
google redirects to random ad sites in IE


  • This topic is locked
8 replies to this topic

#1 raydopey

  • Members
  • 5 posts

Posted 26 January 2010 - 09:02 PM

Sometime today, I noticed that my google searches started redirecting me to some weird search engines full of ads or some ad sites. I also found that my system restore had been disabled. Basically, this is what I did:

1) Deleted cookies and temp internet files.
2) Ran prefetch and cleared the folder.
3) Ran %temp% and cleared the folder.
4) Ran Malwarebytes (which found some malware) and deleted the items.
5) Ran Hijackthis and analysed it on hijackthis.de - didn't show any discrepancies.
6) Used gpedit and enabled system restore - started the service.
7) Retried a google search - the issue still occurred.
8) Ran Trendmicro housecall (which found some malware as well) and deleted the infected files.
9) Retried the google search - no go.

"dds.txt"


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 1:36:19.64 on 27/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.64 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\PCguard\rps.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Virgin Broadband Wireless\wpa_supplicant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title =
mWindow Title =
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [C-Media Mixer] Mixer.exe /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\zyxel g-202 wireless adapter utility\ZyXEL G-202.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190640726234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5718/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2t32705l.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com?o=15153&l=dis
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\2t32705l.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\2t32705l.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\virgin broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-12-16 32512]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2009-7-29 19072]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2009-7-29 437760]
S0 lgej;lgej;c:\windows\system32\drivers\maqajk.sys --> c:\windows\system32\drivers\maqajk.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-5 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-5 29208]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2009-7-29 20608]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-24 34248]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2008-1-17 299904]

=============== Created Last 30 ================

2010-01-26 19:02:07 28672 ----a-w- c:\windows\system32\tdlcmd.dll
2010-01-26 17:22:42 0 ----a-w- c:\windows\system32\8104297.jun
2010-01-26 17:22:38 0 d-----w- c:\program files\Browser Hijack Recover
2010-01-25 12:15:15 0 d-----w- c:\docume~1\user\applic~1\Office Genuine Advantage
2010-01-24 05:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-01-24 05:05:25 0 d-----w- c:\program files\McAfee Security Scan
2010-01-22 13:33:26 0 d-----w- c:\windows\pss
2010-01-21 12:14:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-01-21 12:14:25 0 d-----w- c:\program files\Security Task Manager
2010-01-18 21:16:36 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 16:45:34 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca9081ff50384e.mof
2009-12-30 09:09:03 34 ----a-w- C:\Autorun.inf

==================== Find3M ====================

2010-01-13 09:30:59 14276 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-13 09:30:59 141600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-13 09:30:58 96092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-13 09:30:58 7094560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-03 16:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 04:35:56 2822 ----a-w- c:\windows\system32\tmp.reg
2009-08-17 15:22:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081720090818\index.dat

============= FINISH: 1:39:02.54 ===============


#2 raydopey

  • Topic Starter

  • Members
  • 5 posts

Posted 26 January 2010 - 09:19 PM

I also did an OTL custom scan (after seeing it on another forum) using

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT

----------------------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 27/01/2010 02:10:34 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 150.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.28 Gb Total Space | 24.08 Gb Free Space | 62.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SYSTEM106
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/27 02:06:47 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/01/27 01:40:20 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\User\Desktop\RootRepeal.exe
PRC - [2010/01/18 21:19:38 | 00,392,520 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Rps.exe
PRC - [2009/12/18 13:05:43 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/24 22:11:58 | 00,396,288 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
PRC - [2009/07/28 00:19:10 | 00,199,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/27 13:10:56 | 00,170,736 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
PRC - [2009/05/27 13:10:02 | 00,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe
PRC - [2009/05/27 12:20:32 | 00,308,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
PRC - [2009/05/27 12:20:30 | 02,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/04/03 14:51:32 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/14 18:28:10 | 04,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe
PRC - [2008/09/22 16:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2008/05/26 16:20:50 | 00,585,728 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
PRC - [2008/05/26 16:14:56 | 00,143,360 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
PRC - [2008/05/26 16:09:24 | 01,100,288 | ---- | M] () -- C:\Program Files\Virgin Broadband Wireless\wpa_supplicant.exe
PRC - [2008/05/26 16:09:24 | 00,044,032 | ---- | M] () -- C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
PRC - [2008/05/26 16:07:16 | 00,086,016 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/11 04:44:32 | 01,228,800 | R--- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOWS\mixer.exe


========== Modules (SafeList) ==========

MOD - [2010/01/27 02:06:47 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/17 16:37:52 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/07/13 13:02:50 | 00,542,496 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/27 13:10:56 | 00,170,736 | ---- | M] (Virgin Media) [On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2009/05/27 13:10:02 | 00,371,440 | ---- | M] (Virgin Media) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- (RP_FWS)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/14 18:28:10 | 04,937,752 | R--- | M] (Sana Security) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent)
SRV - [2008/09/22 16:58:48 | 00,910,600 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008/09/22 16:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008/05/26 16:14:56 | 00,143,360 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe -- (AffinegyService)
SRV - [2008/05/26 16:07:16 | 00,086,016 | ---- | M] (CACE Technologies) [Auto | Running] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2003/07/28 19:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/09/25 16:42:38 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2009/08/05 01:03:14 | 00,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2009/08/05 01:03:14 | 00,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2009/07/09 11:16:16 | 00,039,424 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/07/08 12:44:20 | 00,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/07/08 12:43:46 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/26 15:19:56 | 00,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2008/11/14 18:28:36 | 00,161,304 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver)
DRV - [2008/11/14 18:28:36 | 00,029,720 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter)
DRV - [2008/11/14 18:28:36 | 00,027,376 | ---- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys -- (RadialpointSafeConnectShim)
DRV - [2008/08/28 13:16:40 | 00,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008/08/06 21:20:08 | 00,048,384 | ---- | M] (Radialpoint, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rp_pkt32.sys -- (RPPKT) Radialpoint Filter (x86)
DRV - [2008/05/26 16:09:42 | 00,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2008/05/26 16:07:16 | 00,032,512 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/04/13 18:45:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 16:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/05 10:09:09 | 00,299,904 | R--- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MRVW225.sys -- (MRVW225)
DRV - [2007/04/03 12:05:48 | 00,019,072 | ---- | M] (ZDC., Inc. (ZDC)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\ZDCndis5.sys -- (ZDCNDIS5)
DRV - [2007/04/03 12:05:48 | 00,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2007/04/03 12:05:46 | 00,437,760 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WlanUZXP.SYS -- (ZY202_XP)
DRV - [2007/04/03 12:05:44 | 00,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BRGSp50.sys -- (BRGSp50)
DRV - [2005/12/21 02:16:34 | 00,470,048 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2004/08/12 13:26:42 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/11 04:44:32 | 00,370,382 | R--- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - [2004/02/10 11:17:06 | 00,681,469 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2002/12/19 16:48:48 | 00,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/11/12 09:02:20 | 00,099,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel®
DRV - [2002/04/01 12:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\S-1-5-21-1343024091-1275210071-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://uk.ask.com?o=15153&l=dis"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.60
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.45
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}:1.3
FF - prefs.js..keyword.URL: ""
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/22 13:10:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/25 02:04:26 | 00,000,000 | ---D | M]

[2009/08/17 13:53:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/01/25 18:34:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions
[2010/01/23 05:12:47 | 00,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/01/23 05:08:31 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/01/23 05:08:32 | 00,000,000 | ---D | M] (Memory Fox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
[2010/01/25 02:04:12 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/09/16 01:15:46 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\searchplugins\askcom.xml
[2010/01/26 17:12:10 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/19 14:48:43 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/12/19 14:48:44 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/12/19 14:48:45 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/12/19 14:48:46 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/11/26 04:35:35 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk = C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe (ZyXEL Communications Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-21-1343024091-1275210071-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1190640726234 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...718/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/24 11:36:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/12/30 09:09:03 | 00,000,034 | ---- | M] () - C:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{07434b00-7e8e-11de-8631-0019cbf5a39f}\Shell - "" = AutoRun
O33 - MountPoints2\{07434b00-7e8e-11de-8631-0019cbf5a39f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/09/24 11:35:38 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (71216562131959808)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/27 02:06:40 | 00,548,352 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/01/27 01:40:13 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\User\Desktop\RootRepeal.exe
[2010/01/26 19:02:07 | 00,028,672 | ---- | C] (Pure Love ;)) -- C:\WINDOWS\System32\tdlcmd.dll
[2010/01/26 18:18:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\GooredFix Backups
[2010/01/26 17:22:38 | 00,000,000 | ---D | C] -- C:\Program Files\Browser Hijack Recover
[2010/01/25 12:15:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Office Genuine Advantage
[2010/01/25 02:04:19 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/01/24 05:05:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2010/01/24 05:05:25 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/01/24 04:51:18 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/01/22 13:33:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/22 13:01:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/01/22 03:00:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/01/21 12:14:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/01/21 12:14:25 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/01/18 21:16:36 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/24 03:18:11 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\NetworkService\Application Data\lowsec
[2009/10/26 16:42:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2009/09/07 15:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/08/17 15:22:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/05 01:02:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/05 01:02:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/05 01:02:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1996/11/17 23:00:00 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/27 02:06:47 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/01/27 01:40:22 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\settings.dat
[2010/01/27 01:40:20 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\User\Desktop\RootRepeal.exe
[2010/01/27 01:36:16 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2010/01/27 01:33:01 | 00,000,972 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1275210071-682003330-1004UA.job
[2010/01/27 01:32:06 | 00,028,672 | ---- | M] (Pure Love ;)) -- C:\WINDOWS\System32\tdlcmd.dll
[2010/01/26 22:22:06 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/26 22:22:00 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/26 21:27:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/26 21:26:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/26 21:25:56 | 02,359,296 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/01/26 21:25:56 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/01/26 20:33:01 | 00,000,920 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1275210071-682003330-1004Core.job
[2010/01/26 18:13:21 | 00,000,408 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/26 18:12:48 | 00,002,198 | RHS- | M] () -- C:\Documents and Settings\User\ntuser.pol
[2010/01/26 17:22:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\8104297.jun
[2010/01/25 16:42:11 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/24 05:05:25 | 00,000,715 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan.lnk
[2010/01/24 05:05:25 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
[2010/01/24 04:29:19 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/23 04:58:28 | 00,000,264 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/22 13:34:15 | 04,836,958 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/01/22 13:34:07 | 00,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/22 13:34:07 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2010/01/13 09:30:59 | 00,141,600 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/01/13 09:30:59 | 00,014,276 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/01/13 09:30:58 | 07,094,560 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/01/13 09:30:58 | 00,096,092 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/01/08 16:45:34 | 00,509,574 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/08 16:45:34 | 00,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/08 16:45:34 | 00,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/07 15:01:36 | 00,387,584 | ---- | M] () -- C:\Documents and Settings\User\Desktop\VENUE AND SCHEDULE.doc
[2010/01/07 02:08:30 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/01/05 10:00:29 | 00,832,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/01/05 10:00:28 | 01,168,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/01/05 10:00:28 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2010/01/05 10:00:28 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2010/01/05 10:00:28 | 00,233,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\webcheck.dll
[2010/01/05 10:00:28 | 00,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2010/01/05 10:00:28 | 00,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2010/01/05 10:00:28 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2010/01/05 10:00:28 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\pngfilt.dll
[2010/01/05 10:00:28 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pngfilt.dll
[2010/01/05 10:00:27 | 00,477,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2010/01/05 10:00:27 | 00,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msrating.dll
[2010/01/05 10:00:27 | 00,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrating.dll
[2010/01/05 10:00:26 | 03,599,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2010/01/05 10:00:25 | 00,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010/01/05 10:00:25 | 00,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/01/05 10:00:24 | 01,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2010/01/05 10:00:24 | 01,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2010/01/05 10:00:24 | 00,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010/01/05 10:00:24 | 00,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/01/05 10:00:24 | 00,268,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/01/05 10:00:24 | 00,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2010/01/05 10:00:24 | 00,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2010/01/05 10:00:24 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iernonce.dll
[2010/01/05 10:00:24 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iernonce.dll
[2010/01/05 10:00:24 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2010/01/05 10:00:24 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2010/01/05 10:00:23 | 06,067,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010/01/05 10:00:21 | 00,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2010/01/05 10:00:21 | 00,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2010/01/05 10:00:21 | 00,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieapfltr.dll
[2010/01/05 10:00:21 | 00,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2010/01/05 10:00:21 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieaksie.dll
[2010/01/05 10:00:21 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieaksie.dll
[2010/01/05 10:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtrans.dll
[2010/01/05 10:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtrans.dll
[2010/01/05 10:00:21 | 00,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieakeng.dll
[2010/01/05 10:00:21 | 00,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieakeng.dll
[2010/01/05 10:00:21 | 00,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\extmgr.dll
[2010/01/05 10:00:21 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/01/05 10:00:21 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/01/05 10:00:21 | 00,063,488 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2010/01/05 10:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtmsft.dll
[2010/01/05 10:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtmsft.dll
[2010/01/05 10:00:20 | 00,124,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advpack.dll
[2010/01/05 10:00:20 | 00,124,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\advpack.dll
[2010/01/05 10:00:20 | 00,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\corpol.dll
[2010/01/05 10:00:20 | 00,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\corpol.dll
[2009/12/31 15:33:27 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2009/12/31 15:33:06 | 00,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/12/31 15:33:06 | 00,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2009/12/31 15:33:06 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieudinit.exe
[2009/12/31 15:33:06 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2009/12/30 09:09:03 | 00,000,034 | ---- | M] () -- C:\Autorun.inf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/27 01:40:22 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\User\Desktop\settings.dat
[2010/01/27 01:36:10 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2010/01/26 18:13:21 | 00,000,408 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/26 17:22:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\8104297.jun
[2010/01/24 05:05:25 | 00,000,715 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan.lnk
[2010/01/24 05:05:25 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
[2010/01/22 03:00:19 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/07 15:01:34 | 00,387,584 | ---- | C] () -- C:\Documents and Settings\User\Desktop\VENUE AND SCHEDULE.doc
[2010/01/07 02:08:30 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2009/12/30 09:09:03 | 00,000,034 | ---- | C] () -- C:\Autorun.inf
[2009/12/08 16:41:26 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/17 22:53:36 | 00,000,027 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2009/11/15 20:49:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\tdlrm.dll
[2009/11/04 13:55:47 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/10/11 15:46:22 | 00,000,036 | ---- | C] () -- C:\WINDOWS\CMMPLAY.INI
[2009/10/10 16:33:25 | 00,000,101 | ---- | C] () -- C:\WINDOWS\CMMIXER.INI
[2009/10/10 16:32:19 | 00,000,029 | ---- | C] () -- C:\WINDOWS\CMMIPLAY.INI
[2009/10/10 16:17:20 | 00,000,043 | ---- | C] () -- C:\WINDOWS\CMAURACK.INI
[2009/10/10 16:13:09 | 00,004,346 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2009/10/10 16:12:58 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2009/09/30 17:07:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/08/15 01:48:29 | 00,000,246 | ---- | C] () -- C:\WINDOWS\System32\drivers\atmapi.sys
[2009/08/09 11:58:10 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/29 23:25:38 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2009/07/29 23:25:38 | 00,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2009/07/29 23:25:34 | 00,001,162 | ---- | C] () -- C:\WINDOWS\System32\W32N55.INI
[2008/10/14 16:09:12 | 00,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2007/09/28 10:29:39 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/18 13:00:00 | 00,035,328 | -H-- | C] () -- C:\WINDOWS\System32\msls50.dll
[2003/01/07 23:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/12 13:29:28 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/08/17 13:48:14 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/08/17 13:48:14 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/12 13:29:28 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/08/17 13:48:14 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/08/17 13:48:14 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/12 13:17:27 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/12 13:19:04 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2004/08/12 13:36:15 | 00,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 18:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2004/08/12 13:24:31 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/12 13:27:47 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 10:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/01/05 10:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2008/04/14 00:12:00 | 01,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
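
As an added example (not part of this thread, and not code from OTL or its author), the script below parses the `[date | size | attrs | C/M] (Company) -- path` entries from the "Files/Folders - Created" and "Files - Modified" sections of the OTL log above and lists what a helper usually looks at first: binaries under C:\WINDOWS whose publisher field is empty or not on a small allowlist, and an Autorun.inf sitting in a drive root. The sample lines are copied from the log above; the publisher allowlist and the path rules are assumptions constructed for the example, not rules OTL applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file/folder entry, as seen in the "Files/Folders - Created Within 30 Days"
# and "Files - Modified Within 30 Days" sections:
#   [YYYY/MM/DD HH:MM:SS | 00,123,456 | ---D | C] (Company) -- C:\path
# The "(Company)" part is absent on folder lines, may be "()" or "( )", and may
# itself contain a ")" (the tdlcmd.dll line above reads "(Pure Love ;))").
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\]"
    r"(?: \((?P<company>.*?)\))? -- (?P<path>.+)$"
)

# Constructed allowlist for this example; OTL itself applies no such rule.
KNOWN_PUBLISHERS = {"microsoft corporation", "intel corporation"}
SYSTEM_PREFIXES = ("c:\\windows\\",)
BINARY_EXTENSIONS = (".dll", ".exe", ".sys", ".scr", ".cpl")


@dataclass
class OtlEntry:
    date: str
    size: int
    attrs: str        # four-character attribute field, e.g. "---D" or "RHS-"
    flag: str         # "C" for created, "M" for modified
    company: str      # publisher string, "" when OTL printed "()" or "( )"
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs[3] == "D"


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL entry; return None for lines in another format."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        date=m["date"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        flag=m["flag"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def parse_log(text: str) -> List[OtlEntry]:
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[OtlEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries a helper would review first."""
    findings = []
    for e in entries:
        if e.is_directory:
            continue
        low = e.path.lower()
        # A binary in the Windows tree that is not attributed to a known publisher.
        if low.startswith(SYSTEM_PREFIXES) and low.endswith(BINARY_EXTENSIONS):
            if e.company.lower() not in KNOWN_PUBLISHERS:
                label = e.company or "<none>"
                findings.append((e.path, f"binary under C:\\WINDOWS with unrecognised publisher {label!r}"))
        # An Autorun.inf directly in a drive root is worth a look on any XP box.
        if re.fullmatch(r"[a-z]:\\autorun\.inf", low):
            findings.append((e.path, "Autorun.inf in drive root"))
    return findings


# Sample input: lines copied from the OTL log above, plus one non-entry line.
SAMPLE_LOG = r"""
[2010/01/27 02:06:40 | 00,548,352 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/01/26 19:02:07 | 00,028,672 | ---- | C] (Pure Love ;)) -- C:\WINDOWS\System32\tdlcmd.dll
[2010/01/26 18:18:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\GooredFix Backups
[2010/01/18 21:16:36 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/11/15 20:49:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\tdlrm.dll
[2009/12/30 09:09:03 | 00,000,034 | ---- | C] () -- C:\Autorun.inf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
"""

if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

The allowlist is deliberately short: the point is that an unrecognised or empty publisher string on a file in the Windows tree is a reason to look closer, not a verdict. A real triage pass would also compare the entry's size and date against the known-good copies OTL lists under "MD5 for:".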


#3 Elise

Elise
  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania

Posted 03 February 2010 - 08:58 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise




#4 raydopey

raydopey
  • Topic Starter
  • Members
  • 5 posts

Posted 04 February 2010 - 09:16 PM

Dear Elise,

I am so pleased to hear from you. Here are the details you requested:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-05 02:13:06
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\ugtiypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xF89798B0]
SSDT \??\C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xF89798E0]
SSDT \??\C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xF8979990]
SSDT \??\C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xF8979A30]
SSDT \??\C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xF8979AD0]

---- Kernel code sections - GMER 1.0.15 ----

? pbkpi.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF8611780]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetQueryOptionA 3D9393C3 5 Bytes JMP 10001A20
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 100025F0
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 10002630
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 10002480
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 10002560
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 10001EB0
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetSetStatusCallback 3D957D7B 5 Bytes JMP 10001A80
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 10002030
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetReadFileExW 3D96334C 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetReadFileExW 3D96334C 5 Bytes JMP 10002350
.text C:\Program Files\Internet Explorer\iexplore.exe[137872] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 10002220
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] WININET.dll!InternetQueryOptionA 3D9393C3 5 Bytes JMP 10001A20
.text C:\Program Files\Internet Explorer\iexplore.exe[281864] WININET.dll!InternetSetStatusCallback 3D957D7B 5 Bytes JMP 10001A80

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\Explorer.EXE [USER32.dll!EndDialog] 02A554E1
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TranslateMessage] 02A55F49
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 02A559DA
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 02A558C5
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 02A55860
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 02A5582E
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 02A55C9F
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 02A55F49
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 02A554E1
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 02A55F49
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 02A554E1
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 02A554E1
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 02A55F49
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 02A55C9F
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 02A554E1
IAT C:\WINDOWS\Explorer.EXE[740] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 02A559DA
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00C359DA
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00C358C5
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00C35860
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C3582E
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00C35C9F
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00C35F49
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00C359DA
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 00C354E1
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00C35F49
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00C35C9F
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 00C354E1
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00C35F49
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 00C354E1
IAT C:\WINDOWS\System32\alg.exe[796] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 00C354E1
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01DC59DA
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01DC58C5
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01DC5860
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01DC582E
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01DC59DA
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 01DC54E1
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 01DC5F49
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 01DC5C9F
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 01DC54E1
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 01DC5F49
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 01DC5C9F
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 01DC5F49
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 01DC54E1
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[804] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 01DC54E1
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00CD59DA
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CD59DA
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CD58C5
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00CD5860
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00CD582E
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 00CD54E1
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 00CD54E1
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00CD5F49
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00CD5C9F
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 00CD54E1
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00CD5F49
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 00CD54E1
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00CD59DA
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00CD5C9F
IAT C:\WINDOWS\system32\services.exe[1276] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00CD5F49
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 007A59DA
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007A58C5
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 007A5860
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 007A582E
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 007A58C5
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 007A59DA
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 007A58C5
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 007A5860
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 007A5C9F
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 007A5F49
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 007A54E1
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 007A5F49
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 007A5C9F
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 007A54E1
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 007A5F49
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 007A54E1
IAT C:\WINDOWS\system32\lsass.exe[1288] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 007A54E1
IAT C:\WINDOWS\system32\svchost.exe[1500] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0299582E
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00D259DA
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00D258C5
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00D25860
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00D2582E
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00D25C9F
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00D25F49
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 00D254E1
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00D25F49
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00D25C9F
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 00D254E1
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00D25F49
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 00D254E1
IAT C:\WINDOWS\system32\svchost.exe[1576] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 00D254E1
IAT C:\WINDOWS\system32\svchost.exe[1576] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00D259DA
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 029D59DA
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 029D58C5
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 029D5860
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 029D582E
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 029D5C9F
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 029D5F49
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 029D54E1
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 029D5F49
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 029D5C9F
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 029D54E1
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 029D5F49
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 029D54E1
IAT C:\WINDOWS\System32\svchost.exe[1636] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 029D54E1
IAT C:\WINDOWS\System32\svchost.exe[1636] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 029D59DA
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00E559DA
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00E558C5
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00E55860
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00E5582E
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00E55C9F
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00E55F49
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 00E554E1
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00E55F49
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00E55C9F
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 00E554E1
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00E55F49
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 00E554E1
IAT C:\WINDOWS\system32\svchost.exe[1896] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 00E554E1
IAT C:\WINDOWS\system32\svchost.exe[1896] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00E559DA
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 007B59DA
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007B58C5
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 007B5860
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 007B582E
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 007B5C9F
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 007B5F49
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 007B54E1
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 007B5F49
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 007B5C9F
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 007B54E1
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 007B5F49
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 007B54E1
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 007B54E1
IAT C:\WINDOWS\System32\svchost.exe[3512] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 007B59DA
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 078F59DA
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 078F58C5
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 078F5860
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 078F582E
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 078F54E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 078F5F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 078F54E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 078F5F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 078F5C9F
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 078F5C9F
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 078F5F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 078F54E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 078F54E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[137872] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 078F59DA
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001359DA
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 001358C5
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135860
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0013582E
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00135C9F
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135F49
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 001354E1
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135F49
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 001354E1
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135F49
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00135C9F
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 001354E1
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001359DA
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe[245820] @ C:\WINDOWS\system32\userenv.dll [USER32.dll!EndDialog] 001354E1
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004059DA
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 004058C5
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00405860
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0040582E
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 004054E1
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405F49
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 004054E1
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405F49
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405C9F
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00405C9F
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405F49
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 004054E1
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 004054E1
IAT C:\WINDOWS\system32\notepad.exe[281008] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004059DA
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001459DA
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 001458C5
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00145860
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0014582E
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00145C9F
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00145C9F
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Program Files\Internet Explorer\iexplore.exe[281864] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001459DA
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001459DA
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 001458C5
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00145860
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0014582E
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00145C9F
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00145C9F
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00145F49
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!EndDialog] 001454E1
IAT C:\Documents and Settings\User\Desktop\gmer.exe[284264] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001459DA

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F8604B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [F8604B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F8604B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F8604B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 6800
Process hidden process (*** hidden *** ) 18864
Process hidden process (*** hidden *** ) 19660
Process hidden process (*** hidden *** ) 19720
Process hidden process (*** hidden *** ) 22120
Process hidden process (*** hidden *** ) 49212

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage@HandWritingFiles 1011159171

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\NC3CW52G\113[1] 0 bytes
File C:\WINDOWS\system32\lowsec 0 bytes
File C:\WINDOWS\system32\lowsec\local.ds 98951 bytes
File C:\WINDOWS\system32\lowsec\user.ds 0 bytes
File C:\WINDOWS\system32\sdra64.exe 114688 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 1:36:19.64 on 27/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.64 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\PCguard\rps.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Virgin Broadband Wireless\wpa_supplicant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title =
mWindow Title =
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [C-Media Mixer] Mixer.exe /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\zyxel g-202 wireless adapter utility\ZyXEL G-202.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190640726234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5718/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2t32705l.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com?o=15153&l=dis
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\2t32705l.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\2t32705l.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\virgin broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-12-16 32512]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2009-7-29 19072]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2009-7-29 437760]
S0 lgej;lgej;c:\windows\system32\drivers\maqajk.sys --> c:\windows\system32\drivers\maqajk.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-5 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-5 29208]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2009-7-29 20608]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-24 34248]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2008-1-17 299904]

=============== Created Last 30 ================

2010-01-26 19:02:07 28672 ----a-w- c:\windows\system32\tdlcmd.dll
2010-01-26 17:22:42 0 ----a-w- c:\windows\system32\8104297.jun
2010-01-26 17:22:38 0 d-----w- c:\program files\Browser Hijack Recover
2010-01-25 12:15:15 0 d-----w- c:\docume~1\user\applic~1\Office Genuine Advantage
2010-01-24 05:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-01-24 05:05:25 0 d-----w- c:\program files\McAfee Security Scan
2010-01-22 13:33:26 0 d-----w- c:\windows\pss
2010-01-21 12:14:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-01-21 12:14:25 0 d-----w- c:\program files\Security Task Manager
2010-01-18 21:16:36 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 16:45:34 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca9081ff50384e.mof
2009-12-30 09:09:03 34 ----a-w- C:\Autorun.inf

==================== Find3M ====================

2010-01-13 09:30:59 14276 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-13 09:30:59 141600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-13 09:30:58 96092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-13 09:30:58 7094560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-03 16:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 04:35:56 2822 ----a-w- c:\windows\system32\tmp.reg
2009-08-17 15:22:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081720090818\index.dat

============= FINISH: 1:39:02.54 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/09/2007 12:39:37
System Uptime: 26/01/2010 21:26:30 (4 hours ago)

Motherboard: Dell Computer Corp. | | 00T606
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2656/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 24.081 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 26/01/2010 18:15:33 - System Checkpoint
RP2: 26/01/2010 18:16:17 - IE Hijack

==== Installed Programs ======================

AAC Decoder
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Apple Mobile Device Support
Apple Software Update
µTorrent
Audacity 1.2.6
AutoUpdate
Bonjour
CDisplay 1.8
Dell Driver Download Manager
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Google Talk Plugin
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
InterActual Player
iTunes
Java DB 10.3.1.4
Java™ 6 Update 3
Java™ 6 Update 6
Java™ SE Development Kit 6 Update 6
Malwarebytes' Anti-Malware
McAfee Security Scan
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Mozilla Firefox (3.5.7)
MSVCRT
Nero Suite
OGA Notifier 2.0.0048.0
PCI Audio Applications
PCI Audio Driver
PerfectDisk 2008
PowerDVD
QuickTime
Rome - Total War - Gold Edition
RPS Burn
RPS CRT
RPS Diagnostic Utility
RPS Firewall
RPS Ksdk
RPS ParentalControl
RPS PerfectDiskStub
RPS PopupBlocker
RPS RpsCore
RPS SafeConnect
Security Task Manager 1.7h
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Skype™ 4.1
SoundMAX
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Virgin Broadband advisor 1.5.24
Virgin Broadband PCguard
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
Wireless Manager
Yahoo! Messenger
ZIP Reader 8.00.0018
ZyXEL G-202 Wireless Adapter Utility

==== Event Viewer Messages From Past Week ========

27/01/2010 01:36:56, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the rpcapd service.
26/01/2010 21:27:39, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
26/01/2010 21:27:05, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7034] - The Automatic Updates service terminated unexpectedly. It has done this 3 time(s).
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
24/01/2010 04:56:06, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/01/2010 13:36:12, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service Radialpoint Security Services with arguments "" in order to run the server: {9997FB0D-4EE6-48EB-8BFE-C278C03C1345}
22/01/2010 13:36:02, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
22/01/2010 13:36:02, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service Radialpoint Security Services with arguments "" in order to run the server: {A4D89771-BC68-40C5-BD85-114A924569AE}
22/01/2010 13:36:02, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service PD91Engine with arguments "-Service" in order to run the server: {00772927-3E20-4854-9D99-77DEA78FE9E5}
22/01/2010 13:05:15, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
22/01/2010 01:19:19, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/01/2010 01:19:15, error: Service Control Manager [7034] - The Virgin Broadband PCguard SafeConnectAgent service terminated unexpectedly. It has done this 1 time(s).
22/01/2010 01:19:15, error: Service Control Manager [7034] - The AffinegyService service terminated unexpectedly. It has done this 1 time(s).
21/01/2010 00:53:43, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 000001a3, parameter3 ef8a4b98, parameter4 00000000.
20/01/2010 23:25:45, error: PSched [14103] - QoS [Adapter {5FC2277E-56AE-4028-8AA4-67F4EEB091B9}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
20/01/2010 00:36:45, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================



#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:11 AM

Posted 05 February 2010 - 08:30 AM

Hello raydopey,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#6 raydopey

raydopey
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 PM

Posted 07 February 2010 - 10:48 AM

Dear Elise,

Thank you so much for your timely help. I have uninstalled uTorrent as per your request and run ComboFix as directed. The report is as follows:

ComboFix 10-02-06.01 - User 07/02/2010 1:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.291 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\atmapi.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tdlrm.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-01-26 17:22 . 2010-01-26 17:29 -------- d-----w- c:\program files\Browser Hijack Recover
2010-01-25 12:15 . 2010-01-25 12:15 -------- d-----w- c:\documents and settings\User\Application Data\Office Genuine Advantage
2010-01-25 02:04 . 2010-01-25 02:04 -------- d-----w- c:\program files\NOS
2010-01-25 02:04 . 2009-12-17 16:37 31936 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 02:04 . 2009-12-17 16:37 29344 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-24 05:05 . 2010-01-24 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-24 05:05 . 2010-01-24 05:05 -------- d-----w- c:\program files\McAfee Security Scan
2010-01-24 04:51 . 2010-01-24 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-23 05:08 . 2009-12-24 19:55 606208 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
2010-01-23 05:08 . 2009-06-02 16:24 67072 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\npAFOM.dll
2010-01-22 13:01 . 2010-01-22 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-21 12:14 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
2010-01-18 21:16 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 01:57 . 2009-12-16 11:26 -------- d-----w- c:\documents and settings\User\Application Data\Affinegy
2010-01-26 02:02 . 2009-09-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-26 02:00 . 2009-10-12 14:18 -------- d-----r- c:\program files\Skype
2010-01-21 12:17 . 2010-01-21 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-01-13 09:30 . 2009-11-14 17:13 14276 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-13 09:30 . 2009-11-14 17:13 141600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-13 09:30 . 2009-11-14 17:13 96092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-13 09:30 . 2009-11-14 17:13 7094560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-05 10:00 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-12 13:18 17408 ------w- c:\windows\system32\corpol.dll
2009-12-24 03:34 . 2009-12-24 03:34 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-24 03:34 . 2009-12-24 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 03:33 . 2009-12-24 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 03:18 . 2009-12-23 15:48 -------- d-sh--w- c:\documents and settings\NetworkService\Application Data\lowsec
2009-12-16 11:25 . 2009-11-04 14:15 -------- d-----w- c:\program files\Virgin Broadband Wireless
2009-12-16 11:24 . 2009-12-16 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy
2009-12-04 10:03 . 2009-12-04 10:03 251376 ----a-w- c:\documents and settings\User\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-03 16:14 . 2009-12-24 03:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-12-24 03:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-12 13:17 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2004-08-11 1228800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2009-7-29 10891264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-03 19:23 133104 ----atw- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 20:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 18:28 4937752]
R3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 13:10 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 18:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 18:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 18:28 27376]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [29/07/2009 23:25 19072]
S0 lgej;lgej;c:\windows\system32\drivers\maqajk.sys --> c:\windows\system32\drivers\maqajk.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [05/08/2009 01:03 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [05/08/2009 01:03 29208]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [29/07/2009 23:25 20608]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [17/01/2008 16:24 299904]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 16:58 910600]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [29/07/2009 23:25 437760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1275210071-682003330-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-03 19:23]

2010-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1275210071-682003330-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-03 19:23]

2010-02-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
mWindow Title =
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com?o=15153&l=dis
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\npAFOM.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2t32705l.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 14:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82F72F61]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8732f28
\Driver\ACPI -> ACPI.sys @ 0xf86a5cb8
\Driver\atapi -> atapi.sys @ 0xf863ab3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8543bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8532a0d
SendHandler -> NDIS.sys @ 0xf8546b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe
c:\windows\Mixer.exe
c:\program files\McAfee Security Scan\1.0.150\McUICnt.exe
.
**************************************************************************
.
Completion time: 2010-02-07 14:56:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 14:56

Pre-Run: 25,527,676,928 bytes free
Post-Run: 25,599,954,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7DE0C74FF0E09EEF2EAEB13B7515927E


Thank you again and have a great day.

Kind Regards,

Ray

#7 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:11 AM

Posted 07 February 2010 - 12:06 PM

Hello raydopey,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Driver::
lgej

File::
c:\windows\system32\drivers\maqajk.sys

FCopy::
c:\windows\servicepackfiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


After finishing these steps, please verify if your browser is still getting redirected.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
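The CF-script above names one driver service (lgej), its image file (maqajk.sys) and a clean-copy replacement for atapi.sys. The entry it targets is the one line in the DDS service list whose file information reads `[?]` instead of a timestamp and size, on an `S0` (boot-start) driver. As an added example, not part of this thread or of any BleepingComputer or ComboFix tooling, the script below parses service lines in that DDS format, flags entries whose image could not be read (the `[?]` reading of that field, and the R/S = running/stopped, digit = start type reading of the prefix, are this example's assumptions), parses a CFScript's `Driver::`/`File::`/`FCopy::` sections, and cross-checks that each script target matches a flagged service. The three log lines and the script text are constructed samples copied in form from the posts above.

```python
"""Triage helper for DDS/ComboFix service lines and a CFScript (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: three service lines in the DDS format shown in the log above.
SAMPLE_LOG = r"""
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]
S0 lgej;lgej;c:\windows\system32\drivers\maqajk.sys --> c:\windows\system32\drivers\maqajk.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [05/08/2009 01:03 29208]
"""

# Constructed sample: the CFScript from the post above.
SAMPLE_CFSCRIPT = r"""
Driver::
lgej

File::
c:\windows\system32\drivers\maqajk.sys

FCopy::
c:\windows\servicepackfiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
"""

# Assumption: the digit after R/S is the Windows service start type.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# <R|S><start> <name>;<display>;<path>[ --> <path>] [<date time size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<paths>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class Service:
    state: str      # assumption: R = running, S = stopped
    start: int      # start type, see START_TYPES
    name: str
    display: str
    path: str
    info: str       # "dd/mm/yyyy hh:mm size", or "?" when DDS could not read the file

    @property
    def file_unreadable(self) -> bool:
        return self.info.strip() == "?"


def parse_services(text: str) -> list:
    """Parse every DDS service line in text; non-matching lines are ignored."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # The "image --> image" form repeats the path when the file could not be read;
        # keep the first copy as the image path.
        path = m.group("paths").split(" --> ")[0].strip()
        out.append(Service(m.group("state"), int(m.group("start")), m.group("name"),
                           m.group("display"), path, m.group("info")))
    return out


def flag_suspicious(services: list) -> list:
    """Return (service, reason) pairs an analyst would want to look at first."""
    flagged = []
    for s in services:
        if s.file_unreadable:
            reason = "image file not readable on disk"
            if s.start in (0, 1):
                reason += f"; {START_TYPES[s.start]}-start driver loads before most defences"
            flagged.append((s, reason))
    return flagged


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into {section: [entries]} using the 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def fcopy_pairs(script: dict) -> list:
    """FCopy:: entries as (source, destination) tuples."""
    pairs = []
    for entry in script.get("FCopy", []):
        src, _, dst = (p.strip() for p in entry.partition("|"))
        pairs.append((src, dst))
    return pairs


def cross_check(services: list, script: dict) -> dict:
    """For each Driver:: target, confirm it is a known, flagged service whose image is in File::."""
    by_name = {s.name.lower(): s for s in services}
    flagged = {s.name.lower() for s, _ in flag_suspicious(services)}
    listed_files = {f.lower() for f in script.get("File", [])}
    report = {}
    for drv in script.get("Driver", []):
        svc = by_name.get(drv.lower())
        report[drv] = {
            "known_service": svc is not None,
            "flagged": drv.lower() in flagged,
            "file_listed": svc is not None and svc.path.lower() in listed_files,
        }
    return report


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    for s, why in flag_suspicious(svcs):
        print(f"{s.state}{s.start} {s.name}: {s.path} ({why})")
    print(cross_check(svcs, parse_cfscript(SAMPLE_CFSCRIPT)))
```

Run against a full DDS or ComboFix log, the same parser lists every service whose image DDS could not read; a boot-start driver in that state, with a name unrelated to any installed product, is the kind of entry the helper's script removes first, and the cross-check keeps the script honest by showing whether each target actually corresponds to a flagged line in the log.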


#8 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:11 AM

Posted 12 February 2010 - 02:48 PM

Hello, are you still there?

regards, Elise




#9 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:11 AM

Posted 19 February 2010 - 10:40 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






