
Google re-direct


This topic is locked
20 replies to this topic

#1 christians_sin
Members, 10 posts
Posted 30 January 2010 - 06:14 PM

I seem to have picked up that lovely Google re-direct bug.
Here are the logs. Thanks in advance for any help!


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2009 2:05:57 PM
System Uptime: 1/30/2010 1:22:19 PM (3 hours ago)

Motherboard: Gateway | |
Processor: Genuine Intel® CPU T2250 @ 1.73GHz | uFCPGA2 | 1729/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 90.796 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_0366107B&REV_03\3&B1BFB68&1&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_0366107B&REV_03\3&B1BFB68&1&10
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_0366107B&REV_03\3&B1BFB68&1&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_0366107B&REV_03\3&B1BFB68&1&11
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4352&SUBSYS_0366107B&REV_14\4&9EE4DCE&0&00E0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4352&SUBSYS_0366107B&REV_14\4&9EE4DCE&0&00E0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10008086&REV_02\4&115ADF0F&0&00E1
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10008086&REV_02\4&115ADF0F&0&00E1
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_0366107B&REV_00\4&88B0A16&0&4AF0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_0366107B&REV_00\4&88B0A16&0&4AF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_0366107B&REV_02\3&B1BFB68&1&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_0366107B&REV_02\3&B1BFB68&1&FB
Service:

==== System Restore Points ===================

RP25: 1/8/2010 8:31:18 PM - System Checkpoint
RP26: 1/9/2010 5:36:58 PM - Installed NETGEAR WNDA3100v2 wireless USB 2.0 adapter
RP27: 1/9/2010 4:26:22 PM - Installed Windows XP KB888111WXPSP2.
RP28: 1/9/2010 4:26:51 PM - Installed SigmaTel Audio
RP29: 1/9/2010 4:49:00 PM - Software Distribution Service 3.0
RP30: 1/9/2010 4:50:51 PM - Installed MSN Toolbar
RP31: 1/9/2010 4:51:11 PM - Installed Windows Internet Explorer 8.
RP32: 1/9/2010 4:51:31 PM - Software Distribution Service 3.0
RP33: 1/9/2010 7:02:24 PM - Software Distribution Service 3.0
RP34: 1/9/2010 7:48:12 PM - Removed MSN Toolbar
RP35: 1/9/2010 7:51:59 PM - Software Distribution Service 3.0
RP36: 1/9/2010 8:28:05 PM - Installed iTunes
RP37: 1/9/2010 9:04:45 PM - Software Distribution Service 3.0
RP38: 1/9/2010 9:30:07 PM - Software Distribution Service 3.0
RP39: 1/9/2010 9:31:57 PM - Installed Zune 4.0
RP40: 1/9/2010 10:53:11 PM - Installed Paint Shop Pro 7
RP41: 1/9/2010 10:54:27 PM -
RP42: 1/9/2010 11:04:51 PM - Software Distribution Service 3.0
RP43: 1/10/2010 9:06:24 AM - Installed Windows XP Wudf01009.
RP44: 1/10/2010 9:06:56 AM - Installed Windows XP winusb0100.
RP45: 1/10/2010 5:34:13 PM - Installed VideoCamSuite
RP46: 1/10/2010 6:22:57 PM - Installed BlackBerry Desktop Software 4.6.
RP47: 1/10/2010 6:28:31 PM - Installed Roxio Media Manager
RP48: 1/10/2010 6:54:15 PM - Installed Java™ 6 Update 17
RP49: 1/10/2010 8:18:49 PM - Software Distribution Service 3.0
RP50: 1/11/2010 8:57:15 PM - Installed CoffeeCup Direct FTP
RP51: 1/11/2010 9:59:45 PM - Software Distribution Service 3.0
RP52: 1/13/2010 5:48:39 PM - Software Distribution Service 3.0
RP53: 1/13/2010 5:58:15 PM -
RP54: 1/13/2010 7:36:10 PM - Installed Windows XP -- Software Updates KB952011.
RP55: 1/16/2010 2:23:13 AM - Software Distribution Service 3.0
RP56: 1/16/2010 2:36:56 AM - Software Distribution Service 3.0
RP57: 1/16/2010 2:51:00 AM - Software Distribution Service 3.0
RP58: 1/16/2010 4:40:46 AM - Installed Jasc Paint Shop Pro 9
RP59: 1/16/2010 4:58:16 AM - Removed Jasc Paint Shop Pro 9
RP60: 1/18/2010 3:49:01 PM - Installed Corel Paint Shop Pro Photo X2.
RP61: 1/18/2010 11:10:40 PM - Software Distribution Service 3.0
RP62: 1/19/2010 9:06:44 PM - Installed Canon Camera WIA Driver
RP63: 1/20/2010 9:32:40 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP64: 1/22/2010 12:09:06 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP65: 1/22/2010 1:27:42 PM - Software Distribution Service 3.0
RP66: 1/24/2010 10:51:24 AM - System Checkpoint
RP67: 1/26/2010 12:35:33 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 4.6
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.4
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CoffeeCup Direct FTP
Corel Paint Shop Pro Photo X2
eMusic Download Manager 4.1.4
getPlus® Download Manager for Corel
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
iTunes
Java™ 6 Update 17
LimeWire 5.4.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Microsoft Word 97
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NETGEAR WNDA3100v2 wireless USB 2.0 adapter
Norton 360 Premier Edition
Paint Shop Pro 7
QuickTime
Roxio Media Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SigmaTel Audio
Sonic Encoders
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoCam Suite
VideoCam Suite 1.0
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Media Center Edition 2005 KB914548
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

1/26/2010 9:56:09 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
1/26/2010 9:52:39 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
1/26/2010 7:15:27 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0024B2F6624F has been denied by the DHCP server 10.105.88.1 (The DHCP Server sent a DHCPNACK message).
1/26/2010 11:50:43 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
1/26/2010 11:50:43 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/26/2010 10:26:30 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DORIS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9110667A-CB20-4984-925. The master browser is stopping or an election is being forced.
1/24/2010 8:13:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
1/24/2010 8:13:00 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/24/2010 8:12:59 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
1/24/2010 8:10:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

==== End Of File ===========================




DDS (Ver_09-12-01.01) - NTFSx86
Run by Chan at 16:51:29.98 on Sat 01/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.905 [GMT -6:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\MediaCataloger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chan\Local Settings\Temporary Internet Files\Content.IE5\U1OPA9KJ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\3.5.2.11\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\3.5.2.11\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [Jgovixejower] rundll32.exe "c:\windows\aroyokuyepebeham.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360 premier edition\engine\3.5.2.11\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli mqgrfg.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-20 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2010-1-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2010-1-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2010-1-9 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100128.002\IDSXpx86.sys [2010-1-30 329592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\3.5.2.11\ccSvcHst.exe [2010-1-9 117640]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-1-9 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-1-9 632576]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-8 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100130.008\NAVENG.SYS [2010-1-30 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100130.008\NAVEX15.SYS [2010-1-30 1323568]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-1-9 34064]

=============== Created Last 30 ================

2010-01-30 22:02:38 0 d-----w- c:\program files\Trend Micro
2010-01-30 19:33:24 51720 ----a-w- c:\program files\SafeStart.exe
2010-01-27 05:28:44 0 d-----w- c:\docume~1\chan\applic~1\eMusic
2010-01-27 05:28:36 0 d-----w- c:\program files\eMusic Download Manager
2010-01-22 17:36:15 488 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-21 03:44:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 03:40:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 03:40:04 0 d-----w- c:\program files\Lavasoft
2010-01-21 03:33:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-01-21 03:32:49 0 d-----w- c:\program files\common files\iS3
2010-01-21 03:32:48 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-01-20 14:02:05 0 d-----w- c:\docume~1\chan\applic~1\ZoomBrowser EX
2010-01-20 03:12:21 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-20 03:12:21 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-20 03:12:21 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-20 03:12:20 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-20 03:05:39 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2010-01-20 03:04:25 0 d-----w- c:\program files\Canon
2010-01-20 03:02:29 0 d-----w- c:\program files\common files\Canon
2010-01-19 04:49:01 0 d-----w- c:\docume~1\chan\applic~1\Uniblue
2010-01-19 04:30:19 0 d-----w- c:\windows\pss
2010-01-19 02:19:42 0 d-----w- c:\windows\system32\N360_BACKUP
2010-01-18 21:55:48 88 --sh--r- c:\docume~1\alluse~1\applic~1\0C54823919.sys
2010-01-18 21:55:48 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-18 21:50:26 0 d-----w- c:\program files\common files\Protexis
2010-01-18 21:50:26 0 d-----w- c:\program files\common files\Corel
2010-01-18 21:50:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
2010-01-18 21:44:53 0 d-----w- c:\program files\Corel
2010-01-18 21:30:23 867 ----a-w- c:\documents and settings\chan\.recently-used.xbel
2010-01-18 21:30:20 0 d-----w- c:\documents and settings\chan\.thumbnails
2010-01-18 21:28:02 0 d-----w- c:\documents and settings\chan\.gimp-2.6
2010-01-18 20:41:23 120 ----a-w- c:\windows\Ctuwihuvuwox.dat
2010-01-18 20:41:23 0 ----a-w- c:\windows\Oqopupukaleg.bin
2010-01-18 20:37:41 44032 ----a-w- c:\windows\npwu72278.exe
2010-01-18 20:31:05 0 d-----w- C:\sysmon
2010-01-16 10:38:57 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-16 09:03:37 0 d-----w- c:\windows\system32\scripting
2010-01-16 09:03:36 0 d-----w- c:\windows\system32\en
2010-01-16 09:03:36 0 d-----w- c:\windows\l2schemas
2010-01-16 09:03:35 0 d-----w- c:\windows\system32\bits
2010-01-16 08:57:24 0 d-----w- c:\windows\network diagnostic
2010-01-16 08:51:47 0 d-----w- c:\docume~1\chan\applic~1\CoreFTP
2010-01-14 00:24:20 35262 ----a-w- c:\windows\Chan.acl
2010-01-13 23:53:23 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 03:59:50 0 d-----w- c:\program files\MSXML 4.0
2010-01-12 02:57:16 913560 ----a-w- c:\windows\system32\wodFtpDLX.ocx
2010-01-12 02:57:16 319488 ----a-w- c:\windows\system32\PolarZIPLight.dll
2010-01-11 00:55:29 256 ----a-w- c:\windows\system32\pool.bin
2010-01-11 00:55:26 0 d-----w- c:\docume~1\chan\applic~1\Research In Motion
2010-01-11 00:28:59 0 d-----w- c:\program files\common files\Sonic Shared
2010-01-11 00:28:58 0 d-----w- c:\program files\Roxio
2010-01-11 00:24:08 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-01-11 00:23:20 0 d-----w- c:\program files\common files\Research In Motion
2010-01-11 00:23:11 0 d-----w- c:\program files\Research In Motion
2010-01-11 00:18:45 0 d-sh--w- c:\windows\ftpcache
2010-01-10 23:38:59 0 d-----w- C:\MC_TMP
2010-01-10 23:35:16 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-01-10 23:35:15 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-01-10 23:35:15 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-01-10 23:35:07 36864 ----a-w- c:\windows\system32\sddevmgr.dll
2010-01-10 23:07:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-01-10 23:05:07 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-01-10 16:07:51 0 d-----w- c:\docume~1\chan\applic~1\LimeWire
2010-01-10 16:06:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-10 16:06:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-10 16:05:58 0 d-----w- c:\program files\LimeWire
2010-01-10 15:07:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-01-10 15:07:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-01-10 15:06:35 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-01-10 05:00:51 4413 ---ha-w- C:\ffastun.ffa
2010-01-10 05:00:51 1544192 ---ha-w- C:\ffastun0.ffx
2010-01-10 05:00:51 147456 ---ha-w- C:\ffastun.ffo
2010-01-10 04:57:33 409600 ---ha-w- C:\ffastun.ffl
2010-01-10 04:53:18 0 d-----w- c:\program files\Jasc Software Inc
2010-01-10 03:32:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-01-10 03:32:31 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-01-10 03:32:29 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-01-10 03:31:42 922112 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-01-10 03:31:42 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-01-10 03:31:42 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-01-10 03:31:42 426496 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-01-10 03:31:42 426496 ------w- c:\windows\system32\imapi2.dll
2010-01-10 03:09:34 0 d-----w- c:\windows\system32\XPSViewer
2010-01-10 03:09:03 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-10 03:09:03 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-10 03:09:03 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-10 03:09:03 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-10 03:09:03 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-10 03:09:03 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-10 03:09:03 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-10 03:09:02 0 d-----w- C:\e09335edcf29482c04
2010-01-10 03:05:59 0 d-----w- c:\program files\MSXML 6.0
2010-01-10 03:05:04 0 d-----w- C:\56fd00982500ce1f6b522b34a5ae1d
2010-01-10 02:28:13 0 d-----w- c:\program files\iPod
2010-01-10 02:28:10 0 d-----w- c:\program files\iTunes
2010-01-10 02:28:10 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-10 02:27:50 0 d-----w- c:\program files\Bonjour
2010-01-10 01:54:15 0 d-----w- c:\windows\ServicePackFiles
2010-01-10 01:48:18 0 d-----w- c:\windows\system32\appmgmt
2010-01-10 01:45:15 352 ----a-w- c:\windows\system32\xpysys.dll
2010-01-10 01:38:27 0 d-----w- c:\docume~1\chan\applic~1\CoffeeCup Software
2010-01-10 01:37:38 233472 ----a-w- c:\windows\system32\Ilda32.dll
2010-01-10 01:37:38 18944 ----a-w- c:\windows\system32\BORLNDMM.DLL
2010-01-10 01:37:36 0 d-----w- c:\program files\CoffeeCup Software
2010-01-10 01:08:02 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-10 01:08:02 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-10 01:06:59 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-10 01:06:58 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-10 01:06:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-10 01:06:05 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-01-10 01:05:20 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-10 01:05:19 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-10 01:05:17 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-10 01:05:15 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-10 01:05:12 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-10 01:05:06 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-10 01:04:17 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-10 01:04:02 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-10 01:03:59 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-01-10 01:03:43 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-10 01:03:43 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-01-10 01:03:42 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-10 01:02:33 0 d-----w- c:\windows\system32\PreInstall
2010-01-10 00:53:43 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-10 00:53:43 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-10 00:53:35 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-01-10 00:53:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-10 00:53:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-10 00:53:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-10 00:53:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-10 00:53:33 0 d-----w- c:\program files\Symantec
2010-01-10 00:53:33 0 d-----w- c:\program files\common files\Symantec Shared
2010-01-10 00:53:10 0 d-----w- c:\windows\system32\drivers\N360
2010-01-10 00:53:07 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-01-09 23:47:08 0 d-----w- c:\windows\system32\LogFiles
2010-01-09 23:37:00 88696 ----a-w- c:\windows\system32\Packet.dll
2010-01-09 23:37:00 721920 ----a-w- c:\windows\system32\lsase4c0.rra
2010-01-09 23:37:00 68224 ----a-w- c:\windows\system32\WanPacket.dll
2010-01-09 23:37:00 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-01-09 23:37:00 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-01-09 23:37:00 499712 ----a-w- c:\windows\system32\msvcp71.DLL
2010-01-09 23:37:00 348160 ----a-w- c:\windows\system32\msvcr71.DLL
2010-01-09 23:37:00 34064 ----a-w- c:\windows\system32\drivers\npf.sys
2010-01-09 23:37:00 240248 ----a-w- c:\windows\system32\wpcap.dll
2010-01-09 23:37:00 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-01-09 23:36:59 89088 ----a-w- c:\windows\system32\ATL71.DLL
2010-01-09 23:36:59 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-01-09 23:36:58 0 d-----w- c:\program files\NETGEAR
2010-01-09 23:05:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-09 23:05:31 0 d-----w- c:\program files\NortonInstaller
2010-01-09 23:05:31 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-09 23:04:23 0 d-----w- c:\documents and settings\all users\Symantec Temporary Files
2010-01-09 22:56:15 0 d-sh--w- c:\documents and settings\chan\PrivacIE
2010-01-09 22:53:09 0 d-sh--w- c:\documents and settings\chan\IETldCache
2010-01-09 22:51:33 0 d-----w- c:\windows\ie8updates
2010-01-09 22:50:59 0 dc-h--w- c:\windows\ie8
2010-01-09 22:50:33 0 d--h--w- c:\windows\msdownld.tmp
2010-01-09 22:48:44 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-09 22:48:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-09 22:48:43 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-09 22:48:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-09 22:48:42 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-09 22:48:40 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-09 22:48:28 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-09 22:27:03 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-09 22:27:02 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-01-09 22:27:01 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-09 22:26:15 0 d-----w- c:\program files\SigmaTel
2010-01-09 22:25:18 0 d-----w- C:\cabs
2010-01-09 21:45:34 0 d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-01-24 16:46:49 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-14 01:48:36 62588 ----a-w- c:\windows\fonts\WHACUWI_.ttf
2010-01-14 01:48:36 61928 ----a-w- c:\windows\fonts\WHACUI__.ttf
2010-01-14 01:48:36 60916 ----a-w- c:\windows\fonts\WHACKAD_.ttf
2010-01-14 01:48:36 59408 ----a-w- c:\windows\fonts\WHACUW__.ttf
2010-01-14 01:48:36 58472 ----a-w- c:\windows\fonts\WHACU___.ttf
2010-01-14 01:48:28 32164 ----a-w- c:\windows\fonts\SWATRG__.TTF
2010-01-14 01:48:23 67836 ----a-w- c:\windows\fonts\opalo.ttf
2010-01-14 01:48:23 18660 ----a-w- c:\windows\fonts\opalo.otf
2010-01-14 01:48:16 21300 ----a-w- c:\windows\fonts\mulan.ttf
2010-01-14 01:47:47 70232 ----a-w- c:\windows\fonts\exmouth_.ttf
2010-01-14 01:47:41 32036 ----a-w- c:\windows\fonts\bubble_sharp.ttf
2010-01-14 01:47:36 23512 ----a-w- c:\windows\fonts\Aerofoil.ttf
2010-01-14 01:47:28 19916 ----a-w- c:\windows\fonts\ThreSixt_2.ttf
2010-01-14 01:47:28 19792 ----a-w- c:\windows\fonts\ThreSxCd.ttf
2010-01-14 01:47:23 82072 ----a-w- c:\windows\fonts\SCRIPTIN.ttf
2010-01-14 01:47:23 11652 ----a-w- c:\windows\fonts\SCRIPALT.ttf
2010-01-14 01:47:17 57996 ----a-w- c:\windows\fonts\ROMANTIC.TTF
2010-01-14 01:47:09 2004268 ----a-w- c:\windows\fonts\ANUNEDW_.TTF
2010-01-14 01:47:09 1792784 ----a-w- c:\windows\fonts\ANUNE___.TTF
2010-01-14 01:47:02 55637 ----a-w- c:\windows\fonts\Gabriele.PFB
2010-01-14 01:46:44 148896 ----a-w- c:\windows\fonts\Bleeding_Cowboys.ttf
2010-01-14 01:46:36 43699 ----a-w- c:\windows\fonts\MLSJN.TTF
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 16:52:47.46 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/30 16:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xADB58000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB95A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA558000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\chan\local settings\temp\bcg12.tmp
Status: Allocation size mismatch (API: 296, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg13.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg17.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg4.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg5.tmp
Status: Allocation size mismatch (API: 632, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg6.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg7.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg8.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcg9.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcga.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcgb.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcgc.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\bcgd.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\sqlite_qnhctwtlugyxv76
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\chan\local settings\temp\~dff2da.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x898a83f8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x898073f8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x897d0088

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x89792298

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89beb2e8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xae054130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8990ffc0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x897cbfc0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x899b2858

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89792378

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xae0543b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xae054910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x896de078

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89788080

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x899abad0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x899abbb0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x898b7208

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x897a2148

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89864348

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8968d060

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x897d0158

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89859d48

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x896de148

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8999af18

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x899b2700

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89668270

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89668330

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89792438

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xae054b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89864268

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89807498

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x898ab640

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89807558

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x897a2088

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89788150

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8980e220

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x89788e08

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x896c91d8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x897a4dc8

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x899b8638

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x89661f38

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x899bd300

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x899b62e8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x886f8050

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x898b03a0

==EOF==
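
The RootRepeal output above lists SSDT and Shadow SSDT hooks: four attributed to SYMEVENT.SYS (a Symantec component; Norton 360 is installed on this machine) and the rest to "<unknown>", which means RootRepeal could not map the hook target to any loaded module. The script below is an added example for this thread, not RootRepeal's own code and not something posted in the original discussion. It parses the report format and attributes each hook by checking whether the target address falls inside a listed driver's image range. The embedded report is a constructed excerpt of the lines above; the SYMEVENT.SYS driver entry with base 0xAE050000 and size 131072 is an assumption added so the range check has a module to resolve into, because the post's Drivers section does not list that driver.

```python
"""Sort the hooks in a RootRepeal report by the driver image that owns them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the RootRepeal output posted above. The SYMEVENT.SYS
# driver entry (base 0xAE050000, size 131072) is an ASSUMPTION added so the
# range check has a module to resolve into; the original post does not list it.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB95A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xAE050000 Size: 131072 File Visible: - Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xae054130

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8968d060

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89788150

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x89788e08

==EOF==
"""

# Shadow SSDT entries that read keyboard state or install message hooks; both
# keyloggers and anti-keylogging protection hook these, so they get listed apart.
INPUT_APIS = {
    "NtUserGetAsyncKeyState", "NtUserGetKeyboardState", "NtUserGetKeyState",
    "NtUserGetRawInputData", "NtUserAttachThreadInput", "NtUserSetWindowsHookEx",
}


@dataclass
class Driver:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Hook:
    table: str        # "SSDT" or "Shadow SSDT"
    function: str
    reported_by: str  # module RootRepeal named, or "<unknown>"
    address: int      # where the table entry now points


DRIVER_RE = re.compile(r"^Name: (?P<name>\S+)$")
ADDR_RE = re.compile(r"^Address: (?P<base>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)")
FUNC_RE = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<fn>\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "(?P<by>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)$')


def parse_report(text: str) -> Tuple[List[Driver], List[Hook]]:
    """Walk the report line by line, tracking which section we are in."""
    drivers: List[Driver] = []
    hooks: List[Hook] = []
    section: Optional[str] = None
    name: Optional[str] = None   # driver name waiting for its Address line
    fn: Optional[str] = None     # function name waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Drivers", "Hidden/Locked Files", "SSDT", "Shadow SSDT"):
            section = line
            continue
        if section == "Drivers":
            if m := DRIVER_RE.match(line):
                name = m.group("name")
            elif (m := ADDR_RE.match(line)) and name:
                drivers.append(Driver(name, int(m.group("base"), 16), int(m.group("size"))))
                name = None
        elif section in ("SSDT", "Shadow SSDT"):
            if m := FUNC_RE.match(line):
                fn = m.group("fn")
            elif (m := HOOK_RE.match(line)) and fn:
                hooks.append(Hook(section, fn, m.group("by"), int(m.group("addr"), 16)))
                fn = None
    return drivers, hooks


def attribute(hook: Hook, drivers: List[Driver]) -> Optional[str]:
    """Name the listed driver whose image range contains the hook target."""
    for d in drivers:
        if d.contains(hook.address):
            return d.name
    return None


def triage(text: str) -> dict:
    """Group hooked functions by owning driver and pull out input-API hooks."""
    drivers, hooks = parse_report(text)
    by_owner: Dict[str, List[str]] = {}
    for h in hooks:
        by_owner.setdefault(attribute(h, drivers) or "<unattributed>", []).append(h.function)
    return {
        "by_owner": by_owner,
        "input_api_hooks": [h.function for h in hooks if h.function in INPUT_APIS],
    }


if __name__ == "__main__":
    for owner, fns in triage(SAMPLE_REPORT)["by_owner"].items():
        print(f"{owner}: {', '.join(fns)}")
```

Run it as a script for a per-owner summary, or pass a full RootRepeal log to triage(). The result only sorts the hooks: a target that lies in no listed driver image (the 0x89xxxxxx addresses above are kernel memory outside any listed image) looks the same whether a security product or a rootkit placed the trampoline, which is why the helper asks for further scans rather than judging from this log alone.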



#2 Buckeye_Sam
Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 05:09 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 christians_sin
Topic Starter

  • Members
  • 10 posts

Posted 31 January 2010 - 09:00 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/31/2010 7:39:34 AM
mbam-log-2010-01-31 (07-39-34).txt

Scan type: Quick Scan
Objects scanned: 123173
Time elapsed: 10 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13






OTL logfile created on: 1/31/2010 7:53:27 AM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Chan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 90.89 Gb Free Space | 81.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HEBERT
Current User Name: Chan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/31 07:52:32 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTL.exe
PRC - [2010/01/30 15:44:39 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/30 15:44:36 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/01/09 18:53:29 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
PRC - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/06/16 14:36:22 | 003,272,704 | ---- | M] () -- C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
PRC - [2009/06/04 15:49:18 | 000,278,528 | ---- | M] () -- C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/06/19 00:40:15 | 000,065,536 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/12/27 09:20:14 | 000,413,696 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2004/08/10 13:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [1997/08/19 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/31 07:52:32 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTL.exe
MOD - [2010/01/09 18:53:21 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/30 15:44:36 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/01/18 15:35:10 | 000,044,576 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/09 18:53:29 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe -- (N360)
SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/04 13:17:00 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 13:16:54 | 005,893,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/06/04 15:49:18 | 000,278,528 | ---- | M] () [Auto | Running] -- C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe -- (WSWNDA3100)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/06/08 12:24:48 | 000,313,840 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2008/06/08 12:24:44 | 000,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2008/06/08 12:24:26 | 001,108,464 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2008/04/13 18:12:02 | 000,065,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\nwwks.dll -- (NWCWorkstation)
SRV - [2007/12/06 23:20:56 | 000,088,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/12/06 23:20:52 | 000,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/06/19 00:40:15 | 000,065,536 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/10/22 03:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\S-1-5-21-4207527102-2750839108-3553683192-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\S-1-5-21-4207527102-2750839108-3553683192-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/01/26 23:28:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2010/01/26 23:28:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6AAF9B4C-5031-42E5-8486-B5999797F799}: C:\Documents and Settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799} [2010/01/18 14:41:23 | 000,000,000 | ---D | M]

[2010/01/10 10:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Mozilla\Extensions
[2010/01/10 10:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2004/08/10 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Jgovixejower] C:\WINDOWS\aroyokuyepebeham.DLL (AGEIA Technologies, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-4207527102-2750839108-3553683192-1006_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.105.2.2 10.105.2.4
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Chan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Chan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 03:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/12/29 21:20:36 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - C:\WINDOWS\system32\nwwks.dll (Microsoft Corporation)
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17736316556935168)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/31 07:52:26 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTL.exe
[2010/01/31 07:26:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\Malwarebytes
[2010/01/31 07:26:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/31 07:26:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/31 07:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/31 07:26:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/31 07:26:23 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2010/01/30 16:02:38 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/26 23:28:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Local Settings\Application Data\eMusic
[2010/01/26 23:28:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\eMusic
[2010/01/26 23:28:42 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Chan\My Documents\My eMusic
[2010/01/26 23:28:36 | 000,000,000 | ---D | C] -- C:\Program Files\eMusic Download Manager
[2010/01/26 20:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/01/20 21:44:12 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/01/20 21:40:33 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/20 21:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/20 21:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/20 21:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/01/20 21:32:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/01/20 21:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/01/20 12:02:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\Charlie and Jackie
[2010/01/20 08:02:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\ZoomBrowser EX
[2010/01/19 21:50:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Local Settings\Application Data\Identities
[2010/01/19 21:13:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\Canon
[2010/01/19 21:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Local Settings\Application Data\CANON_INC
[2010/01/19 21:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2010/01/19 21:04:25 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2010/01/19 21:02:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Canon
[2010/01/18 22:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\Uniblue
[2010/01/18 22:43:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/01/18 22:30:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/18 20:19:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\N360_BACKUP
[2010/01/18 15:56:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\My Documents\My Corel Shows
[2010/01/18 15:56:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Local Settings\Application Data\Corel
[2010/01/18 15:52:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\Corel
[2010/01/18 15:50:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Protexis
[2010/01/18 15:50:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Corel
[2010/01/18 15:50:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Corel
[2010/01/18 15:44:53 | 000,000,000 | ---D | C] -- C:\Program Files\Corel
[2010/01/18 15:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/01/18 15:35:10 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/01/18 15:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Application Data\gtk-2.0
[2010/01/18 15:30:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\.thumbnails
[2010/01/18 15:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\.gimp-2.6
[2010/01/18 15:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\My Documents\gegl-0.0
[2010/01/18 14:41:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799}
[2010/01/18 14:37:41 | 000,044,032 | ---- | C] (ImTOO Software Studio) -- C:\WINDOWS\npwu72278.exe
[2010/01/18 14:31:05 | 000,000,000 | ---D | C] -- C:\sysmon
[2010/01/10 18:56:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2010/01/09 21:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/06/17 03:45:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/06/17 03:45:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/06/17 03:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/31 07:52:32 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTL.exe
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/31 07:45:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/31 07:45:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/31 07:43:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Chan\ntuser.ini
[2010/01/31 07:43:34 | 002,359,296 | -H-- | M] () -- C:\Documents and Settings\Chan\NTUSER.DAT
[2010/01/31 07:43:13 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Malwarebytes.doc
[2010/01/31 07:26:52 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/31 07:26:23 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2010/01/30 19:32:55 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ctuwihuvuwox.dat
[2010/01/30 19:26:48 | 001,544,192 | -H-- | M] () -- C:\ffastun0.ffx
[2010/01/30 19:26:48 | 000,409,600 | -H-- | M] () -- C:\ffastun.ffl
[2010/01/30 19:26:48 | 000,147,456 | -H-- | M] () -- C:\ffastun.ffo
[2010/01/30 19:26:48 | 000,004,413 | -H-- | M] () -- C:\ffastun.ffa
[2010/01/30 18:06:26 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/01/30 16:48:32 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/30 16:48:32 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/30 16:48:32 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/30 16:02:39 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\HijackThis.lnk
[2010/01/30 15:10:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/30 13:26:23 | 000,000,088 | RHS- | M] () -- C:\Documents and Settings\All Users\Application Data\0C54823919.sys
[2010/01/30 13:26:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Oqopupukaleg.bin
[2010/01/30 13:23:11 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/26 20:58:44 | 000,040,823 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\2009_Federal_Return.pdf
[2010/01/26 20:49:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/24 14:38:00 | 000,121,528 | ---- | M] () -- C:\Documents and Settings\Chan\My Documents\test3.gif
[2010/01/24 12:09:45 | 000,123,200 | ---- | M] () -- C:\Documents and Settings\Chan\My Documents\test5.gif
[2010/01/24 11:25:00 | 000,122,811 | ---- | M] () -- C:\Documents and Settings\Chan\My Documents\test.gif
[2010/01/22 12:07:19 | 000,000,488 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/01/19 21:54:17 | 000,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/19 21:54:17 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/19 21:54:17 | 000,000,197 | RHS- | M] () -- C:\boot.ini
[2010/01/18 23:11:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/18 15:57:00 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\Chan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/18 15:30:23 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\Chan\.recently-used.xbel
[2010/01/18 14:37:41 | 000,044,032 | ---- | M] (ImTOO Software Studio) -- C:\WINDOWS\npwu72278.exe
[2010/01/18 14:18:07 | 000,177,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/31 07:43:13 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Malwarebytes.doc
[2010/01/31 07:26:52 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/30 16:02:39 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\HijackThis.lnk
[2010/01/26 20:58:44 | 000,040,823 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\2009_Federal_Return.pdf
[2010/01/24 14:38:00 | 000,121,528 | ---- | C] () -- C:\Documents and Settings\Chan\My Documents\test3.gif
[2010/01/24 12:09:45 | 000,123,200 | ---- | C] () -- C:\Documents and Settings\Chan\My Documents\test5.gif
[2010/01/24 11:24:59 | 000,122,811 | ---- | C] () -- C:\Documents and Settings\Chan\My Documents\test.gif
[2010/01/22 11:36:15 | 000,000,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/01/20 21:44:50 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/20 21:44:50 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/20 21:44:50 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/20 21:44:50 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/20 21:44:50 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/18 15:55:48 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/01/18 15:55:48 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\0C54823919.sys
[2010/01/18 15:30:23 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\Chan\.recently-used.xbel
[2010/01/18 14:41:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ctuwihuvuwox.dat
[2010/01/18 14:41:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oqopupukaleg.bin
[2010/01/16 04:38:57 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/01/13 19:09:53 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Chan\Local Settings\Application Data\fusioncache.dat
[2010/01/09 21:38:38 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Chan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/09 19:45:34 | 000,157,696 | ---- | C] () -- C:\Documents and Settings\Chan\Application Data\SharedSettings.ccs
[2010/01/09 19:45:15 | 000,000,352 | ---- | C] () -- C:\WINDOWS\System32\xpysys.dll
[2010/01/09 17:37:00 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/06/21 03:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 03:24:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 03:24:57 | 000,000,445 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/05 22:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[1997/08/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2010/01/20 21:33:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/01/22 12:09:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/01/09 20:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/20 21:40:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/19 21:13:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Canon
[2010/01/10 19:43:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\CoffeeCup Software
[2010/01/16 02:57:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\CoreFTP
[2010/01/26 23:28:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\eMusic
[2010/01/18 15:31:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\gtk-2.0
[2010/01/18 14:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\LimeWire
[2010/01/10 17:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Panasonic
[2010/01/10 18:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Research In Motion
[2010/01/18 22:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chan\Application Data\Uniblue
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/01/31 07:50:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 13:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/01/16 02:54:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/10 13:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2010/01/16 02:54:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 17:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 13:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/01/16 02:54:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/10 13:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2010/01/16 02:54:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/10 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\I386\DRV\SCS\iastor.sys
[2010/01/24 10:46:49 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/10 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 18:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2009/12/21 13:14:03 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< >
< End of report >

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: mqgrfg.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mqgrfg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 1 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 2 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 2 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 3 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 3 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 4 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 4 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 5 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 5 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 6 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 6 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\SafeStart.exe (Rogue.Installer) -> Quarantined and deleted successfully.


OTL Extras logfile created on: 1/31/2010 7:53:27 AM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Chan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 90.89 Gb Free Space | 81.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HEBERT
Current User Name: Chan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Corel Paint Shop Pro Photo X2] -- "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C7839E7-21F4-49E0-B4D5-AC8ED818CCB0}" = NETGEAR WNDA3100v2 wireless USB 2.0 adapter
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{459E93B6-150E-45d5-8D4B-45C66FC035FE}" = getPlus® Download Manager for Corel
"{5F638781-7754-411F-974C-F20F27292E24}" = VideoCam Suite
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7CB1E63B-C999-4D17-8133-E138F41D9ECF}" = BlackBerry Desktop Software 4.6
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9EDF1A5D-D8E0-413E-9782-75DD4A8C831B}" = VideoCam Suite 1.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon Camera WIA Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EC90EAE9-0E03-44A1-BF36-0B670B8B8E19}" = CoffeeCup Direct FTP
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6377647-81AF-41C0-BC7E-06CF37E204AB}" = Roxio Media Manager
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"BlackBerry_{7CB1E63B-C999-4D17-8133-E138F41D9ECF}" = BlackBerry Desktop Software 4.6
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 3.4
"eMusic Download Manager" = eMusic Download Manager 4.1.4
"EOS Utility" = Canon Utilities EOS Utility
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon EOS 5D WIA Driver
"LimeWire" = LimeWire 5.4.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"N360" = Norton 360 Premier Edition
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"Word8.0" = Microsoft Word 97
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/10/2010 9:29:49 PM | Computer Name = HEBERT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/11/2010 10:10:48 PM | Computer Name = HEBERT | Source = WPDMTPDriver | ID = 80836
Description =

Error - 1/13/2010 10:36:01 PM | Computer Name = HEBERT | Source = Application Error | ID = 1000
Description = Faulting application psp.exe, version 7.0.0.0, faulting module psp.exe,
version 7.0.0.0, fault address 0x0015ef57.

Error - 1/16/2010 4:40:02 AM | Computer Name = HEBERT | Source = Application Hang | ID = 1002
Description = Hanging application psp.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/16/2010 4:40:38 AM | Computer Name = HEBERT | Source = Application Hang | ID = 1001
Description = Fault bucket 02023212.

Error - 1/16/2010 4:41:12 AM | Computer Name = HEBERT | Source = Application Hang | ID = 1002
Description = Hanging application psp.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/16/2010 4:42:29 AM | Computer Name = HEBERT | Source = Application Hang | ID = 1002
Description = Hanging application psp.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/20/2010 11:47:54 AM | Computer Name = HEBERT | Source = Application Error | ID = 1000
Description = Faulting application corel paint shop pro photo.exe, version 12.5.0.0,
faulting module cmdbase2.dll, version 12.5.0.0, fault address 0x00066aa6.

Error - 1/20/2010 11:40:47 PM | Computer Name = HEBERT | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/26/2010 9:46:51 PM | Computer Name = HEBERT | Source = Application Error | ID = 1000
Description = Faulting application wnda3100v2.exe, version 1.0.2.23, faulting module
wnda3100v2.exe, version 1.0.2.23, fault address 0x000382a3.

[ System Events ]
Error - 1/26/2010 12:26:30 PM | Computer Name = HEBERT | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
DORIS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9110667A-CB20-4984-925.
The
master browser is stopping or an election is being forced.

Error - 1/26/2010 9:13:27 PM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.

Error - 1/26/2010 9:15:27 PM | Computer Name = HEBERT | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.3 for the Network Card with network
address 0024B2F6624F has been denied by the DHCP server 10.105.88.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/27/2010 1:44:12 AM | Computer Name = HEBERT | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 1/27/2010 1:50:43 AM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/27/2010 1:50:43 AM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/30/2010 3:24:35 PM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.

Error - 1/30/2010 9:48:18 PM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/30/2010 9:48:18 PM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/31/2010 9:21:37 AM | Computer Name = HEBERT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.


< End of report >


#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 09:39 AM

You only posted part of the Malwarebytes log. I need to see the entire log.

Open Malwarebytes.
Select the Logs tab.
Open the log from the scan that you did.
Copy and paste the entire log back here.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 09:42 AM

Never mind, I see that second part of the log down after the end of the first OTL log.


We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here.



========================================================

#6 christians_sin

  • Topic Starter
  • Members
  • 10 posts

Posted 31 January 2010 - 09:43 AM

I'm sorry,


Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/31/2010 7:39:34 AM
mbam-log-2010-01-31 (07-39-34).txt

Scan type: Quick Scan
Objects scanned: 123173
Time elapsed: 10 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: mqgrfg.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mqgrfg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 1 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 2 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 2 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 3 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 3 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 4 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 4 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 5 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 5 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 6 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 6 for Jasc Paint Shop Pro 9 01 By SerdaL.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\SafeStart.exe (Rogue.Installer) -> Quarantined and deleted successfully.


#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 09:47 AM

I think we may have been posting at the same time. Did you see my previous post?


========================================================

#8 christians_sin

  • Topic Starter
  • Members
  • 10 posts

Posted 31 January 2010 - 09:49 AM

08:48:34:375 8096 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
08:48:34:375 8096 ================================================================================
08:48:34:375 8096 SystemInfo:

08:48:34:375 8096 OS Version: 5.1.2600 ServicePack: 3.0
08:48:34:375 8096 Product type: Workstation
08:48:34:375 8096 ComputerName: HEBERT
08:48:34:375 8096 UserName: Chan
08:48:34:375 8096 Windows directory: C:\WINDOWS
08:48:34:375 8096 Processor architecture: Intel x86
08:48:34:375 8096 Number of processors: 2
08:48:34:375 8096 Page size: 0x1000
08:48:34:375 8096 Boot type: Normal boot
08:48:34:375 8096 ================================================================================
08:48:34:390 8096 UnloadDriverW: NtUnloadDriver error 2
08:48:34:390 8096 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:48:34:390 8096 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
08:48:34:484 8096 UtilityInit: KLMD drop and load success
08:48:34:484 8096 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
08:48:34:484 8096 UtilityInit: KLMD open success
08:48:34:484 8096 UtilityInit: Initialize success
08:48:34:484 8096
08:48:34:484 8096 Scanning Services ...
08:48:34:484 8096 CreateRegParser: Registry parser init started
08:48:34:484 8096 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
08:48:34:484 8096 CreateRegParser: DisableWow64Redirection error
08:48:34:484 8096 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:48:34:484 8096 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
08:48:34:484 8096 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:48:34:484 8096 wfopen_ex: Trying to KLMD file open
08:48:34:484 8096 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
08:48:34:484 8096 wfopen_ex: File opened ok (Flags 2)
08:48:34:484 8096 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264948
08:48:34:484 8096 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:48:34:484 8096 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
08:48:34:484 8096 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:48:34:484 8096 wfopen_ex: Trying to KLMD file open
08:48:34:484 8096 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
08:48:34:484 8096 wfopen_ex: File opened ok (Flags 2)
08:48:34:484 8096 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 2649F0
08:48:34:484 8096 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
08:48:34:484 8096 CreateRegParser: EnableWow64Redirection error
08:48:34:484 8096 CreateRegParser: RegParser init completed
08:48:34:546 8096 GetAdvancedServicesInfo: Raw services enum returned 368 services
08:48:34:546 8096 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:48:34:546 8096 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:48:34:546 8096
08:48:34:562 8096 Scanning Kernel memory ...
08:48:34:562 8096 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
08:48:34:562 8096 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89D34C08
08:48:34:562 8096 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
08:48:34:562 8096
08:48:34:562 8096 DetectCureTDL3: DEVICE_OBJECT: 8A72A438
08:48:34:562 8096 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A72A438
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A72A438[0x38]
08:48:34:562 8096 DetectCureTDL3: DRIVER_OBJECT: 89D34C08
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x89D34C08[0xA8]
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0xE1008AD8[0x18]
08:48:34:562 8096 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
08:48:34:562 8096 DetectCureTDL3: IrpHandler (0) addr: BA99EBB0
08:48:34:562 8096 DetectCureTDL3: IrpHandler (1) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (2) addr: BA99EBB0
08:48:34:562 8096 DetectCureTDL3: IrpHandler (3) addr: BA998D1F
08:48:34:562 8096 DetectCureTDL3: IrpHandler (4) addr: BA998D1F
08:48:34:562 8096 DetectCureTDL3: IrpHandler (5) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (6) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (7) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (8) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (9) addr: BA9992E2
08:48:34:562 8096 DetectCureTDL3: IrpHandler (10) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (11) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (12) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (13) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (14) addr: BA9993BB
08:48:34:562 8096 DetectCureTDL3: IrpHandler (15) addr: BA99CF28
08:48:34:562 8096 DetectCureTDL3: IrpHandler (16) addr: BA9992E2
08:48:34:562 8096 DetectCureTDL3: IrpHandler (17) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (18) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (19) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (20) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (21) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (22) addr: BA99AC82
08:48:34:562 8096 DetectCureTDL3: IrpHandler (23) addr: BA99F99E
08:48:34:562 8096 DetectCureTDL3: IrpHandler (24) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (25) addr: 804F4562
08:48:34:562 8096 DetectCureTDL3: IrpHandler (26) addr: 804F4562
08:48:34:562 8096 TDL3_FileDetect: Processing driver: Disk
08:48:34:562 8096 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
08:48:34:562 8096 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
08:48:34:562 8096 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:48:34:562 8096
08:48:34:562 8096 DetectCureTDL3: DEVICE_OBJECT: 8A6F2AB8
08:48:34:562 8096 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6F2AB8
08:48:34:562 8096 DetectCureTDL3: DEVICE_OBJECT: 8A6F6438
08:48:34:562 8096 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6F6438
08:48:34:562 8096 DetectCureTDL3: DEVICE_OBJECT: 8A724030
08:48:34:562 8096 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A724030
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A724030[0x38]
08:48:34:562 8096 DetectCureTDL3: DRIVER_OBJECT: 89D34030
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x89D34030[0xA8]
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A689468[0x38]
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A689F38[0xA8]
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0xE1015FE0[0x1C]
08:48:34:562 8096 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
08:48:34:562 8096 DetectCureTDL3: IrpHandler (0) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (1) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (2) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (3) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (4) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (5) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (6) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (7) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (8) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (9) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (10) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (11) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (12) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (13) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (14) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (15) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (16) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (17) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (18) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (19) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (20) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (21) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (22) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (23) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (24) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (25) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: IrpHandler (26) addr: 8A624856
08:48:34:562 8096 DetectCureTDL3: All IRP handlers pointed to one addr: 8A624856
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A624856[0x400]
08:48:34:562 8096 TDL3_IrpHookDetect: TDL3 is already cured
08:48:34:562 8096 KLMD_ReadMem: Trying to ReadMemory 0x8A624701[0x400]
08:48:34:562 8096 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
08:48:34:562 8096 TDL3_FileDetect: Processing driver: iaStor
08:48:34:562 8096 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
08:48:34:562 8096 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
08:48:34:562 8096 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS - Verdict: Infected
08:48:34:562 8096 File C:\WINDOWS\system32\DRIVERS\IASTOR.SYS infected by TDSS rootkit ...
08:48:34:562 8096 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
08:48:34:562 8096 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
08:48:34:562 8096 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
08:48:34:593 8096 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
08:48:34:593 8096 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
08:48:34:593 8096 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
08:48:34:609 8096 TDL3_FileCure: Backup copy not found, trying to cure infected file..
08:48:34:609 8096 TDL3_FileCure: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS - Verdict: Cure failed (FFFFFFFF)
08:48:34:609 8096 cure failed
08:48:34:609 8096
08:48:34:609 8096 Completed
08:48:34:609 8096
08:48:34:609 8096 Results:
08:48:34:609 8096 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
08:48:34:609 8096 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:48:34:609 8096 File objects infected / cured / cured on reboot: 1 / 0 / 0
08:48:34:609 8096
08:48:34:625 8096 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
08:48:34:625 8096 UtilityDeinit: KLMD(ARK) unloaded successfully


#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 09:57 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.




========================================================

#10 christians_sin

  • Topic Starter
  • Members
  • 10 posts

Posted 31 January 2010 - 11:10 AM

I installed it and followed the instructions; I'm just making sure that it should take this long, or should I do something else? It's been at the scanning stage for over an hour now.

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 01:06 PM

No, a typical scan should take around 20 minutes or so depending on how much your drive is. If it's still stuck you can use task manager to stop it. Then let's try it again with a variation.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#12 christians_sin

  • Topic Starter
  • Members
  • 10 posts

Posted 31 January 2010 - 02:10 PM

I tried Task Manager, but it wouldn't shut the program down. Had to do a hard shut down. Finally got it to run the program. Now, not sure if this is related or just something else, my NetGear won't open so I can connect to the internet.
Here's the log:

ComboFix 10-01-30.07 - Chan 01/31/2010 12:43:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1560 [GMT -6:00]
Running from: c:\documents and settings\Chan\Desktop\Combo-Fix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799}\chrome.manifest
c:\documents and settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799}\chrome\content\_cfg.js
c:\documents and settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799}\chrome\content\overlay.xul
c:\documents and settings\Chan\Local Settings\Application Data\{6AAF9B4C-5031-42E5-8486-B5999797F799}\install.rdf
c:\windows\aroyokuyepebeham.dll
c:\windows\kb913800.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xpysys.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-31 13:26 . 2010-01-31 13:26 -------- d-----w- c:\documents and settings\Chan\Application Data\Malwarebytes
2010-01-31 13:26 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 13:26 . 2010-01-31 13:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 13:26 . 2010-01-31 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 13:26 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 01:30 . 2010-01-09 05:21 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\NAVENG.SYS
2010-01-31 01:30 . 2010-01-09 05:21 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\EECTRL.SYS
2010-01-31 01:30 . 2010-01-09 05:21 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\CCERASER.DLL
2010-01-31 01:30 . 2010-01-09 05:21 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\ECMSVR32.DLL
2010-01-31 01:30 . 2010-01-09 05:21 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\NAVENG32.DLL
2010-01-31 01:30 . 2010-01-09 05:21 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\NAVEX32A.DLL
2010-01-31 01:30 . 2010-01-09 05:21 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\NAVEX15.SYS
2010-01-31 01:30 . 2010-01-09 05:21 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100130.021\ERASER.SYS
2010-01-30 22:02 . 2010-01-30 22:02 -------- d-----w- c:\program files\Trend Micro
2010-01-30 21:45 . 2010-01-30 21:45 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-30 21:45 . 2010-01-30 21:45 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-30 21:45 . 2010-01-30 21:45 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-21 03:42 . 2010-01-30 21:44 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-21 03:42 . 2010-01-30 21:44 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-21 03:42 . 2010-01-30 21:44 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-21 03:42 . 2010-01-30 21:44 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-21 03:42 . 2010-01-30 21:44 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-21 03:40 . 2010-01-21 03:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 03:40 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-21 03:40 . 2010-01-21 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-21 03:40 . 2010-01-21 03:40 -------- d-----w- c:\program files\Lavasoft
2010-01-21 03:33 . 2010-01-21 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-21 03:32 . 2010-01-21 03:32 -------- d-----w- c:\program files\Common Files\iS3
2010-01-21 03:32 . 2010-01-22 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-20 14:02 . 2010-01-20 14:02 -------- d-----w- c:\documents and settings\Chan\Application Data\ZoomBrowser EX
2010-01-20 03:50 . 2010-01-20 03:50 -------- d-----w- c:\documents and settings\Chan\Local Settings\Application Data\Identities
2010-01-20 03:13 . 2010-01-20 03:13 -------- d-----w- c:\documents and settings\Chan\Application Data\Canon
2010-01-20 03:12 . 2010-01-20 03:12 -------- d-----w- c:\documents and settings\Chan\Local Settings\Application Data\CANON_INC
2010-01-20 03:12 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-20 03:12 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-20 03:12 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-20 03:12 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-20 03:05 . 2010-01-20 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-20 03:04 . 2010-01-20 03:06 -------- d-----w- c:\program files\Canon
2010-01-20 03:02 . 2010-01-20 03:02 -------- d-----w- c:\program files\Common Files\Canon
2010-01-19 04:49 . 2010-01-19 04:49 -------- d-----w- c:\documents and settings\Chan\Application Data\Uniblue
2010-01-19 04:43 . 2010-01-19 04:43 -------- d-----w- c:\windows\Sun
2010-01-19 02:19 . 2010-01-19 02:19 -------- d-----w- c:\windows\system32\N360_BACKUP
2010-01-18 21:56 . 2010-01-30 19:27 -------- d-----w- c:\documents and settings\Chan\Local Settings\Application Data\Corel
2010-01-18 21:55 . 2010-01-31 00:06 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-18 21:55 . 2010-01-30 19:26 88 --sh--r- c:\documents and settings\All Users\Application Data\0C54823919.sys
2010-01-18 21:52 . 2010-01-18 21:55 -------- d-----w- c:\documents and settings\Chan\Application Data\Corel
2010-01-18 21:50 . 2010-01-18 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-01-18 21:50 . 2010-01-18 21:51 -------- d-----w- c:\program files\Common Files\Corel
2010-01-18 21:50 . 2010-01-18 21:50 -------- d-----w- c:\program files\Common Files\Protexis
2010-01-18 21:44 . 2010-01-18 21:50 -------- d-----w- c:\program files\Corel
2010-01-18 21:35 . 2010-01-18 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-18 21:35 . 2010-01-18 21:35 -------- d-----w- c:\program files\NOS
2010-01-18 21:30 . 2010-01-18 21:31 -------- d-----w- c:\documents and settings\Chan\Application Data\gtk-2.0
2010-01-18 21:30 . 2010-01-18 21:30 -------- d-----w- c:\documents and settings\Chan\.thumbnails
2010-01-18 21:28 . 2010-01-18 21:33 -------- d-----w- c:\documents and settings\Chan\.gimp-2.6
2010-01-18 20:48 . 2010-01-18 20:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-18 20:41 . 2010-01-31 18:20 0 ----a-w- c:\windows\Oqopupukaleg.bin
2010-01-18 20:41 . 2010-01-31 18:20 120 ----a-w- c:\windows\Ctuwihuvuwox.dat
2010-01-18 20:37 . 2010-01-18 20:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-18 20:37 . 2010-01-18 20:37 44032 ----a-w- c:\windows\npwu72278.exe
2010-01-18 20:31 . 2010-01-18 20:31 -------- d-----w- C:\sysmon
2010-01-16 10:38 . 2010-01-16 10:40 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-16 09:03 . 2010-01-16 09:03 -------- d-----w- c:\windows\system32\scripting
2010-01-16 09:03 . 2010-01-16 09:03 -------- d-----w- c:\windows\l2schemas
2010-01-16 09:03 . 2010-01-16 09:03 -------- d-----w- c:\windows\system32\en
2010-01-16 09:03 . 2010-01-16 09:03 -------- d-----w- c:\windows\system32\bits
2010-01-16 08:51 . 2010-01-16 08:57 -------- d-----w- c:\documents and settings\Chan\Application Data\CoreFTP
2010-01-16 08:39 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\Scxpx86.dll
2010-01-16 08:39 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSvix86.sys
2010-01-16 08:39 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSXpx86.sys
2010-01-16 08:39 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSxpx86.dll
2010-01-16 08:39 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSviA64.sys
2010-01-14 01:35 . 2010-01-16 08:37 -------- d-----w- c:\documents and settings\Chan\Local Settings\Application Data\Google
2010-01-14 01:35 . 2010-01-16 08:38 -------- d-----w- c:\program files\Google
2010-01-14 01:09 . 2010-01-14 01:09 127 ----a-w- c:\documents and settings\Chan\Local Settings\Application Data\fusioncache.dat
2010-01-13 23:53 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 03:59 . 2010-01-12 03:59 -------- d-----w- c:\program files\MSXML 4.0
2010-01-12 02:57 . 2004-08-24 17:06 319488 ----a-w- c:\windows\system32\PolarZIPLight.dll
2010-01-11 00:56 . 2010-01-11 00:56 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-01-11 00:56 . 2010-01-11 00:56 -------- d-----w- c:\documents and settings\Chan\Application Data\Roxio
2010-01-11 00:55 . 2010-01-11 01:18 256 ----a-w- c:\windows\system32\pool.bin
2010-01-11 00:55 . 2010-01-11 00:55 -------- d-----w- c:\documents and settings\Chan\Application Data\Research In Motion
2010-01-11 00:53 . 2010-01-11 00:53 152576 ----a-w- c:\documents and settings\Chan\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-11 00:53 . 2010-01-11 00:53 79488 ----a-w- c:\documents and settings\Chan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-11 00:30 . 2010-01-11 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-01-11 00:30 . 2010-01-11 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-01-11 00:28 . 2010-01-11 00:28 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-11 00:28 . 2010-01-11 00:29 -------- d-----w- c:\program files\Roxio
2010-01-11 00:28 . 2010-01-11 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-11 00:28 . 2010-01-11 00:29 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-11 00:24 . 2007-01-18 16:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-01-11 00:23 . 2010-01-11 00:23 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-11 00:23 . 2010-01-11 00:23 -------- d-----w- c:\program files\Research In Motion
2010-01-11 00:18 . 2010-01-11 00:18 -------- d-sh--w- c:\windows\ftpcache
2010-01-10 23:39 . 2010-01-10 23:39 -------- d-----w- c:\documents and settings\Chan\Application Data\Panasonic
2010-01-10 23:38 . 2010-01-10 23:38 -------- d-----w- C:\MC_TMP
2010-01-10 23:35 . 2006-02-21 01:17 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-01-10 23:35 . 2007-06-15 18:57 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-01-10 23:35 . 2007-06-15 18:57 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-01-10 23:35 . 2004-11-20 00:21 36864 ----a-w- c:\windows\system32\sddevmgr.dll
2010-01-10 23:34 . 2010-01-10 23:34 -------- d-----w- c:\program files\Panasonic
2010-01-10 23:07 . 2010-01-10 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-10 16:06 . 2009-10-11 10:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-10 16:06 . 2010-01-11 00:54 -------- d-----w- c:\program files\Java
2010-01-10 16:06 . 2010-01-10 16:06 152576 ----a-w- c:\documents and settings\Chan\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-10 16:05 . 2010-01-10 16:06 -------- d-----w- c:\program files\LimeWire
2010-01-10 04:53 . 2010-01-16 10:59 -------- d-----w- c:\program files\Jasc Software Inc
2010-01-10 03:32 . 2008-11-08 00:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-01-10 03:32 . 2010-01-10 03:33 -------- d-----w- c:\program files\Zune
2010-01-10 03:31 . 2009-11-13 22:57 922112 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-01-10 03:31 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-01-10 03:31 . 2009-11-13 22:57 426496 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-01-10 03:31 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2010-01-10 03:31 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-01-10 03:30 . 2010-01-10 15:06 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-10 03:05 . 2010-01-10 03:05 -------- d-----w- c:\program files\MSXML 6.0
2010-01-10 03:05 . 2010-01-10 03:11 -------- d-----w- C:\56fd00982500ce1f6b522b34a5ae1d
2010-01-10 02:28 . 2010-01-10 02:29 -------- d-----w- c:\documents and settings\Chan\Application Data\Apple Computer
2010-01-10 02:28 . 2010-01-10 02:28 -------- d-----w- c:\program files\iPod
2010-01-10 02:28 . 2010-01-10 02:28 -------- d-----w- c:\program files\iTunes
2010-01-10 02:28 . 2010-01-10 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-10 02:27 . 2010-01-10 02:27 -------- d-----w- c:\program files\Bonjour
2010-01-10 02:27 . 2010-01-19 04:35 -------- d-----w- c:\program files\QuickTime
2010-01-10 02:27 . 2010-01-10 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 18:15 . 2006-08-18 23:56 246784 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-01-30 21:45 . 2010-01-21 03:44 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-30 21:45 . 2010-01-21 03:43 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-30 21:45 . 2010-01-21 03:43 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-30 21:45 . 2010-01-21 03:43 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-30 21:45 . 2010-01-21 03:43 389272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-30 21:45 . 2010-01-21 03:43 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-30 21:45 . 2010-01-21 03:42 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-30 21:45 . 2010-01-30 21:45 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-30 21:45 . 2010-01-21 03:42 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-30 21:45 . 2010-01-21 03:42 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-30 21:10 . 2009-12-30 02:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 05:28 . 2010-01-27 05:28 -------- d-----w- c:\documents and settings\Chan\Application Data\eMusic
2010-01-27 05:28 . 2010-01-27 05:28 -------- d-----w- c:\program files\eMusic Download Manager
2010-01-22 18:07 . 2010-01-22 17:36 488 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-18 21:56 . 2006-06-19 04:25 39896 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-18 20:57 . 2010-01-10 16:07 -------- d-----w- c:\documents and settings\Chan\Application Data\LimeWire
2010-01-16 09:06 . 2006-06-17 09:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-14 01:47 . 2010-01-14 01:51 1614 ----a-w- c:\windows\Fonts\Gabriele.pfm
2010-01-11 00:28 . 2010-01-09 22:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-10 15:07 . 2010-01-10 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-01-10 15:07 . 2010-01-10 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-01-10 15:06 . 2010-01-10 15:06 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-01-10 03:32 . 2010-01-10 03:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-01-10 03:32 . 2010-01-10 03:32 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-01-10 03:09 . 2010-01-10 03:09 -------- d-----w- c:\program files\MSBuild
2010-01-10 03:09 . 2010-01-10 03:09 -------- d-----w- c:\program files\Reference Assemblies
2010-01-10 01:15 . 2010-01-10 00:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-09 22:26 . 2010-01-09 22:26 -------- d-----w- c:\program files\SigmaTel
2009-12-21 19:14 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-02 13:19 . 2010-01-21 03:44 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-21 15:51 . 2009-08-09 18:43 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-19 111376]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-1-9 3272704]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk
backup=c:\windows\pss\Auto run of VideoCam Suite 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Chan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2009-01-21 23:34 16712 ----a-r- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2009-01-21 23:34 532808 ----a-r- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-06-08 18:24 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 19:16 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/20/2010 9:44 PM 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [1/9/2010 6:53 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [1/9/2010 6:53 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [1/9/2010 6:53 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100128.002\IDSXpx86.sys [1/30/2010 1:35 PM 329592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe [1/9/2010 6:53 PM 117640]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [1/9/2010 5:37 PM 632576]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/8/2010 11:21 PM 102448]
S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [1/9/2010 5:36 PM 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:44]

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:44]

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:44]

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:44]

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:44]

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-Jgovixejower - c:\windows\aroyokuyepebeham.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Jgovixejower - c:\windows\aroyokuyepebeham.dll
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-31 12:49:42
ComboFix-quarantined-files.txt 2010-01-31 18:49

Pre-Run: 97,595,973,632 bytes free
Post-Run: 97,550,970,880 bytes free

- - End Of File - - 6CD8E907129CA862A4A84AAE84171AD5


#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:25 AM

Posted 31 January 2010 - 02:23 PM

Prior to losing your connection were you still being redirected on your searches?


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 christians_sin

christians_sin
  • Topic Starter

  • Members
  • 10 posts
  • Local time:09:25 AM

Posted 31 January 2010 - 02:25 PM

I didn't have a page open due to not having my virus protection, etc., on. So, I'm not sure if the problem was still there or not.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:25 AM

Posted 31 January 2010 - 02:30 PM

You need to get your connection restored before we can proceed. I'm not real familiar with Netgear, but I don't see anything in the log that should have affected your connection. Have you tried a reboot?

When you have your connection back, please do the following.


Please visit the online VirusTotal Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    C:\WINDOWS\system32\DRIVERS\IASTOR.SYS


  • The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.




========================================================
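Post #15 asks for a VirusTotal scan of IASTOR.SYS, which the Find3M report earlier in this thread lists with a 2010-01-31 18:15 timestamp next to a 2006-08-18 one. The Python below is an added example for this thread, not code from the posts, from ComboFix or from VirusTotal: it picks drivers like that out of copied Find3M lines, hashes a file locally so it can be looked up by hash instead of being uploaded, and reduces a report to the detection count and names the helper wants pasted back. Assumptions: the column order of a ComboFix Find3M entry (last-write time first, creation time second) is my reading of the log above; the VirusTotal v3 `files/{sha256}` endpoint and `x-apikey` header are the current API, not what the 2010 web upload used; and SAMPLE_REPORT is constructed, with made-up engine names and labels.

```python
"""Triage the driver post #15 asks about: pick it out of the log, hash it, check it by hash.

Added example for this thread; not code from the posts, from ComboFix or from VirusTotal.
Assumptions: ComboFix Find3M column order (last-write, creation, size, attributes, path)
as read from the log above; the VirusTotal v3 "files/{sha256}" endpoint with an
"x-apikey" header; SAMPLE_REPORT is a constructed stand-in, not a real scan result.
"""
import hashlib
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
REPORT_TIME = datetime(2010, 1, 31, 18, 49)  # ComboFix completion stamp from the log above

# Three entries copied from the Find3M report in this thread.
FIND3M_LINES = [
    "2010-01-31 18:15 . 2006-08-18 23:56 246784 ----a-w- c:\\windows\\system32\\drivers\\IASTOR.SYS",
    "2009-12-21 19:14 . 2006-06-17 09:23 916480 ----a-w- c:\\windows\\system32\\wininet.dll",
    "2009-12-02 13:19 . 2010-01-21 03:44 64288 ----a-w- c:\\windows\\system32\\drivers\\Lbd.sys",
]
ENTRY_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+)\s+(\S+)\s+(\S+)\s+(.+)$")
STAMP = "%Y-%m-%d %H:%M"


def parse_entry(line: str) -> dict:
    """Split one ComboFix file entry into timestamps, size, attributes and path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix file entry: {line!r}")
    first, second, size, attrs, path = m.groups()
    return {"modified": datetime.strptime(first, STAMP), "created": datetime.strptime(second, STAMP),
            "size": None if size.startswith("-") else int(size), "attrs": attrs, "path": path}


def rewritten_drivers(lines: List[str], report_time: datetime,
                      window_days: int = 3, min_gap_days: int = 365) -> List[str]:
    """Drivers written within window_days of the report whose other timestamp is at
    least min_gap_days older. An old driver touched at scan time is the pattern the
    helper singled out; this is that judgement written down so it can be re-run."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if "\\drivers\\" not in e["path"].lower():
            continue
        newer, older = max(e["modified"], e["created"]), min(e["modified"], e["created"])
        if report_time - newer <= timedelta(days=window_days) and newer - older >= timedelta(days=min_gap_days):
            hits.append(e["path"])
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256; hashing locally means it need not be uploaded."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vt_hash_request(sha256: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for a by-hash lookup; built but not sent, so this runs offline."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha256):
        raise ValueError("expected a hex SHA-256 digest")
    return VT_FILES_ENDPOINT + sha256.lower(), {"x-apikey": api_key, "accept": "application/json"}


def summarize_report(report: dict) -> dict:
    """Reduce a file report to what the helper wants pasted back: how many engines
    flagged the file, out of how many that gave a verdict, and under which names."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted((eng, r["result"]) for eng, r in results.items()
                     if r.get("category") in ("malicious", "suspicious") and r.get("result"))
    verdicts = [r for r in results.values()
                if r.get("category") in ("malicious", "suspicious", "undetected", "harmless")]
    return {"sha256": attrs.get("sha256"), "detections": len(flagged),
            "engines": len(verdicts), "names": flagged}


# Constructed stand-in for a VirusTotal response; engine names and labels are made up.
SAMPLE_REPORT = {"data": {"type": "file", "attributes": {
    "sha256": sha256_bytes(b"constructed stand-in for IASTOR.SYS, not the real driver"),
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Rootkit.Generic"},
        "EngineB": {"category": "suspicious", "result": "Heur.PatchedDriver"},
        "EngineC": {"category": "undetected", "result": None},
        "EngineD": {"category": "type-unsupported", "result": None},
    }}}}

if __name__ == "__main__":
    print("drivers to check:", rewritten_drivers(FIND3M_LINES, REPORT_TIME))
    url, _ = vt_hash_request(SAMPLE_REPORT["data"]["attributes"]["sha256"], api_key="<your-api-key>")
    print("lookup:", url)
    print(summarize_report(SAMPLE_REPORT))
```

Run as a script it prints the one driver that matches (IASTOR.SYS; Lbd.sys is not flagged because its two timestamps are only weeks apart), the lookup URL, and the summary of the constructed report. On the affected machine `sha256_file(r"C:\WINDOWS\system32\DRIVERS\IASTOR.SYS")` gives the real digest to put in `vt_hash_request`. One caveat: a by-hash lookup only answers for files VirusTotal has already seen, so if the hash is unknown the upload the helper describes is still the way to get a verdict.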



