/21 12:08:06 | 01,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 11:40:56 | 00,348,752 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2007/12/06 23:20:56 | 00,088,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/12/06 23:20:52 | 00,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/11/15 13:10:54 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/05/04 11:40:57 | 00,069,632 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005/12/19 12:08:42 | 00,018,944 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2005/12/15 07:44:52 | 00,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/04/07 09:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [1999/12/12 14:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2009/10/12 01:49:01 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/20 23:22:20 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/13 22:57:33 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/13 22:57:33 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/04/03 10:18:26 | 00,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/03/23 13:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/03/23 13:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/01/09 16:18:02 | 00,027,136 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2008/05/20 18:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb)
DRV - [2008/04/13 10:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/31 14:09:14 | 00,030,464 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/03/22 11:57:14 | 00,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 11:57:14 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/05/04 11:46:37 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/03/08 01:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/01/09 08:39:56 | 01,099,304 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/04 04:41:48 | 01,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/12/13 07:09:34 | 01,364,574 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/12/01 04:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 04:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 04:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/02 16:24:34 | 00,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/10/05 01:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/09/12 00:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 02:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 02:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 02:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 02:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 02:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 02:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 02:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 09:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 09:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 13:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/12 02:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/05 00:32:16 | 00,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/14 07:58:14 | 00,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/07/14 06:28:38 | 00,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 08:00:30 | 00,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/05/25 06:34:00 | 00,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2005/01/10 07:15:00 | 00,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/01/10 07:15:00 | 00,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2004/10/15 13:50:20 | 00,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/09/29 03:24:38 | 00,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/08/10 02:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/10 02:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2004/08/03 19:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/01/10 04:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2003/01/10 13:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 11:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 11:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 11:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 11:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 11:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 10:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 10:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 10:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 10:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 10:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 10:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 10:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 10:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 10:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 10:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 09:12:10 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\S-1-5-21-4280872176-1379788547-4133381378-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\S-1-5-21-4280872176-1379788547-4133381378-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.424
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {8CE11043-9A15-4207-A565-0C94C42D590D}:1.0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/11/02 12:54:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/09 20:25:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/08 03:39:37 | 00,000,000 | ---D | M]

[2009/03/01 02:39:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Extensions
[2009/12/13 21:58:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions
[2009/05/17 23:31:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions\moveplayer@movenetworks.com
[2009/12/13 21:58:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/13 00:03:07 | 00,000,000 | ---D | M] (Internal security) -- C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
[2009/11/19 03:58:20 | 01,253,376 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\k-wbmWctS7-n-g.dll
[2009/12/09 21:07:23 | 00,001,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml

O1 HOSTS File: (7639 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 89.248.168.186 google.ae
O1 - Hosts: 89.248.168.186 google.as
O1 - Hosts: 89.248.168.186 google.at
O1 - Hosts: 89.248.168.186 google.az
O1 - Hosts: 89.248.168.186 google.ba
O1 - Hosts: 89.248.168.186 google.be
O1 - Hosts: 89.248.168.186 google.bg
O1 - Hosts: 89.248.168.186 google.bs
O1 - Hosts: 203 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VoiceCenter] C:\Program Files\Creative\VoiceCenter\AndreaVC.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-19..\Run: [neyelafuvu] C:\WINDOWS\System32\bamutazi.DLL File not found
O4 - HKU\S-1-5-20..\Run: [neyelafuvu] C:\WINDOWS\System32\bamutazi.DLL File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [Google Update] C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1147674304390 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\install.exe: Debugger - svchost.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 01:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{3957ae0e-36a7-11dd-a0c4-00038a000015}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 01:22:48 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53202219457052672)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/14 19:36:37 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
[2009/12/14 19:35:30 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/14 19:35:28 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/14 19:35:28 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/14 19:32:36 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy Nguyen\Desktop\mbam-setup(2).exe
[2009/12/13 00:03:08 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\SystemProc
[2009/12/12 15:54:54 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Andy Nguyen\Desktop\RootRepeal.exe
[2009/12/09 20:28:52 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\System
[2009/12/09 20:28:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla Firefox
[2009/12/09 20:23:32 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\.COMMgr
[2009/12/09 20:21:18 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\WSFHMKGWXED_APDM
[2009/12/09 20:19:49 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\1b12879
[2009/12/03 22:54:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/12/03 22:54:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\Roxio
[2009/12/03 19:22:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/10/12 01:35:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/05/14 13:25:38 | 05,115,704 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 1.5.0.3.exe
[39 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp files -> C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp -> ]
[14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp files -> C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/14 21:08:25 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/14 21:07:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/14 21:07:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/14 21:07:43 | 10,637,14816 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/14 21:06:58 | 04,456,448 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\ntuser.dat
[2009/12/14 21:06:32 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Andy Nguyen\ntuser.ini
[2009/12/14 19:38:05 | 00,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4280872176-1379788547-4133381378-1005UA.job
[2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
[2009/12/14 19:35:33 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 19:33:01 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy Nguyen\Desktop\mbam-setup(2).exe
[2009/12/14 13:47:23 | 00,115,200 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\microbiooxtra.doc
[2009/12/14 13:12:55 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix(2).exe
[2009/12/14 12:52:04 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix.exe
[2009/12/14 12:51:08 | 46,607,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/14 12:51:08 | 00,123,841 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/13 22:02:13 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\dds.scr
[2009/12/13 20:38:01 | 00,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4280872176-1379788547-4133381378-1005Core.job
[2009/12/12 18:00:03 | 00,000,310 | ---- | M] () -- C:\WINDOWS\tasks\SysSchedule.job
[2009/12/12 16:06:01 | 00,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2009/12/12 15:57:43 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\settings.dat
[2009/12/12 15:54:55 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Andy Nguyen\Desktop\RootRepeal.exe
[2009/12/10 10:16:30 | 00,525,462 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/10 10:16:30 | 00,443,910 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/10 10:16:30 | 00,072,652 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/10 09:43:15 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/10 09:36:50 | 00,000,381 | --S- | M] () -- C:\WINDOWS\System32\3188475982.dat
[2009/12/09 21:06:38 | 00,007,639 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/09 20:44:23 | 00,006,811 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.new
[2009/12/07 23:12:57 | 00,071,530 | ---- | M] () -- C:\WINDOWS\War3Unin.dat
[2009/12/07 23:09:32 | 00,035,840 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Study Guide Immune System.doc
[2009/12/07 15:50:07 | 02,470,035 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-07).ipd
[2009/12/07 15:47:39 | 02,479,463 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\LoaderBackup-(2009-12-07).ipd
[2009/12/07 14:02:19 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/03 22:44:49 | 00,263,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/03 21:10:09 | 02,140,492 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-03).ipd
[2009/12/03 19:38:46 | 01,568,834 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BlackberryBackup-(2009-12-03).ipd
[2009/12/03 19:35:57 | 00,000,256 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\pool.bin
[2009/12/03 19:22:51 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/30 15:55:52 | 00,023,040 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Addendum.doc
[2009/11/30 15:17:52 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\AndyPersonalState.doc
[2009/11/25 20:16:21 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/25 20:16:21 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[39 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp files -> C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp -> ]
[14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp files -> C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/14 19:35:33 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 13:47:23 | 00,115,200 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\microbiooxtra.doc
[2009/12/14 13:12:54 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix(2).exe
[2009/12/14 12:52:04 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix.exe
[2009/12/13 22:02:12 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\dds.scr
[2009/12/12 15:57:43 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\settings.dat
[2009/12/09 20:28:58 | 00,000,310 | ---- | C] () -- C:\WINDOWS\tasks\SysSchedule.job
[2009/12/09 20:10:41 | 00,000,381 | --S- | C] () -- C:\WINDOWS\System32\3188475982.dat
[2009/12/07 23:09:30 | 00,035,840 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Study Guide Immune System.doc
[2009/12/07 15:49:53 | 02,470,035 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-07).ipd
[2009/12/07 15:47:39 | 02,479,463 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\LoaderBackup-(2009-12-07).ipd
[2009/12/03 21:09:59 | 02,140,492 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-03).ipd
[2009/12/03 19:38:34 | 01,568,834 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BlackberryBackup-(2009-12-03).ipd
[2009/12/03 19:35:57 | 00,000,256 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\pool.bin
[2009/12/03 19:22:51 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/30 15:55:52 | 00,023,040 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Addendum.doc
[2009/11/30 15:17:52 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\AndyPersonalState.doc
[2009/03/02 14:04:05 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/03/02 14:02:25 | 00,000,227 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/03/02 14:02:25 | 00,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/03/02 14:01:32 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2009/03/02 14:01:29 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2009/03/02 14:01:14 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2006/12/30 04:49:33 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/07/26 02:46:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/11 17:02:28 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\E5647CD50D.sys
[2006/06/11 17:02:27 | 00,003,766 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/05/21 17:08:48 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/11 22:35:55 | 00,006,144 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Application Data\dvd.bmk
[2006/05/11 22:22:08 | 00,000,134 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\fusioncache.dat
[2006/05/04 12:00:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/04 11:55:06 | 00,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/04 11:41:28 | 00,010,820 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/05/04 11:40:37 | 00,022,629 | ---- | C] () -- C:\WINDOWS\System32\CiFilter.ini
[2006/05/04 11:40:12 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/05/04 11:07:02 | 01,355,938 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/05/04 11:06:30 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/05/04 11:06:10 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/05/04 11:06:02 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/05/04 11:05:46 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 05:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 01:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 01:18:35 | 00,282,112 | ---- | C] () -- C:\WINDOWS\System32\sbe(2).dll
[2005/08/05 11:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2001/01/22 02:25:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ATHPRXY(2).DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/10/31 07:56:00 | 00,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
[39 C:\*.tmp files -> C:\*.tmp -> ]


< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 20:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 20:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 19:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 19:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 19:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 02:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 02:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 02:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/10 02:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 02:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 02:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:32 PM

Posted 15 December 2009 - 08:31 AM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKU\S-1-5-19..\Run: [neyelafuvu] C:\WINDOWS\System32\bamutazi.DLL File not found
    O4 - HKU\S-1-5-20..\Run: [neyelafuvu] C:\WINDOWS\System32\bamutazi.DLL File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
    O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)
    O27 - HKLM IFEO\install.exe: Debugger - svchost.exe (Microsoft Corporation)
    [39 C:\*.tmp files -> C:\*.tmp -> ]
    [2 C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp files -> C:\Documents and Settings\Andy Nguyen\Desktop\*.tmp -> ]
    [14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp files -> C:\Documents and Settings\Andy Nguyen\My Documents\*.tmp -> ]
    [2009/12/14 13:12:55 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix(2).exe
    [2009/12/14 12:52:04 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix.exe
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

=================


Next we need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive; please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
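The fix above was assembled by reading the OTL log by eye for a few entry classes: O27 Image File Execution Options "Debugger" redirections, O4 Run entries whose target file no longer exists, alternate data streams on system folders, and the "< MD5 for: ... >" sections that compare a live system file against its Service Pack copy. The script below is an added example (not OTL's code and not part of this thread) that does the same triage over OTL-style lines. The sample log is constructed from lines of the same shape as those posted here; the hash values and the mismatched atapi.sys entry in it are made up.

```python
"""Triage of OTL-style scan log lines (an added example, not OTL's own code).

Flags the entry classes the fix above targeted: Image File Execution Options
"Debugger" hijacks (O27), autorun entries whose target is missing (O4 ...
File not found), alternate data streams, and, from the "< MD5 for: ... >"
sections, a live system32 file whose hash differs from the ServicePackFiles
copy.  The sample log and its hash values are constructed for this example.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O4 - HKU\S-1-5-19..\Run: [neyelafuvu] C:\WINDOWS\System32\bamutazi.DLL File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\install.exe: Debugger - svchost.exe (Microsoft Corporation)
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=AAAA0000 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=AAAA0000 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 20:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=BBBB0000 -- C:\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=CCCC0000 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=DDDD0000 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 19:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=EEEE0000 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
"""

# Line shapes as OTL prints them (only the fields the triage needs are captured).
IFEO_RE = re.compile(r"^O27 - HKLM IFEO\\(?P<image>[^:]+): Debugger - (?P<debugger>\S+)")
RUN_MISSING_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+?) File not found$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
MD5_HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
MD5_ENTRY_RE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]+) -- (?P<path>.+)$")
# The copy Windows actually loads: directly under system32 or system32\drivers.
# Deeper paths such as system32\ReinstallBackups\... are backups, not live copies.
LIVE_COPY_RE = re.compile(r"\\system32\\(?:drivers\\)?[^\\]+$", re.IGNORECASE)
# The reference copy for the installed service pack.
REF_COPY_RE = re.compile(r"\\ServicePackFiles\\i386\\[^\\]+$", re.IGNORECASE)


def triage(log_text):
    """Return a list of (kind, detail...) tuples for entries worth reviewing."""
    findings = []
    md5_blocks = defaultdict(list)  # lower-case file name -> [(md5, path), ...]
    current = None                  # name of the MD5 block being read, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_HEADER_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        if current is not None:
            m = MD5_ENTRY_RE.search(line)
            if m:
                md5_blocks[current].append((m.group("md5").upper(), m.group("path")))
                continue
            current = None          # any other line ends the MD5 block
        m = IFEO_RE.match(line)
        if m:
            findings.append(("ifeo_debugger", m.group("image"), m.group("debugger")))
            continue
        m = RUN_MISSING_RE.match(line)
        if m:
            findings.append(("run_missing_target", m.group("name"), m.group("target")))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(("alternate_data_stream", m.group("path"), int(m.group("size"))))
    # A live copy is suspicious only when it differs from the service-pack copy;
    # the older hashes under C:\i386 or $NtServicePackUninstall$ differ legitimately.
    for entries in md5_blocks.values():
        ref_hashes = {h for h, p in entries if REF_COPY_RE.search(p)}
        for h, p in entries:
            if LIVE_COPY_RE.search(p) and ref_hashes and h not in ref_hashes:
                findings.append(("md5_mismatch", p, h, sorted(ref_hashes)[0]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The output is a review list, not a delete list: IFEO Debugger values are also set by legitimate debugging tools, and an O4 entry whose file is missing may simply be a leftover from an uninstalled program, so each hit still needs the judgement a helper applies before it goes into a fix. The MD5 check deliberately compares the live file only against the ServicePackFiles copy, because the pre-service-pack copies in C:\i386 and $NtServicePackUninstall$ carry different, legitimate hashes, as the sections on this page show.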


========================================================

#7 AndyAndy

AndyAndy
  • Topic Starter

  • Members
  • 18 posts
  • Local time:04:32 PM

Posted 16 December 2009 - 11:40 PM

Hi Sam,

I'd just like to thank you again for your help. Here are the logs requested (I uploaded rather than pasted). Please advise. Thanks!

Attached Files



#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:32 PM

Posted 17 December 2009 - 09:11 AM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.


How is your computer behaving now?


========================================================

#9 AndyAndy

AndyAndy
  • Topic Starter

  • Members
  • 18 posts
  • Local time:04:32 PM

Posted 17 December 2009 - 08:28 PM

Hi Sam, sorry about that. I thought it would be easier organized in the attachments.

The computer seems to have improved significantly in speed; however, while browsing on bleepingcomputer.com here, I did encounter a familiar "google" ad (where they say you can make tons of money at home through Google ads). The ad took up the entire web browser, once, and it was only once. Then, strangely, I arbitrarily tried to google "disneyland", and whatever link I clicked there (including Wikipedia) led me to a "businessbottle.com" site; no matter which of the links I clicked on that Google found under "disneyland", I was redirected there. This also included searches for "blackberry". However, other search topics (such as "espn" and "insurance") did not yield similar results and came out as expected, so I'm assuming my Google is only affected by popular search keywords such as "disneyland" or "blackberry".

Either way, it appears that I have not completely rid myself of my problem.

In any case, once again, I appreciate any help that you may have to offer. Thanks, Sam.



Here are the logs.

This is the first OTL log with the fixes you put in:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\neyelafuvu deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\neyelafuvu deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\ deleted successfully.
C:\WINDOWS\System32\svchost.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\ deleted successfully.
File svchost.exe not found.
C:\Acr14A7.tmp deleted successfully.
C:\Acr14B3.tmp deleted successfully.
C:\Acr14B5.tmp deleted successfully.
C:\Acr14B7.tmp deleted successfully.
C:\Acr1685.tmp deleted successfully.
C:\Acr1687.tmp deleted successfully.
C:\Acr1689.tmp deleted successfully.
C:\Acr168B.tmp deleted successfully.
C:\Acr168D.tmp deleted successfully.
C:\Acr168F.tmp deleted successfully.
C:\Acr1691.tmp deleted successfully.
C:\Acr1693.tmp deleted successfully.
C:\Acr1695.tmp deleted successfully.
C:\Acr1697.tmp deleted successfully.
C:\Acr1699.tmp deleted successfully.
C:\Acr169B.tmp deleted successfully.
C:\Acr16A1.tmp deleted successfully.
C:\Acr16A3.tmp deleted successfully.
C:\Acr16AB.tmp deleted successfully.
C:\Acr16AD.tmp deleted successfully.
C:\Acr16AF.tmp deleted successfully.
C:\Acr16B1.tmp deleted successfully.
C:\Acr16B3.tmp deleted successfully.
C:\Acr16B5.tmp deleted successfully.
C:\Acr16B7.tmp deleted successfully.
C:\Acr16BD.tmp deleted successfully.
C:\Acr16BF.tmp deleted successfully.
C:\Acr16C5.tmp deleted successfully.
C:\Acr16C7.tmp deleted successfully.
C:\Acr16CD.tmp deleted successfully.
C:\Acr16CF.tmp deleted successfully.
C:\Acr16D5.tmp deleted successfully.
C:\Acr16D7.tmp deleted successfully.
C:\Acr16DD.tmp deleted successfully.
C:\Acr16DF.tmp deleted successfully.
C:\Acr16E5.tmp deleted successfully.
C:\Acr16E7.tmp deleted successfully.
C:\Acr16F1.tmp deleted successfully.
C:\Acr16F3.tmp deleted successfully.
C:\Documents and Settings\Andy Nguyen\Desktop\~WRL0004.tmp deleted successfully.
C:\Documents and Settings\Andy Nguyen\Desktop\~WRL0012.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET5EB.tmp deleted successfully.
C:\WINDOWS\System32\SET5EC.tmp deleted successfully.
C:\WINDOWS\System32\SET620.tmp deleted successfully.
C:\WINDOWS\System32\SET622.tmp deleted successfully.
C:\WINDOWS\System32\SET623.tmp deleted successfully.
C:\WINDOWS\System32\SET628.tmp deleted successfully.
C:\WINDOWS\System32\SET62F.tmp deleted successfully.
C:\WINDOWS\System32\SET632.tmp deleted successfully.
C:\WINDOWS\System32\SET638.tmp deleted successfully.
C:\WINDOWS\System32\SET639.tmp deleted successfully.
C:\WINDOWS\System32\SET63A.tmp deleted successfully.
C:\WINDOWS\System32\SET63B.tmp deleted successfully.
C:\WINDOWS\System32\SET63D.tmp deleted successfully.
C:\WINDOWS\003083_.tmp deleted successfully.
C:\Documents and Settings\Andy Nguyen\My Documents\~WRL0005.tmp deleted successfully.
C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix(2).exe moved successfully.
C:\Documents and Settings\Andy Nguyen\Desktop\ComboFix.exe moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Andy Nguyen
->Temp folder emptied: 1766125302 bytes
->Temporary Internet Files folder emptied: 22094388 bytes
->Java cache emptied: 1190295 bytes
->FireFox cache emptied: 998339563 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 13368 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 24005948 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 750655 bytes
RecycleBin emptied: 696 bytes

Total Files Cleaned = -1413.71 mb


OTL by OldTimer - Version 3.1.17.0 log created on 12162009_200908

Files\Folders moved on Reboot...
C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.

Registry entries deleted on Reboot...


=============================

This is the OTL log following the Run Fix.

OTL logfile created on: 12/16/2009 8:19:30 PM - Run 2
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Andy Nguyen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.37 Mb Total Physical Memory | 352.88 Mb Available Physical Memory | 34.79% Memory free
2.38 Gb Paging File | 1.73 Gb Available in Paging File | 72.74% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.80 Gb Total Space | 14.95 Gb Free Space | 30.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHWTJY91
Current User Name: Andy Nguyen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/16 20:13:43 | 00,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\clclean.0001
PRC - [2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
PRC - [2009/12/12 17:00:00 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/12/12 15:53:12 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/08 03:39:24 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/13 22:57:34 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/09/13 22:57:24 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/09/13 22:56:59 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/08/31 11:25:16 | 00,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2008/10/24 09:14:36 | 00,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/07/08 16:41:02 | 02,828,184 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/15 13:11:04 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/11/15 13:10:54 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/03/15 17:16:42 | 00,454,784 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.) -- C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
PRC - [2006/05/04 11:40:57 | 00,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2006/03/10 09:45:12 | 00,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2006/03/08 01:48:02 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/01/09 08:33:24 | 00,417,792 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/01/02 06:13:52 | 01,126,400 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
PRC - [2005/12/19 12:08:42 | 01,347,584 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2005/12/19 12:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2005/12/19 12:08:40 | 01,200,128 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2005/12/15 07:44:52 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
PRC - [2005/12/13 06:45:00 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/12/13 06:41:08 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/12/13 06:41:00 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2005/11/11 18:30:22 | 00,995,328 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2005/10/31 07:51:52 | 00,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005/10/05 00:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 02:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/04/13 02:48:52 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
PRC - [2004/12/02 15:23:34 | 00,102,400 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PRC - [2004/04/07 09:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2003/10/28 23:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/09/09 23:24:00 | 00,020,480 | ---- | M] () -- C:\Program Files\NetWaiting\netwaiting.exe
PRC - [2003/08/01 07:31:06 | 00,061,440 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [1999/12/12 14:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
MOD - [2003/08/01 07:25:02 | 00,006,144 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\idlemon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SSDPSRVAlerter)
SRV - [2009/09/13 22:56:59 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/07/08 12:31:36 | 00,313,840 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2009/07/08 12:31:32 | 00,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2009/07/08 12:31:12 | 01,108,464 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2009/01/21 12:08:06 | 01,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 11:40:56 | 00,348,752 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2007/12/06 23:20:56 | 00,088,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/12/06 23:20:52 | 00,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/11/15 13:10:54 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/05/04 11:40:57 | 00,069,632 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005/12/19 12:08:42 | 00,018,944 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2005/12/15 07:44:52 | 00,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/04/07 09:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [1999/12/12 14:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2009/10/12 01:49:01 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/20 23:22:20 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/13 22:57:33 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/13 22:57:33 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/04/03 10:18:26 | 00,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/03/23 13:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/03/23 13:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/01/09 16:18:02 | 00,027,136 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2008/05/20 18:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb)
DRV - [2008/04/13 10:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/31 14:09:14 | 00,030,464 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/03/22 11:57:14 | 00,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 11:57:14 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/05/04 11:46:37 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/03/08 01:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/01/09 08:39:56 | 01,099,304 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/04 04:41:48 | 01,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/12/13 07:09:34 | 01,364,574 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/12/01 04:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 04:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 04:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/02 16:24:34 | 00,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/10/05 01:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/09/12 00:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 02:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 02:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 02:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 02:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 02:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 02:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 02:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 09:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 09:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 13:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/12 02:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/05 00:32:16 | 00,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/14 07:58:14 | 00,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/07/14 06:28:38 | 00,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 08:00:30 | 00,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/05/25 06:34:00 | 00,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2005/01/10 07:15:00 | 00,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/01/10 07:15:00 | 00,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2004/10/15 13:50:20 | 00,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/09/29 03:24:38 | 00,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/08/10 02:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/10 02:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2004/08/03 19:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/01/10 04:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2003/01/10 13:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 11:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 11:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 11:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 11:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 11:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 10:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 10:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 10:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 10:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 10:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 10:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 10:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 10:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 10:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 10:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 09:12:10 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\S-1-5-21-4280872176-1379788547-4133381378-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\S-1-5-21-4280872176-1379788547-4133381378-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.424
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {8CE11043-9A15-4207-A565-0C94C42D590D}:1.0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/11/02 12:54:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/09 20:25:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/08 03:39:37 | 00,000,000 | ---D | M]

[2009/03/01 02:39:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Extensions
[2009/12/14 22:25:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions
[2009/05/17 23:31:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions\moveplayer@movenetworks.com
[2009/12/14 22:25:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/13 00:03:07 | 00,000,000 | ---D | M] (Internal security) -- C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
[2009/11/19 03:58:20 | 01,253,376 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\k-wbmWctS7-n-g.dll
[2009/12/09 21:07:23 | 00,001,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml

O1 HOSTS File: (98 bytes) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VoiceCenter] C:\Program Files\Creative\VoiceCenter\AndreaVC.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [Google Update] C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4280872176-1379788547-4133381378-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4280872176-1379788547-4133381378-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1147674304390 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 01:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{3957ae0e-36a7-11dd-a0c4-00038a000015}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/16 20:09:08 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/14 19:36:37 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
[2009/12/14 19:35:30 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/14 19:35:28 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/14 19:35:28 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/14 19:32:36 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy Nguyen\Desktop\mbam-setup(2).exe
[2009/12/13 00:03:08 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\SystemProc
[2009/12/12 15:54:54 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Andy Nguyen\Desktop\RootRepeal.exe
[2009/12/09 20:28:52 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\System
[2009/12/09 20:28:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\Mozilla Firefox
[2009/12/09 20:23:32 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andy Nguyen\.COMMgr
[2009/12/09 20:21:18 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\WSFHMKGWXED_APDM
[2009/12/09 20:19:49 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\1b12879
[2009/12/03 22:54:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/12/03 22:54:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy Nguyen\Application Data\Roxio
[2009/12/03 19:22:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/10/12 01:35:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/10/12 01:35:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/05/14 13:25:38 | 05,115,704 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 1.5.0.3.exe

========== Files - Modified Within 30 Days ==========

[2009/12/16 20:14:09 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/16 20:12:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/16 20:12:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/16 20:12:41 | 10,637,14816 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/16 20:11:47 | 04,456,448 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\ntuser.dat
[2009/12/16 20:11:47 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Andy Nguyen\ntuser.ini
[2009/12/16 20:09:27 | 00,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2009/12/14 22:38:00 | 00,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4280872176-1379788547-4133381378-1005UA.job
[2009/12/14 19:36:38 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy Nguyen\Desktop\OTL.exe
[2009/12/14 19:35:33 | 00,000,708 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 19:35:33 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 19:33:01 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy Nguyen\Desktop\mbam-setup(2).exe
[2009/12/14 13:47:23 | 00,115,200 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\microbiooxtra.doc
[2009/12/14 12:51:08 | 46,607,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/14 12:51:08 | 00,123,841 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/13 22:02:13 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\dds.scr
[2009/12/13 20:38:01 | 00,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4280872176-1379788547-4133381378-1005Core.job
[2009/12/12 18:00:03 | 00,000,310 | ---- | M] () -- C:\WINDOWS\tasks\SysSchedule.job
[2009/12/12 16:06:01 | 00,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2009/12/12 15:57:43 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\Desktop\settings.dat
[2009/12/12 15:54:55 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Andy Nguyen\Desktop\RootRepeal.exe
[2009/12/10 10:16:30 | 00,525,462 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/10 10:16:30 | 00,443,910 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/10 10:16:30 | 00,072,652 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/10 09:43:15 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/10 09:36:50 | 00,000,381 | --S- | M] () -- C:\WINDOWS\System32\3188475982.dat
[2009/12/09 20:44:23 | 00,006,811 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.new
[2009/12/07 23:12:57 | 00,071,530 | ---- | M] () -- C:\WINDOWS\War3Unin.dat
[2009/12/07 23:09:32 | 00,035,840 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Study Guide Immune System.doc
[2009/12/07 15:50:07 | 02,470,035 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-07).ipd
[2009/12/07 15:47:39 | 02,479,463 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\LoaderBackup-(2009-12-07).ipd
[2009/12/07 14:02:19 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/03 22:44:49 | 00,263,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/03 21:10:09 | 02,140,492 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-03).ipd
[2009/12/03 19:38:46 | 01,568,834 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BlackberryBackup-(2009-12-03).ipd
[2009/12/03 19:35:57 | 00,000,256 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\pool.bin
[2009/12/03 19:22:51 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/30 15:55:52 | 00,023,040 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Addendum.doc
[2009/11/30 15:17:52 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Andy Nguyen\My Documents\AndyPersonalState.doc
[2009/11/25 20:16:21 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/25 20:16:21 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg

========== Files Created - No Company Name ==========

[2009/12/14 19:35:33 | 00,000,708 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 19:35:33 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 13:47:23 | 00,115,200 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\microbiooxtra.doc
[2009/12/13 22:02:12 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\dds.scr
[2009/12/12 15:57:43 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Desktop\settings.dat
[2009/12/09 20:28:58 | 00,000,310 | ---- | C] () -- C:\WINDOWS\tasks\SysSchedule.job
[2009/12/09 20:10:41 | 00,000,381 | --S- | C] () -- C:\WINDOWS\System32\3188475982.dat
[2009/12/07 23:09:30 | 00,035,840 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Study Guide Immune System.doc
[2009/12/07 15:49:53 | 02,470,035 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-07).ipd
[2009/12/07 15:47:39 | 02,479,463 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\LoaderBackup-(2009-12-07).ipd
[2009/12/03 21:09:59 | 02,140,492 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BBackup-(2009-12-03).ipd
[2009/12/03 19:38:34 | 01,568,834 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\BlackberryBackup-(2009-12-03).ipd
[2009/12/03 19:35:57 | 00,000,256 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\pool.bin
[2009/12/03 19:22:51 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/30 15:55:52 | 00,023,040 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\Addendum.doc
[2009/11/30 15:17:52 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\My Documents\AndyPersonalState.doc
[2009/03/02 14:04:05 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/03/02 14:02:25 | 00,000,227 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/03/02 14:02:25 | 00,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/03/02 14:01:32 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2009/03/02 14:01:29 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2009/03/02 14:01:14 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2006/12/30 04:49:33 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/07/26 02:46:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/11 17:02:28 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\E5647CD50D.sys
[2006/06/11 17:02:27 | 00,003,766 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/05/21 17:08:48 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/11 22:35:55 | 00,006,144 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Application Data\dvd.bmk
[2006/05/11 22:22:08 | 00,000,134 | ---- | C] () -- C:\Documents and Settings\Andy Nguyen\Local Settings\Application Data\fusioncache.dat
[2006/05/04 12:00:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/04 11:55:06 | 00,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/04 11:41:28 | 00,010,820 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/05/04 11:40:37 | 00,022,629 | ---- | C] () -- C:\WINDOWS\System32\CiFilter.ini
[2006/05/04 11:40:12 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/05/04 11:07:02 | 01,355,938 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/05/04 11:06:30 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/05/04 11:06:10 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/05/04 11:06:02 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/05/04 11:05:46 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 05:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 01:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 01:18:35 | 00,282,112 | ---- | C] () -- C:\WINDOWS\System32\sbe(2).dll
[2005/08/05 11:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2001/01/22 02:25:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ATHPRXY(2).DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >


=============================

And this is the TDSS log...



Host Name: DHWTJY91
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Andy Nguyen
Registered Organization:
Product ID: 76487-OEM-0011903-00825
Original Install Date: 5/11/2006, 11:21:53 PM
System Up Time: 0 Days, 0 Hours, 17 Minutes, 8 Seconds
System Manufacturer: Dell Inc.
System Model: MXC061
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 14 Stepping 8 GenuineIntel ~1828 Mhz
BIOS Version: DELL - 27d60310
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,014 MB
Available Physical Memory: 356 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use: 44 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\DHWTJY91
Hotfix(s): 209 Hotfix(s) Installed.
[01]: EmeraldQFE2 - Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: File 1
[86]: File 1
[87]: File 1
[88]: File 1
[89]: File 1
[90]: File 1
[91]: File 1
[92]: Q147222
[93]: KB887998 - QFE
[94]: KB930494 - QFE
[95]: KB953295 - QFE
[96]: SP3 - SP
[97]: M953297 - Update
[98]: S867460 - Update
[99]: KB900325 - Update
[100]: Q827429
[101]: Q927978
[102]: Q936181
[103]: Q954430
[104]: Q973688
[105]: IDNMitigationAPIs - Update
[106]: NLSDownlevelMapping - Update
[107]: KB952069_WM9
[108]: KB954155_WM9
[109]: KB973540_WM9
[110]: KB911565
[111]: KB913800
[112]: KB917734_WMP10
[113]: KB926251
[114]: KB936782_WMP10
[115]: EmeraldQFE2 - Update
[116]: KB925398_WMP64
[117]: KB923689
[118]: KB941569
[119]: KB938127-IE7 - Update
[120]: KB938127-v2-IE7 - Update
[121]: KB956390-IE7 - Update
[122]: KB958215-IE7 - Update
[123]: KB960714-IE7 - Update
[124]: KB961260-IE7 - Update
[125]: KB963027-IE7 - Update
[126]: KB969897-IE7 - Update
[127]: KB972260-IE7 - Update
[128]: KB974455-IE7 - Update
[129]: KB976325-IE7 - Update
[130]: KB976749-IE7 - Update
[131]: KB936929 - Service Pack
[132]: KB953295 - Update
[133]: KB923561 - Update
[134]: KB938464 - Update
[135]: KB938464-v2 - Update
[136]: KB946648 - Update
[137]: KB950759 - Update
[138]: KB950760 - Update
[139]: KB950762 - Update
[140]: KB950974 - Update
[141]: KB951066 - Update
[142]: KB951072-v2 - Update
[143]: KB951376 - Update
[144]: KB951376-v2 - Update
[145]: KB951698 - Update
[146]: KB951748 - Update
[147]: KB951978 - Update
[148]: KB952004 - Update
[149]: KB952287 - Update
[150]: KB952954 - Update
[151]: KB953838 - Update
[152]: KB953839 - Update
[153]: KB954211 - Update
[154]: KB954459 - Update
[155]: KB954550-v5 - Update
[156]: KB954600 - Update
[157]: KB955069 - Update
[158]: KB955839 - Update
[159]: KB956391 - Update
[160]: KB956572 - Update
[161]: KB956744 - Update
[162]: KB956802 - Update
[163]: KB956803 - Update
[164]: KB956841 - Update
[165]: KB957095 - Update
[166]: KB957097 - Update
[167]: KB958644 - Update
[168]: KB958687 - Update
[169]: KB958690 - Update
[170]: KB958869 - Update
[171]: KB959426 - Update
[172]: KB960225 - Update
[173]: KB960715 - Update
[174]: KB960803 - Update
[175]: KB960859 - Update
[176]: KB961118 - Update
[177]: KB961371 - Update
[178]: KB961373 - Update
[179]: KB961501 - Update
[180]: KB967715 - Update
[181]: KB968389 - Update
[182]: KB968537 - Update
[183]: KB969059 - Update
[184]: KB969898 - Update
[185]: KB969947 - Update
[186]: KB970238 - Update
[187]: KB970430 - Update
[188]: KB970653-v3 - Update
[189]: KB971486 - Update
[190]: KB971557 - Update
[191]: KB971633 - Update
[192]: KB971657 - Update
[193]: KB971737 - Update
[194]: KB973346 - Update
[195]: KB973354 - Update
[196]: KB973507 - Update
[197]: KB973525 - Update
[198]: KB973687 - Update
[199]: KB973815 - Update
[200]: KB973869 - Update
[201]: KB973904 - Update
[202]: KB974112 - Update
[203]: KB974318 - Update
[204]: KB974392 - Update
[205]: KB974571 - Update
[206]: KB975025 - Upda

NetWork Card(s): 3 NIC(s) Installed.
[01]: Broadcom 440x 10/100 Integrated Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Dell Wireless 1390 WLAN Mini-Card
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.0.1
IP address(es)
[01]: 192.168.0.100
[03]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
20:29:19:171 3868 ForceUnloadDriver: NtUnloadDriver error 2
20:29:19:171 3868 ForceUnloadDriver: NtUnloadDriver error 2
20:29:19:171 3868 ForceUnloadDriver: NtUnloadDriver error 2
20:29:19:171 3868 main: Driver KLMD successfully dropped
20:29:19:359 3868 main: Driver KLMD successfully loaded
20:29:19:359 3868
Scanning Registry ...
20:29:19:375 3868 ScanServices: Searching service UACd.sys
20:29:19:375 3868 ScanServices: Open/Create key error 2
20:29:19:375 3868 ScanServices: Searching service TDSSserv.sys
20:29:19:375 3868 ScanServices: Open/Create key error 2
20:29:19:375 3868 ScanServices: Searching service gaopdxserv.sys
20:29:19:375 3868 ScanServices: Open/Create key error 2
20:29:19:375 3868 ScanServices: Searching service gxvxcserv.sys
20:29:19:375 3868 ScanServices: Open/Create key error 2
20:29:19:375 3868 ScanServices: Searching service MSIVXserv.sys
20:29:19:375 3868 ScanServices: Open/Create key error 2
20:29:19:390 3868 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
20:29:19:390 3868 UnhookRegistry: Kernel local addr: E40000
20:29:19:406 3868 UnhookRegistry: KeServiceDescriptorTable addr: EC5700
20:29:19:484 3868 UnhookRegistry: KiServiceTable addr: E6D460
20:29:19:500 3868 UnhookRegistry: NtEnumerateKey service number (local): 47
20:29:19:500 3868 UnhookRegistry: NtEnumerateKey local addr: F8CFF2
20:29:19:500 3868 KLMD_OpenDevice: Trying to open KLMD device
20:29:19:500 3868 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
20:29:19:500 3868 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
20:29:19:500 3868 UnhookRegistry: NtEnumerateKey service number (kernel): 47
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
20:29:19:500 3868 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
20:29:19:500 3868 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
20:29:19:500 3868 UnhookRegistry: No SDT hooks found on NtEnumerateKey
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
20:29:19:500 3868 UnhookRegistry: No splicing found on NtEnumerateKey
20:29:19:500 3868
Scanning Kernel memory ...
20:29:19:500 3868 KLMD_OpenDevice: Trying to open KLMD device
20:29:19:500 3868 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
20:29:19:500 3868 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:29:19:500 3868 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86FC52E8
20:29:19:500 3868 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
20:29:19:500 3868 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86FCFC68
20:29:19:500 3868 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FCFC68
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FCFC68[0x38]
20:29:19:500 3868 DetectCureTDL3: DRIVER_OBJECT addr: 86FC52E8
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FC52E8[0xA8]
20:29:19:500 3868 KLMD_ReadMem: Trying to ReadMemory 0xE1001638[0x208]
20:29:19:500 3868 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:29:19:500 3868 DetectCureTDL3: IrpHandler (0) addr: F7603BB0
20:29:19:500 3868 DetectCureTDL3: IrpHandler (1) addr: 804F4562
20:29:19:500 3868 DetectCureTDL3: IrpHandler (2) addr: F7603BB0
20:29:19:500 3868 DetectCureTDL3: IrpHandler (3) addr: F75FDD1F
20:29:19:515 3868 DetectCureTDL3: IrpHandler (4) addr: F75FDD1F
20:29:19:515 3868 DetectCureTDL3: IrpHandler (5) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (6) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (7) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (8) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (9) addr: F75FE2E2
20:29:19:515 3868 DetectCureTDL3: IrpHandler (10) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (11) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (12) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (13) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (14) addr: F75FE3BB
20:29:19:515 3868 DetectCureTDL3: IrpHandler (15) addr: F7601F28
20:29:19:515 3868 DetectCureTDL3: IrpHandler (16) addr: F75FE2E2
20:29:19:515 3868 DetectCureTDL3: IrpHandler (17) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (18) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (19) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (20) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (21) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (22) addr: F75FFC82
20:29:19:515 3868 DetectCureTDL3: IrpHandler (23) addr: F760499E
20:29:19:515 3868 DetectCureTDL3: IrpHandler (24) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (25) addr: 804F4562
20:29:19:515 3868 DetectCureTDL3: IrpHandler (26) addr: 804F4562
20:29:19:515 3868 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:29:19:515 3868 KLMD_ReadMem: DeviceIoControl error 1
20:29:19:515 3868 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:29:19:515 3868 TDL3_FileDetect: Processing driver: Disk
20:29:19:515 3868 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
20:29:19:515 3868 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
20:29:19:515 3868 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
20:29:19:625 3868 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86F75C68
20:29:19:625 3868 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F75C68
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x86F75C68[0x38]
20:29:19:625 3868 DetectCureTDL3: DRIVER_OBJECT addr: 86FC52E8
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FC52E8[0xA8]
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0xE1001638[0x208]
20:29:19:625 3868 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:29:19:625 3868 DetectCureTDL3: IrpHandler (0) addr: F7603BB0
20:29:19:625 3868 DetectCureTDL3: IrpHandler (1) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (2) addr: F7603BB0
20:29:19:625 3868 DetectCureTDL3: IrpHandler (3) addr: F75FDD1F
20:29:19:625 3868 DetectCureTDL3: IrpHandler (4) addr: F75FDD1F
20:29:19:625 3868 DetectCureTDL3: IrpHandler (5) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (6) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (7) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (8) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (9) addr: F75FE2E2
20:29:19:625 3868 DetectCureTDL3: IrpHandler (10) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (11) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (12) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (13) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (14) addr: F75FE3BB
20:29:19:625 3868 DetectCureTDL3: IrpHandler (15) addr: F7601F28
20:29:19:625 3868 DetectCureTDL3: IrpHandler (16) addr: F75FE2E2
20:29:19:625 3868 DetectCureTDL3: IrpHandler (17) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (18) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (19) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (20) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (21) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (22) addr: F75FFC82
20:29:19:625 3868 DetectCureTDL3: IrpHandler (23) addr: F760499E
20:29:19:625 3868 DetectCureTDL3: IrpHandler (24) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (25) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (26) addr: 804F4562
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:29:19:625 3868 KLMD_ReadMem: DeviceIoControl error 1
20:29:19:625 3868 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:29:19:625 3868 TDL3_FileDetect: Processing driver: Disk
20:29:19:625 3868 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
20:29:19:625 3868 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
20:29:19:625 3868 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
20:29:19:625 3868 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86EF9C68
20:29:19:625 3868 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EF9C68
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x86EF9C68[0x38]
20:29:19:625 3868 DetectCureTDL3: DRIVER_OBJECT addr: 86FC52E8
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FC52E8[0xA8]
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0xE1001638[0x208]
20:29:19:625 3868 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:29:19:625 3868 DetectCureTDL3: IrpHandler (0) addr: F7603BB0
20:29:19:625 3868 DetectCureTDL3: IrpHandler (1) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (2) addr: F7603BB0
20:29:19:625 3868 DetectCureTDL3: IrpHandler (3) addr: F75FDD1F
20:29:19:625 3868 DetectCureTDL3: IrpHandler (4) addr: F75FDD1F
20:29:19:625 3868 DetectCureTDL3: IrpHandler (5) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (6) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (7) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (8) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (9) addr: F75FE2E2
20:29:19:625 3868 DetectCureTDL3: IrpHandler (10) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (11) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (12) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (13) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (14) addr: F75FE3BB
20:29:19:625 3868 DetectCureTDL3: IrpHandler (15) addr: F7601F28
20:29:19:625 3868 DetectCureTDL3: IrpHandler (16) addr: F75FE2E2
20:29:19:625 3868 DetectCureTDL3: IrpHandler (17) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (18) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (19) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (20) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (21) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (22) addr: F75FFC82
20:29:19:625 3868 DetectCureTDL3: IrpHandler (23) addr: F760499E
20:29:19:625 3868 DetectCureTDL3: IrpHandler (24) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (25) addr: 804F4562
20:29:19:625 3868 DetectCureTDL3: IrpHandler (26) addr: 804F4562
20:29:19:625 3868 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:29:19:625 3868 KLMD_ReadMem: DeviceIoControl error 1
20:29:19:625 3868 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:29:19:625 3868 TDL3_FileDetect: Processing driver: Disk
20:29:19:625 3868 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
20:29:19:625 3868 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
20:29:19:625 3868 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
20:29:19:640 3868 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86EFAAB8
20:29:19:640 3868 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EFAAB8
20:29:19:640 3868 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86FD2940
20:29:19:640 3868 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD2940
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FD2940[0x38]
20:29:19:640 3868 DetectCureTDL3: DRIVER_OBJECT addr: 86F78200
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86F78200[0xA8]
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FD3030[0x38]
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86FD48A8[0xA8]
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0xE10191A0[0x208]
20:29:19:640 3868 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:29:19:640 3868 DetectCureTDL3: IrpHandler (0) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (1) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (2) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (3) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (4) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (5) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (6) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (7) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (8) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (9) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (10) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (11) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (12) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (13) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (14) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (15) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (16) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (17) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (18) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (19) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (20) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (21) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (22) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (23) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (24) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (25) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: IrpHandler (26) addr: 86F01618
20:29:19:640 3868 DetectCureTDL3: All IRP handlers pointed to one addr: 86F01618
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86F01618[0x400]
20:29:19:640 3868 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
20:29:19:640 3868 Driver "atapi" Irp handler infected by TDSS rootkit ... 20:29:19:640 3868 KLMD_WriteMem: Trying to WriteMemory 0x86F0167D[0xD]
20:29:19:640 3868 cured
20:29:19:640 3868 KLMD_ReadMem: Trying to ReadMemory 0x86F014BF[0x400]
20:29:19:640 3868 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
20:29:19:640 3868 Driver "atapi" StartIo handler infected by TDSS rootkit ... 20:29:19:640 3868 TDL3_StartIoHookCure: Number of patches 1
20:29:19:640 3868 KLMD_WriteMem: Trying to WriteMemory 0x86F015B6[0x6]
20:29:19:640 3868 cured
20:29:19:640 3868 TDL3_FileDetect: Processing driver: atapi
20:29:19:640 3868 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
20:29:19:640 3868 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
20:29:19:640 3868 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
20:29:19:656 3868 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 20:29:19:656 3868 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
20:29:19:656 3868 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
20:29:19:671 3868 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
20:29:19:734 3868 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
20:29:19:734 3868 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
20:29:19:734 3868 will be cured on next reboot
20:29:19:734 3868
Completed

Results:
20:29:19:734 3868 Infected objects in memory: 2
20:29:19:734 3868 Cured objects in memory: 2
20:29:19:734 3868 Infected objects on disk: 1
20:29:19:734 3868 Objects on disk cured on reboot: 1
20:29:19:734 3868 Objects on disk deleted on reboot: 0
20:29:19:734 3868 Registry nodes deleted on reboot: 0
20:29:19:734 3868
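The TDSSKiller output above shows the first test it applied to each driver's dispatch table: disk.sys had eight distinct handler addresses, while every one of the 27 slots read for atapi pointed at a single address (86F01618), which the tool reported as "All IRP handlers pointed to one addr" before confirming and curing the hook. As an added example (not TDSSKiller's code), here is a small Python parser that applies the same check to log lines in that format; the sample log is constructed from the handler addresses quoted above.

```python
import re
from collections import OrderedDict

# TDSSKiller read 27 dispatch slots (IrpHandler (0) .. (26)) per driver in the log above.
IRP_SLOTS = 27

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")


def parse_irp_tables(log_text):
    """Return {driver_name: {slot: handler_address}} from TDSSKiller-style log lines.
    A DRIVER_OBJECT line opens a table; the IrpHandler lines that follow fill it."""
    tables = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = {}
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return tables


def check_irp_table(handlers, expected=IRP_SLOTS):
    """The heuristic TDSSKiller reported for atapi: a dispatch table in which every
    slot points at the same address.  A real driver implements a handful of majors
    itself and leaves the rest pointing at one shared kernel routine (disk.sys above:
    seven routines of its own plus 804F4562), so a single address for all slots means
    the table has been overwritten.  Returns (verdict, detail)."""
    if len(handlers) < expected:
        return ("incomplete", "only %d of %d handlers read" % (len(handlers), expected))
    distinct = sorted(set(handlers.values()))
    if len(distinct) == 1:
        return ("hooked", "all %d handlers -> %08X" % (expected, distinct[0]))
    return ("clean", "%d distinct handler addresses" % len(distinct))


# Constructed sample log in TDSSKiller's layout.  The addresses are the ones printed
# above for disk.sys (clean) and atapi.sys (hooked, all slots -> 86F01618).
DISK_HANDLERS = ["F7603BB0", "804F4562", "F7603BB0", "F75FDD1F", "F75FDD1F",
                 "804F4562", "804F4562", "804F4562", "804F4562", "F75FE2E2",
                 "804F4562", "804F4562", "804F4562", "804F4562", "F75FE3BB",
                 "F7601F28", "F75FE2E2", "804F4562", "804F4562", "804F4562",
                 "804F4562", "804F4562", "F75FFC82", "F760499E", "804F4562",
                 "804F4562", "804F4562"]
ATAPI_HANDLERS = ["86F01618"] * IRP_SLOTS


def render_log(driver, handlers, stamp="20:29:19:640 3868"):
    """Emit one driver block in the same layout TDSSKiller uses."""
    lines = ["%s DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\%s, Driver Name: %s"
             % (stamp, driver, driver)]
    lines += ["%s DetectCureTDL3: IrpHandler (%d) addr: %s" % (stamp, i, a)
              for i, a in enumerate(handlers)]
    return "\n".join(lines)


SAMPLE_LOG = render_log("Disk", DISK_HANDLERS) + "\n" + render_log("atapi", ATAPI_HANDLERS)


def scan(log_text=SAMPLE_LOG):
    """Run the check over every driver table found in the log."""
    return {name: check_irp_table(h) for name, h in parse_irp_tables(log_text).items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan().items():
        print("%-6s %-10s %s" % (name, verdict, detail))
```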

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:32 PM

Posted 18 December 2009 - 08:30 AM

Please download ComboFix from this link:

Combofix


Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 AndyAndy

AndyAndy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 18 December 2009 - 10:16 PM

Hi Sam.

Interesting thing happened when I tried running ComboFix...it told me to stop all virus scanners...AVG...I did...in fact, I did that prior to running the program...however, another window from ComboFix popped up asking me to shut down AVG...when I had already turned it off...not knowing what else to do, I went ahead and scanned...

Well, here is the log...thanks Sam.

ComboFix 09-12-18.01 - Andy Nguyen 12/18/2009 17:49:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.499 [GMT -8:00]
Running from: c:\documents and settings\Andy Nguyen\Desktop\KittyFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ANDYNG~1\LOCALS~1\Temp\clclean.0001.dir.0002\~df394b.tmp
c:\documents and settings\Andy Nguyen\Local Settings\Temp\clclean.0001.dir.0002\~df394b.tmp
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\EventSystem.log
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\3188475982.dat
c:\windows\system32\ATHPRXY(2).DLL
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\Data
c:\windows\system32\nobalulo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSDPSRVALERTER
-------\Service_SSDPSRVAlerter


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-17 04:29 . 2009-12-17 04:29 96512 ----a-w- c:\windows\system32\drivers\tsk_atapi.sys
2009-12-17 04:29 . 2009-12-17 04:29 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-17 04:09 . 2009-12-17 04:09 -------- d-----w- C:\_OTL
2009-12-15 03:35 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 03:35 . 2009-12-15 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 03:35 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 08:03 . 2009-12-13 08:03 -------- d-sh--w- c:\documents and settings\Andy Nguyen\Application Data\SystemProc
2009-12-10 04:28 . 2009-12-13 22:05 -------- d-sh--w- c:\documents and settings\Andy Nguyen\Application Data\System
2009-12-10 04:28 . 2009-12-10 04:28 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\Mozilla Firefox
2009-12-10 04:23 . 2009-12-10 05:07 -------- d-sh--w- c:\documents and settings\Andy Nguyen\.COMMgr
2009-12-10 04:21 . 2009-12-10 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSFHMKGWXED_APDM
2009-12-10 04:19 . 2009-12-13 01:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\1b12879
2009-12-04 06:54 . 2009-12-04 06:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-12-04 06:54 . 2009-12-04 07:03 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\Roxio
2009-12-04 03:35 . 2009-12-04 03:35 256 ----a-w- c:\documents and settings\Andy Nguyen\pool.bin
2009-12-04 03:22 . 2009-12-04 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 01:59 . 2009-04-28 22:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-19 01:09 . 2008-09-19 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-17 04:31 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-13 08:03 . 2009-12-13 08:03 58880 --sh--w- c:\documents and settings\Andy Nguyen\Application Data\SystemProc\lsass.exe
2009-12-13 01:01 . 2009-04-29 02:46 117760 ----a-w- c:\documents and settings\Andy Nguyen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-13 01:00 . 2009-04-29 02:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 00:06 . 2008-10-20 06:28 256 ----a-w- c:\windows\system32\pool.bin
2009-12-10 06:55 . 2006-05-04 19:52 -------- d-----w- c:\program files\Trend Micro
2009-12-10 05:18 . 2009-12-10 05:49 180010 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-08 08:59 . 2006-05-16 03:46 -------- d-----w- c:\program files\Warcraft III
2009-12-08 07:12 . 2006-05-16 03:50 71530 ----a-w- c:\windows\War3Unin.dat
2009-12-07 23:42 . 2006-05-16 03:31 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\AdobeUM
2009-12-04 07:03 . 2008-10-20 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-12-04 06:30 . 2006-05-04 19:39 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-04 06:29 . 2006-05-04 19:55 -------- d-----w- c:\program files\Roxio
2009-12-04 06:28 . 2006-05-04 19:39 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-04 03:25 . 2008-10-20 01:48 -------- d-----w- c:\program files\Research In Motion
2009-12-04 03:22 . 2008-10-20 01:48 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-26 04:03 . 2009-12-12 23:53 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 04:03 . 2009-12-12 23:53 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-26 04:03 . 2009-12-12 23:53 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-19 20:37 . 2007-11-28 06:57 -------- d-----w- c:\program files\PokerStars
2009-11-11 08:28 . 2009-11-11 08:28 247280 ----a-w- c:\documents and settings\Andy Nguyen\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-08 11:39 . 2009-12-10 04:21 457688 ----a-w- c:\documents and settings\All Users\Application Data\1b12879\sqlite3.dll
2009-11-08 11:39 . 2009-12-10 04:21 722392 ----a-w- c:\documents and settings\All Users\Application Data\1b12879\mozcrt19.dll
2009-10-29 07:46 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-22 11:24 . 2009-10-22 11:24 -------- d-----r- c:\documents and settings\Andy Nguyen\Application Data\Brother
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 09:49 . 2009-10-12 09:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2006-05-14 21:26 . 2006-05-14 21:25 5115704 ----a-w- c:\program files\Firefox Setup 1.5.0.3.exe
2009-11-19 11:58 . 2009-12-10 04:25 1253376 ----a-w- c:\program files\mozilla firefox\components\k-wbmWctS7-n-g.dll
2007-04-14 03:15 . 2006-06-12 01:02 88 --sh--r- c:\windows\system32\E5647CD50D.sys
2007-04-14 03:15 . 2006-06-12 01:02 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2009-12-17 04:31 . 2D8CB6936603BE67F44A008DF7956BDD . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-13 2001648]
"Google Update"="c:\documents and settings\Andy Nguyen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-01-09 417792]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-03-10 35328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"SetDefPrt"="c:\program files\Brother\Brmfl05c\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-21 07:22 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-14 06:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Andy Nguyen\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Documents and Settings\\Andy Nguyen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Andy Nguyen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2009 2:47 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/5/2008 6:47 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 1:49 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/5/2008 6:47 PM 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2009 2:46 PM 348752]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\k-wbmWctS7-n-g.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\\mtsAxInstaller.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\docume~1\ANDYNG~1\LOCALS~1\Temp\clclean.0001
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-18 18:09:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 02:08

Pre-Run: 15,833,374,720 bytes free
Post-Run: 15,723,438,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - D42A6FB9AA093A19DEDEF8AE4E4733BD

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:32 PM

Posted 19 December 2009 - 11:44 AM

That happens sometimes with Combofix. You did exactly the right thing by making sure AVG was disabled and then running it. :(

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
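The Sigcheck section of the ComboFix log above shows why the FCopy:: script works: the live c:\windows\system32\drivers\atapi.sys has a different MD5 from the Service Pack copy at the same size (96512 bytes) and no readable version, while the $NtServicePackUninstall$ and ReinstallBackups copies are an older build. As an added example (not ComboFix's or the forum's code), this Python parser reads Sigcheck lines, flags a system file whose hash matches none of the pristine backup copies, and renders the FCopy:: block that restores it from the newest backup; the sample input is the four lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the four Sigcheck lines ComboFix printed for atapi.sys above.
SIGCHECK_SAMPLE = r"""
[-] 2009-12-17 04:31 . 2D8CB6936603BE67F44A008DF7956BDD . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
""".strip("\n")

# One Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)(?: \d\d:\d\d)? \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+?)\s*$")

# Directories where Windows keeps pristine copies; any other copy is the live file.
BACKUP_MARKERS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\",
                  "\\reinstallbackups\\", "\\dllcache\\")


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_backup(path):
    return any(marker in path.lower() for marker in BACKUP_MARKERS)


def version_key(version):
    """'5.1.2600.5512' -> (5, 1, 2600, 5512); '------' (no version resource) -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_replaced_system_files(entries):
    """Group Sigcheck entries by file name and report every live copy whose MD5
    matches none of the backup copies.  Each finding names the newest backup
    (highest file version) as the restore source, or None when there is no backup."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for name, group in sorted(groups.items()):
        backups = [e for e in group if is_backup(e["path"])]
        good = {b["md5"] for b in backups}
        source = max(backups, key=lambda b: version_key(b["version"]), default=None)
        for live in (e for e in group if not is_backup(e["path"])):
            if live["md5"] in good:
                continue
            findings.append({
                "name": name,
                "live": live["path"],
                "live_md5": live["md5"],
                "live_version": live["version"],
                # Same size as the pristine build but a different hash: the file was
                # patched in place rather than swapped for another build.
                "same_size_as_source": source is not None and live["size"] == source["size"],
                "source": source["path"] if source else None,
            })
    return findings


def fcopy_script(findings):
    """Render the CFScript FCopy:: block that restores each flagged file from its
    backup copy, in the form used in the reply above."""
    lines = ["FCopy::"]
    lines += ["%s | %s" % (f["source"], f["live"]) for f in findings if f["source"]]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_replaced_system_files(parse_sigcheck(SIGCHECK_SAMPLE))
    for f in found:
        print("%s: live copy %s (version %s) matches no backup; same size as source: %s"
              % (f["name"], f["live_md5"], f["live_version"], f["same_size_as_source"]))
    print(fcopy_script(found))
```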


========================================================

#13 AndyAndy

AndyAndy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 19 December 2009 - 08:15 PM

Hi Sam,

I'm still redirected when I search and click on links such as "disneyland" and "blackberry" (on Google)...I also still have that takeover type ad...(ad served by primawega)...

...am I doing something wrong?

Here is the log...

Thanks again for your help, Sam.

ComboFix 09-12-18.01 - Andy Nguyen 12/19/2009 16:34:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.232 [GMT -8:00]
Running from: c:\documents and settings\Andy Nguyen\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\Andy Nguyen\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ANDYNG~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Andy Nguyen\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-17 04:29 . 2009-12-17 04:29 96512 ----a-w- c:\windows\system32\drivers\tsk_atapi.sys
2009-12-17 04:29 . 2009-12-17 04:29 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-17 04:09 . 2009-12-17 04:09 -------- d-----w- C:\_OTL
2009-12-15 03:35 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 03:35 . 2009-12-15 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 03:35 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 08:03 . 2009-12-13 08:03 -------- d-sh--w- c:\documents and settings\Andy Nguyen\Application Data\SystemProc
2009-12-13 08:03 . 2009-12-13 08:03 58880 --sh--w- c:\documents and settings\Andy Nguyen\Application Data\SystemProc\lsass.exe
2009-12-12 23:53 . 2009-11-26 04:03 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-12 23:53 . 2009-11-26 04:03 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-12 23:53 . 2009-11-26 04:03 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-10 04:28 . 2009-12-13 22:05 -------- d-sh--w- c:\documents and settings\Andy Nguyen\Application Data\System
2009-12-10 04:28 . 2009-12-10 04:28 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\Mozilla Firefox
2009-12-10 04:23 . 2009-12-10 05:07 -------- d-sh--w- c:\documents and settings\Andy Nguyen\.COMMgr
2009-12-10 04:21 . 2009-12-10 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSFHMKGWXED_APDM
2009-12-10 04:21 . 2009-11-08 11:39 457688 ----a-w- c:\documents and settings\All Users\Application Data\1b12879\sqlite3.dll
2009-12-10 04:21 . 2009-11-08 11:39 722392 ----a-w- c:\documents and settings\All Users\Application Data\1b12879\mozcrt19.dll
2009-12-10 04:19 . 2009-12-13 01:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\1b12879
2009-12-04 06:54 . 2009-12-04 06:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-12-04 06:54 . 2009-12-04 07:03 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\Roxio
2009-12-04 03:35 . 2009-12-04 03:35 256 ----a-w- c:\documents and settings\Andy Nguyen\pool.bin
2009-12-04 03:22 . 2009-12-04 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 01:59 . 2009-04-28 22:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-19 01:09 . 2008-09-19 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-13 01:01 . 2009-04-29 02:46 117760 ----a-w- c:\documents and settings\Andy Nguyen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-13 01:00 . 2009-04-29 02:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 00:06 . 2008-10-20 06:28 256 ----a-w- c:\windows\system32\pool.bin
2009-12-10 06:55 . 2006-05-04 19:52 -------- d-----w- c:\program files\Trend Micro
2009-12-10 05:18 . 2009-12-10 05:49 180010 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-08 08:59 . 2006-05-16 03:46 -------- d-----w- c:\program files\Warcraft III
2009-12-08 07:12 . 2006-05-16 03:50 71530 ----a-w- c:\windows\War3Unin.dat
2009-12-07 23:42 . 2006-05-16 03:31 -------- d-----w- c:\documents and settings\Andy Nguyen\Application Data\AdobeUM
2009-12-04 07:03 . 2008-10-20 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-12-04 06:30 . 2006-05-04 19:39 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-04 06:29 . 2006-05-04 19:55 -------- d-----w- c:\program files\Roxio
2009-12-04 06:28 . 2006-05-04 19:39 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-04 03:25 . 2008-10-20 01:48 -------- d-----w- c:\program files\Research In Motion
2009-12-04 03:22 . 2008-10-20 01:48 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-19 20:37 . 2007-11-28 06:57 -------- d-----w- c:\program files\PokerStars
2009-11-11 08:28 . 2009-11-11 08:28 247280 ----a-w- c:\documents and settings\Andy Nguyen\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-10-29 07:46 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-22 11:24 . 2009-10-22 11:24 -------- d-----r- c:\documents and settings\Andy Nguyen\Application Data\Brother
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 09:49 . 2009-10-12 09:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2006-05-14 21:26 . 2006-05-14 21:25 5115704 ----a-w- c:\program files\Firefox Setup 1.5.0.3.exe
2009-11-19 11:58 . 2009-12-10 04:25 1253376 ----a-w- c:\program files\mozilla firefox\components\k-wbmWctS7-n-g.dll
2007-04-14 03:15 . 2006-06-12 01:02 88 --sh--r- c:\windows\system32\E5647CD50D.sys
2007-04-14 03:15 . 2006-06-12 01:02 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-13 2001648]
"Google Update"="c:\documents and settings\Andy Nguyen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-01-09 417792]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-03-10 35328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"SetDefPrt"="c:\program files\Brother\Brmfl05c\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-21 07:22 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-14 06:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Andy Nguyen\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Documents and Settings\\Andy Nguyen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Andy Nguyen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2009 2:47 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/5/2008 6:47 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 1:49 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/5/2008 6:47 PM 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2009 2:46 PM 348752]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\k-wbmWctS7-n-g.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Application Data\Mozilla\Firefox\Profiles\eantkkfp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Andy Nguyen\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-12-19 16:45:27
ComboFix-quarantined-files.txt 2009-12-20 00:45
ComboFix2.txt 2009-12-19 02:09

Pre-Run: 15,759,077,376 bytes free
Post-Run: 15,761,584,128 bytes free

- - End Of File - - 3531771C39D81C01732510549048A8C4

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:32 PM

Posted 20 December 2009 - 08:34 AM

You're not doing anything wrong. It appears that you've multiple infections and every time we fix one there's still another.

Open Firefox and install the Mr Tech Toolkit extension from here.
https://addons.mozilla.org/en-US/firefox/addon/421

Once installed, restart Firefox as prompted.
Click Tools -> My Config -> Save - Text
Save the report to your desktop.
Please copy and paste the contents of that report.


==============



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 AndyAndy

AndyAndy
  • Topic Starter

  • Members
  • 18 posts
  • Local time:04:32 PM

Posted 20 December 2009 - 09:44 PM

Hi Sam,

Here are the logs/reports requested...

I'm still getting the redirections and the "ad served by Primawega".

===========================================


Generated: Sun Dec 20 2009 16:56:13 GMT-0800 (Pacific Standard Time)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox[xSP_2:c979c055415a1a5c40b1927277c97e64_249] 79880603 (.NET CLR 3.5.30729)
Build ID: 20091201220228

Enabled Extensions: [5]
- AVG Safe Search 8.5.0.424: http://www.avg.com
- Internal security 1.0: http://www.google.com/search?q=Firefox%20Internal%20security
- Microsoft .NET Framework Assistant 1.1: http://www.windowsclient.net/
- Move Media Player 1.0.0.071303000006: http://www.movenetworks.com/
- MR Tech Toolkit 6.0.4: http://www.mrtech.com/extensions/

Installed Themes: [1]
- Default: http://www.mozilla.org/

Installed Plugins: (13)
- Adobe Acrobat
- DivX Content Upload Plugin
- DivX Web Player
- Google Talk Plugin
- Google Update
- iTunes Application Detector
- Java™ 2 Platform Standard Edition 5.0 Update 3
- Move Media Player
- Mozilla Default Plug-in
- QuickTime Plug-in 7.3
- RIM Handheld Application Loader
- Shockwave Flash
- Windows Presentation Foundation


=======================================

Malwarebytes' Anti-Malware 1.42
Database version: 3399
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/20/2009 6:32:21 PM
mbam-log-2009-12-20 (18-32-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 211988
Time elapsed: 1 hour(s), 27 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Andy Nguyen\Application Data\SystemProc\lsass.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1150\A0216441.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



