Search Redirect Problem


This topic is locked
22 replies to this topic

#1 Shadowbeast368

Shadowbeast368

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 17 February 2010 - 08:38 PM

I've been having the problem now with the results from searches being redirected. I've tried to fix it myself using scanners like Spybot, Ad-Aware, AVG, McAfee and nothing seems to help.
I've given up on the situation for a while, but after reading so much about it I fear that my computer could be in a lot of trouble. I've attached my HijackThis log if anyone can help.

Thanks,
Shadowbeast


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:12 AM

Posted 20 February 2010 - 01:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 



#3 Shadowbeast368

Shadowbeast368
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 20 February 2010 - 10:54 PM

Thanks so much for the reply; I greatly appreciate it, considering how much traffic you guys get on here.
I ran the scan and attached the two files; hope that works for you.


#4 myrti


Posted 21 February 2010 - 08:50 AM

Hi

please run gmer next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

As well as Kenco.exe:
Please download Kenco.exe and save it to your desktop.
  • Double-click on Kenco.exe to run it (if you get a security warning, click run).
  • You will see a black command window and shortly a logfile will be opened. Note - Kenco.log will be saved on your desktop.
  • In order to complete the cleaning process, Kenco.exe may need to reboot your computer.
Please copy/paste the contents of kenco.log in your next reply.

regards myrti



#5 Shadowbeast368


Posted 21 February 2010 - 03:28 PM

Okay, here's my gmer log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 13:30:35
Windows 6.0.6002 Service Pack 2
Running: 9fo436sz.exe; Driver: C:\Users\Phillips\AppData\Local\Temp\pxlyakod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8AAC8CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8AAC8ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8AAC8984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8AAC90D8]

INT 0x51 ? 879FEBF8
INT 0x72 ? 879FEBF8
INT 0x82 ? 85BEFBF8
INT 0x82 ? 879FEBF8
INT 0x82 ? 85BEFBF8
INT 0x92 ? 879FEBF8
INT 0xA2 ? 85BEBBF8
INT 0xA2 ? 879FEBF8
INT 0xA2 ? 879FEBF8
INT 0xA2 ? 85BEBBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 824C396C 8 Bytes [DE, 8C, AC, 8A, D0, 8E, AC, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 824C3D84 4 Bytes [84, 89, AC, 8A]
.text ntkrnlpa.exe!KeSetEvent + 6E5 824C3E48 4 Bytes [D8, 90, AC, 8A]
? System32\Drivers\spre.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8F55E41B 5 Bytes JMP 879FE1D8
.text a9vhaev2.SYS 8AD7E000 22 Bytes [82, 73, 7D, 82, 6C, 72, 7D, ...]
.text a9vhaev2.SYS 8AD7E017 105 Bytes [00, 32, 57, B9, 82, 3D, 55, ...]
.text a9vhaev2.SYS 8AD7E081 53 Bytes [CA, 45, 82, 98, DE, 4B, 82, ...]
.text a9vhaev2.SYS 8AD7E0B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a9vhaev2.SYS 8AD7E0CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text ...
? C:\Users\Phillips\AppData\Local\Temp\ALSysIO.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82A99D7A] \SystemRoot\System32\Drivers\spre.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [749B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A0A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [749BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [749AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [749E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [749BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74A3CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [749DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [749AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [749B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85BF21F8
Device \FileSystem\fastfat \FatCdrom 85AD1500
Device \Driver\volmgr \Device\VolMgrControl 85BED1F8
Device \Driver\usbuhci \Device\USBPDO-0 877431F8
Device \Driver\usbuhci \Device\USBPDO-1 877431F8
Device \Driver\usbuhci \Device\USBPDO-2 877431F8
Device \Driver\usbehci \Device\USBPDO-3 879FF1F8
Device \Driver\usbuhci \Device\USBPDO-4 877431F8
Device \Driver\PCI_PNP4464 \Device\00000055 spre.sys

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 877431F8
Device \Driver\usbuhci \Device\USBPDO-6 877431F8
Device \Driver\USBSTOR \Device\00000070 884081F8
Device \Driver\volmgr \Device\HarddiskVolume1 85BED1F8
Device \Driver\usbehci \Device\USBPDO-7 879FF1F8
Device \Driver\USBSTOR \Device\00000071 884081F8
Device \Driver\volmgr \Device\HarddiskVolume2 85BED1F8
Device \Driver\cdrom \Device\CdRom0 87A4F500
Device \Driver\iaStor \Device\Ide\iaStor0 [8A8FC6D0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8A8FC6D0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 85BED1F8
Device \Driver\cdrom \Device\CdRom1 87A4F500
Device \Driver\volmgr \Device\HarddiskVolume4 85BED1F8
Device \Driver\volmgr \Device\HarddiskVolume5 85BED1F8
Device \Driver\sptd \Device\941295714 spre.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{145E2D38-B0E5-4A6C-8086-A91A3B2D9133} 884EC1F8
Device \Driver\volmgr \Device\HarddiskVolume6 85BED1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 884EC1F8
Device \Driver\Smb \Device\NetbiosSmb 883D51F8
Device \Driver\iScsiPrt \Device\RaidPort0 87D901F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 877431F8
Device \Driver\USBSTOR \Device\0000006d 884081F8
Device \Driver\usbuhci \Device\USBFDO-1 877431F8
Device \Driver\USBSTOR \Device\0000006e 884081F8
Device \Driver\usbuhci \Device\USBFDO-2 877431F8
Device \Driver\USBSTOR \Device\0000006f 884081F8
Device \Driver\usbehci \Device\USBFDO-3 879FF1F8
Device \Driver\usbuhci \Device\USBFDO-4 877431F8
Device \Driver\usbuhci \Device\USBFDO-5 877431F8
Device \Driver\usbuhci \Device\USBFDO-6 877431F8
Device \Driver\usbehci \Device\USBFDO-7 879FF1F8
Device \Driver\a9vhaev2 \Device\Scsi\a9vhaev21Port3Path0Target0Lun0 87D911F8
Device \Driver\iteatapi \Device\Scsi\iteatapi1 85BF11F8
Device \Driver\a9vhaev2 \Device\Scsi\a9vhaev21 87D911F8
Device \Driver\iteatapi \Device\Scsi\iteatapi1Port1Path0Target0Lun0 85BF11F8
Device \FileSystem\fastfat \Fat 85AD1500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [392] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\Dwm.exe [572] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\rundll32.exe [580] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [652] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [740] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [768] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\lsm.exe [780] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [1104] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1128] 0x6C1B0000
Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [1128] 0x6C330000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1200] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\nvvsvc.exe [1248] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\taskeng.exe [1256] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1280] 0x6C1B0000
Library C:\Windows\System32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1428] 0x6C1B0000
Library C:\Windows\System32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1452] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1464] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1656] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1728] 0x6C1B0000
Library C:\Windows\System32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\System32\spoolsv.exe [1804] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\nvvsvc.exe [1832] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1856] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1976] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\taskeng.exe [2160] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2348] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2456] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe [2616] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\agrsmsvc.exe [2672] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2684] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2740] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [3008] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3028] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [3056] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [3104] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [3192] 0x6C1B0000
Library C:\Windows\System32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [3248] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3300] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\SearchIndexer.exe [3428] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [3608] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [3668] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\WUDFHost.exe [4068] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe [4292] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [4376] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgrsx.exe [4468] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\ehome\ehmsas.exe [4484] 0x6C1B0000
Library C:\Windows\System32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\System32\mobsync.exe [4664] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgemc.exe [4816] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgchsvx.exe [5148] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgnsx.exe [5192] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgwdsvc.exe [5560] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgam.exe [5700] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [5744] 0x6C1B0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----
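
The GMER log above is read by hand in this thread. As an added example (not GMER's own code and not anything posted by the participants), here is a small Python triage script for that log format: it assumes only the line shapes visible above (SSDT, .text, "?" missing-file, and hidden Library lines) and runs against a constructed sample built from them, with PLACEHOLDER.sys an invented name.

```python
import re
from collections import defaultdict

# Constructed sample log, not a real scan: the line shapes are copied from the
# GMER output posted above, and PLACEHOLDER.sys is an invented name used only
# to exercise the "no vendor string" branch.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 13:30:35
Windows 6.0.6002 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8AAC8CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8AAC8984]
SSDT \SystemRoot\system32\drivers\PLACEHOLDER.sys ZwOpenProcess [0x8AAC0000]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 824C396C 8 Bytes [DE, 8C, AC, 8A, D0, 8E, AC, ...]
? System32\Drivers\spre.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8F55E41B 5 Bytes JMP 879FE1D8

---- Processes - GMER 1.0.15 ----

Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [768] 0x6C1B0000
Library C:\Windows\system32\avgrsstx.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1128] 0x6C1B0000
Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [1128] 0x6C330000

---- EOF - GMER 1.0.15 ----
"""

# One regex per line shape seen in the log.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(?:\((.*?)\)\s+)?(\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
PATCH_RE = re.compile(r"^\.text\s+(.+?)\s+([0-9A-F]{8})\s+(\d+) Bytes\s+(.*)$")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the (?:path|file) specified\. !$")
HIDDEN_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\] 0x([0-9A-F]+)$")


def parse_gmer(text):
    """Split a GMER log into the entry types an analyst looks at first."""
    findings = {"sections": [], "ssdt_hooks": [], "code_patches": [],
                "missing_files": [], "hidden_libraries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            findings["sections"].append(m.group(1))
        elif (m := SSDT_RE.match(line)):
            findings["ssdt_hooks"].append({"module": m.group(1), "vendor": m.group(2),
                                           "function": m.group(3), "address": m.group(4).upper()})
        elif (m := PATCH_RE.match(line)):
            findings["code_patches"].append({"symbol": m.group(1), "address": m.group(2),
                                             "size": int(m.group(3)), "detail": m.group(4)})
        elif (m := MISSING_RE.match(line)):
            # A driver that is loaded but whose file cannot be found is what the
            # helper chased in this thread (spre.sys, which the log ties to sptd).
            findings["missing_files"].append(m.group(1))
        elif (m := HIDDEN_RE.match(line)):
            findings["hidden_libraries"].append({"library": m.group(1), "process": m.group(2),
                                                 "pid": int(m.group(3)), "base": m.group(4)})
    return findings


def triage(findings):
    """Turn parsed entries into leads for a human reviewer. They are not verdicts:
    security products hook the SSDT and inject DLLs too (PC Tools and AVG in the
    log above), so the vendor string is the first thing to check, and an entry
    with no vendor string at all deserves the closest look."""
    notes = []
    hooks = defaultdict(list)
    for h in findings["ssdt_hooks"]:
        hooks[(h["module"], h["vendor"])].append(h["function"])
    for (module, vendor), funcs in hooks.items():
        who = vendor if vendor else "NO VENDOR STRING"
        notes.append(f"SSDT hook by {module} ({who}): {', '.join(funcs)}")
    for p in findings["code_patches"]:
        notes.append(f"Kernel code patch at {p['symbol']} {p['address']}: "
                     f"{p['size']} bytes, {p['detail']}")
    for path in findings["missing_files"]:
        notes.append(f"Driver loaded but its file is not on disk: {path}")
    injected = defaultdict(set)
    for lib in findings["hidden_libraries"]:
        injected[lib["library"]].add(lib["pid"])
    for library, pids in injected.items():
        notes.append(f"Hidden library {library} mapped in {len(pids)} process(es)")
    return notes


if __name__ == "__main__":
    for note in triage(parse_gmer(SAMPLE_LOG)):
        print(note)
```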

#6 Shadowbeast368


Posted 21 February 2010 - 03:29 PM

And this is all that I got from the Kenco scan


Kenco by jpshortstuff (31.12.09.1)
Log created at 13:31 on 21/02/2010 (Phillips)

========== Task Unlocker ==========
C:\Windows\Tasks\VEPQVBGJZ.job -> Unlocked!

========== KencoScan ==========

========== C:\Windows\Tasks ==========
Ad-Aware Update (Daily 1).job -> [18:00 19/02/2010] 370 bytes
Ad-Aware Update (Daily 2).job -> [18:00 19/02/2010] 370 bytes
Ad-Aware Update (Daily 3).job -> [18:00 19/02/2010] 370 bytes
Ad-Aware Update (Daily 4).job -> [18:00 19/02/2010] 370 bytes
Ad-Aware Update (Weekly).job -> [18:00 19/02/2010] 370 bytes
VEPQVBGJZ.job -> [19:27 08/12/2009] 308 bytes
{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job -> [19:28 08/12/2009] 294 bytes
{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job -> [19:28 08/12/2009] 294 bytes

-=E.O.F=-

#7 myrti


Posted 21 February 2010 - 04:31 PM

Hi,

The Kenco log looks good, but we need to run GMER again:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Afterwards please run a new scan with gmer and post the log here.

regards myrti



#8 Shadowbeast368


Posted 21 February 2010 - 07:57 PM

I ran the Defogger and everything, and that went okay with no errors. But when I ran the GMER scan again, it ends up crashing part of the way through.
I turned off all of my security programs and disconnected from the internet like the first time. I even tried running it in safe mode and it did the same thing.
When I try to run it again afterwards, I get the blue error screen, and it says something about a memory dump or something.

#9 myrti


Posted 22 February 2010 - 12:41 PM

Hi,

Please deselect the Devices option in GMER and try running it again. Let me know if it still crashes.

regards myrti



#10 Shadowbeast368


Posted 22 February 2010 - 04:10 PM

Okay, I disabled Devices and ran the scan again, and it worked fine. I also figured out how to fully disable AVG, which I did before I ran the scan.
Maybe that helped too. Here's the gmer.log


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-22 16:06:29
Windows 6.0.6002 Service Pack 2
Running: 9fo436sz.exe; Driver: C:\Users\Phillips\AppData\Local\Temp\pxlyakod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x831B8CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x831B8ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x831B8984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x831B90D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 824B096C 8 Bytes [DE, 8C, 1B, 83, D0, 8E, 1B, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 824B0D84 4 Bytes [84, 89, 1B, 83]
.text ntkrnlpa.exe!KeSetEvent + 6E5 824B0E48 4 Bytes [D8, 90, 1B, 83]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74667817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746BA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7466BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7465F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746675E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7465E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74698395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7466DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7465FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7465FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746571CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746ECAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7468C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7465D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74656853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7465687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74662AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x06 0x45 0xB6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6D 0x98 0x05 0x70 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x13 0x9C 0x28 0x16 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----
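
The GMER output above lists the same PC Tools driver in two sections, and it is worth checking whether the "Kernel code sections" entries are separate patches or just the SSDT slots seen a second time. What follows is an added example (not part of this thread and not GMER's own code): a small Python parser that reads the SSDT and kernel-code lines, groups hooks by the module GMER attributes them to, and decodes each patched dword little-endian to see whether it equals one of the hook addresses. The sample input is the four SSDT lines and three .text lines copied from the log above; the parsing and correlation logic are the example's own.

```python
"""Correlate GMER 'SSDT' hooks with its 'Kernel code sections' findings.

Added example, not code from the forum thread or from GMER. The sample
below is a constructed subset of the GMER log posted in this thread.
"""
import re

# Constructed sample: lines copied from the posted GMER log.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x831B8CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x831B8ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x831B8984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x831B90D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 824B096C 8 Bytes [DE, 8C, 1B, 83, D0, 8E, 1B, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 824B0D84 4 Bytes [84, 89, 1B, 83]
.text ntkrnlpa.exe!KeSetEvent + 6E5 824B0E48 4 Bytes [D8, 90, 1B, 83]
"""

# "SSDT <module> (<description>) <ZwFunction> [0x<hook address>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
# ".text <symbol> + <offset> <virtual address> <n> Bytes [<byte list>]"
PATCH_RE = re.compile(
    r"^\.text\s+(?P<symbol>\S+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+(?P<va>[0-9A-Fa-f]+)"
    r"\s+(?P<n>\d+)\s+Bytes\s+\[(?P<bytes>[^\]]*)\]")


def parse_gmer(text):
    """Return (hooks, patches) parsed from GMER's text output."""
    hooks, patches = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"module": m["module"], "desc": m["desc"],
                          "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = PATCH_RE.match(line)
        if m:
            toks = [t.strip() for t in m["bytes"].split(",")]
            # GMER cuts long byte dumps short and ends them with "..."
            truncated = "..." in toks
            data = bytes(int(t, 16) for t in toks if t != "...")
            patches.append({"symbol": m["symbol"], "offset": int(m["off"], 16),
                            "va": int(m["va"], 16), "declared": int(m["n"]),
                            "data": data, "truncated": truncated})
    return hooks, patches


def hooks_by_module(hooks):
    """Group hooked Zw* functions by the driver GMER attributes them to."""
    grouped = {}
    for h in hooks:
        grouped.setdefault(h["module"], []).append(h["func"])
    return grouped


def correlate(hooks, patches):
    """Map each SSDT hook to the 4-byte slot whose little-endian value is its address.

    'full'    : a complete dword in the patch equals the hook address
    'partial' : the dump was truncated, but every byte shown agrees
    'unmatched': no reported slot holds this address
    """
    results = []
    for h in hooks:
        le = h["addr"].to_bytes(4, "little")
        match = None
        for p in patches:
            for i in range(0, len(p["data"]), 4):
                slot = p["data"][i:i + 4]
                if slot == le:
                    match = (p, i, "full")
                elif len(slot) < 4 and p["truncated"] and le[:len(slot)] == slot:
                    match = (p, i, "partial")
                if match:
                    break
            if match:
                break
        entry = {"func": h["func"], "module": h["module"],
                 "slot_va": None, "patch": None, "kind": "unmatched"}
        if match:
            p, i, kind = match
            entry.update(slot_va=p["va"] + i,
                         patch=f"{p['symbol']}+{p['offset']:X}", kind=kind)
        results.append(entry)
    return results


if __name__ == "__main__":
    hooks, patches = parse_gmer(SAMPLE_LOG)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {', '.join(funcs)}")
    for r in correlate(hooks, patches):
        va = f"{r['slot_va']:08X}" if r["slot_va"] is not None else "-"
        print(f"{r['func']:<22} {r['kind']:<9} slot {va} ({r['patch']})")
```

On this log every patched slot decodes to one of the four PCTCore.sys hook addresses, so the "Kernel code sections" lines are the service-table slots themselves rather than an additional inline patch (the slot at KeSetEvent + 209 is only partially shown because of the "..." truncation, so it is reported as a partial match). A hook whose module GMER cannot attribute, or a slot that decodes to an address no listed hook owns, would be the finding worth investigating.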


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:12 AM

Posted 22 February 2010 - 06:04 PM

Hi,
please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#12 Shadowbeast368

Shadowbeast368
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 22 February 2010 - 06:44 PM

ComboFix 10-02-21.02 - Phillips 02/22/2010 18:27:11.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3053.2046 [GMT -5:00]
Running from: c:\users\Phillips\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3815173418-2198697303-2537330237-500
C:\install.exe
c:\program files\IEToolbar
c:\windows\system32\stacsv.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 23:35 . 2010-02-22 23:35 -------- d-----w- c:\users\Phillips\AppData\Local\temp
2010-02-21 20:53 . 2010-02-21 20:38 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-02-21 20:53 . 2010-02-21 20:38 12464 ----a-w- c:\programdata\avg9\update\backup\avgrsstx.dll
2010-02-21 20:53 . 2010-02-21 20:38 502040 ----a-w- c:\programdata\avg9\update\backup\avgrsx.exe
2010-02-21 20:50 . 2010-02-21 20:38 877848 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-02-21 20:50 . 2010-02-21 20:38 798488 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-02-21 20:50 . 2010-02-21 20:38 610072 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-02-21 20:50 . 2010-02-21 20:38 1657112 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-02-21 20:38 . 2010-02-21 20:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-18 01:00 . 2010-02-18 01:00 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-02-18 00:55 . 2010-02-18 00:55 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-18 00:55 . 2010-02-18 01:00 -------- d-----w- c:\programdata\Hitman Pro
2010-02-18 00:55 . 2010-02-18 00:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-02-14 00:55 . 2010-02-14 00:55 -------- d-----w- c:\program files\Common Files\Apple
2010-02-14 00:55 . 2010-02-14 00:55 -------- d-----w- c:\program files\Apple Software Update
2010-02-08 18:12 . 2010-02-08 18:12 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-08 00:06 . 2010-02-08 00:06 -------- d-----w- C:\found.000
2010-02-07 10:57 . 2010-02-07 10:57 -------- d-----w- c:\users\Phillips\AppData\Local\Microsoft Corporation
2010-02-07 07:39 . 2010-02-07 07:39 -------- d-----w- c:\users\Phillips\AppData\Local\Threat Expert
2010-02-07 07:34 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-07 07:34 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-07 07:34 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-07 07:34 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-07 07:34 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-07 07:34 . 2010-02-21 20:49 -------- d-----w- c:\program files\Spyware Doctor
2010-02-07 07:34 . 2010-02-07 07:34 -------- d-----w- c:\users\Phillips\AppData\Roaming\PC Tools
2010-02-07 07:34 . 2010-02-07 07:34 -------- d-----w- c:\programdata\PC Tools
2010-02-07 05:33 . 2010-02-07 05:49 -------- d-----w- c:\users\Phillips\AppData\Roaming\Registry Mechanic
2010-02-07 05:26 . 2004-08-04 13:00 506368 ----a-w- c:\windows\system32\msxml.dll
2010-02-07 05:26 . 2010-02-07 07:36 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-07 05:16 . 2010-02-07 17:46 -------- d-----w- C:\Speedfan
2010-01-28 10:20 . 2010-01-28 10:20 -------- d-----w- C:\Games
2010-01-28 09:18 . 2010-01-28 10:24 -------- d-----w- C:\Activision
2010-01-28 02:44 . 2010-01-28 02:49 -------- d-----w- c:\users\Phillips\AppData\Roaming\AVS4YOU
2010-01-28 02:44 . 2010-01-28 02:44 -------- d-----w- c:\programdata\AVS4YOU
2010-01-28 02:44 . 2010-01-28 03:01 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-28 02:44 . 2003-05-21 17:50 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-28 02:44 . 2010-01-28 03:01 -------- d-----w- c:\program files\AVS4YOU
2010-01-28 02:44 . 2002-01-05 20:48 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-01-28 02:44 . 2002-01-05 19:40 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-01-28 02:39 . 2010-01-28 02:39 -------- d-----w- c:\users\Phillips\AppData\Roaming\NCH Software
2010-01-28 02:39 . 2009-01-29 16:13 42003 ----a-w- c:\users\Phillips\AppData\Roaming\NCH Software\Components\ffmpeg4\avutil-49.dll
2010-01-28 02:39 . 2009-01-29 16:13 2660371 ----a-w- c:\users\Phillips\AppData\Roaming\NCH Software\Components\ffmpeg4\avcodec-52.dll
2010-01-28 02:39 . 2009-01-29 16:13 5632 ----a-w- c:\users\Phillips\AppData\Roaming\NCH Software\Components\ffmpeg4\avdevice-52.dll
2010-01-28 02:39 . 2009-01-29 16:13 444435 ----a-w- c:\users\Phillips\AppData\Roaming\NCH Software\Components\ffmpeg4\avformat-52.dll
2010-01-28 02:36 . 2010-01-28 02:36 -------- d-----w- c:\program files\Combined Community Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 23:22 . 2009-09-17 06:55 181886 ----a-w- c:\programdata\nvModes.dat
2010-02-22 21:42 . 2010-01-21 03:30 0 ----a-w- c:\users\Phillips\AppData\Local\prvlcl.dat
2010-02-21 20:55 . 2009-12-19 19:34 -------- d-----w- c:\users\Phillips\AppData\Roaming\Dropbox
2010-02-21 20:52 . 2009-12-10 01:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 20:52 . 2009-12-10 01:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-21 20:37 . 2009-12-10 01:16 -------- d-----w- c:\programdata\avg9
2010-02-20 02:38 . 2009-08-06 00:36 -------- d-----w- c:\users\Phillips\AppData\Roaming\BitTorrent
2010-02-17 22:23 . 2009-06-27 07:24 -------- d-----w- c:\users\Phillips\AppData\Roaming\gtk-2.0
2010-02-14 00:56 . 2009-09-18 23:21 -------- d-----w- c:\program files\QuickTime
2010-02-10 20:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-07 23:55 . 2009-10-15 13:09 -------- d-----w- c:\program files\MSECACHE
2010-02-07 23:52 . 2007-11-05 03:53 -------- d-----w- c:\program files\Serif
2010-02-07 23:46 . 2008-01-24 19:46 -------- d-----w- c:\program files\PICgrabber G2
2010-02-07 12:24 . 2007-11-04 20:50 -------- d-----w- c:\programdata\NVIDIA
2010-02-07 12:23 . 2009-09-17 06:51 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-07 12:17 . 2007-11-04 20:50 124360 ----a-w- c:\users\Phillips\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-07 12:10 . 2007-11-04 21:07 -------- d-----w- c:\programdata\Microsoft Help
2010-02-07 12:09 . 2007-11-04 21:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-07 12:01 . 2007-11-04 21:25 -------- d-----w- c:\users\Phillips\AppData\Roaming\DisplayTune
2010-02-07 12:00 . 2007-11-14 03:03 -------- d-----w- c:\program files\EA SPORTS
2010-02-07 11:26 . 2007-11-19 16:57 -------- d-----w- c:\program files\Yahoo!
2010-02-07 11:26 . 2007-11-23 05:08 -------- d-----w- c:\users\Phillips\AppData\Roaming\Yahoo!
2010-02-07 11:25 . 2009-04-25 04:52 -------- d-----w- c:\program files\Pando Networks
2010-02-07 11:03 . 2007-11-04 23:02 -------- d-----w- c:\program files\Common Files\aol
2010-02-07 07:34 . 2009-12-09 04:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-04 18:53 . 2009-12-10 02:26 389784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 18:53 . 2009-12-10 02:25 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 18:53 . 2009-12-10 02:25 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 18:53 . 2009-12-10 02:25 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-29 20:19 . 2007-11-04 21:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-29 00:10 . 2009-07-11 09:43 -------- d-----w- c:\program files\Acoustica Beatcraft
2010-01-29 00:10 . 2009-07-11 09:43 -------- d-----w- c:\program files\Acoustica Shared Effects
2010-01-28 03:05 . 2008-01-16 23:15 2708 ----a-w- c:\users\Phillips\AppData\Local\d3d9caps.dat
2010-01-27 11:48 . 2009-12-10 02:26 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 11:48 . 2009-12-10 02:26 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 11:48 . 2009-12-10 02:26 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 11:48 . 2009-12-10 02:26 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 11:48 . 2009-12-09 08:04 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 11:48 . 2009-12-10 02:26 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 11:48 . 2009-12-10 02:26 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 11:48 . 2009-12-10 02:26 8 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 11:48 . 2009-12-10 02:25 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 11:47 . 2009-12-10 02:25 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 11:47 . 2009-12-10 02:25 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 11:47 . 2009-12-10 02:25 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 11:47 . 2009-12-10 02:25 816784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 11:47 . 2009-12-10 02:25 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 11:47 . 2009-12-10 02:25 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-22 05:27 . 2009-10-30 18:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 15:01 . 2007-11-05 00:35 11168 ----a-w- c:\users\Phillips\AppData\Roaming\wklnhst.dat
2010-01-12 23:18 . 2010-01-12 23:18 -------- d-----w- c:\users\Phillips\AppData\Roaming\AVG9
2010-01-12 03:18 . 2010-01-12 03:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-12 03:18 . 2010-01-12 03:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:18 . 2010-01-12 03:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-12 03:18 . 2010-01-12 03:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-02 06:38 . 2010-01-22 04:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 04:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 04:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 04:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-25 02:32 . 2009-12-25 02:32 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-25 02:32 . 2005-09-07 21:32 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-25 02:32 . 2005-09-07 21:29 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-25 02:19 . 2009-12-25 02:19 -------- d-----w- c:\program files\Common Files\Real
2009-12-25 02:19 . 2009-12-25 02:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-25 02:19 . 2009-12-25 02:19 -------- d-----w- c:\program files\Real
2009-12-19 19:34 . 2009-12-19 19:34 89860 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\Uninstall.exe
2009-12-17 22:45 . 2009-12-17 22:45 21958016 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\Dropbox.exe
2009-12-11 11:43 . 2010-02-10 10:20 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 10:20 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-10 01:16 . 2009-12-10 01:16 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-10 01:16 . 2009-12-10 01:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-09 01:19 . 2009-12-09 01:19 94208 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
2009-12-08 20:01 . 2010-02-10 10:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 10:20 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 10:20 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 10:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-06 03:23 . 2009-12-06 03:23 10134 ----a-r- c:\users\Phillips\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-12-04 18:30 . 2010-02-10 10:20 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 10:20 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 10:20 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 10:20 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 10:20 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 10:20 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 10:20 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 10:20 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 10:20 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 10:20 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 10:20 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-27 07:04 . 2009-06-27 06:53 2516 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Phillips\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Core Temp"="c:\users\Phillips\Desktop\Stuff\More Stuff\CoreTemp\Core Temp.exe" [2009-08-05 378384]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-25 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2009-11-25 104408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Phillips^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blubster
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM_IAN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbine Download Manager Tray Icon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-04-11 07:04 50736 ----a-w- c:\program files\AOL 9.0a\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
2006-11-17 00:04 2348584 ----a-w- c:\program files\BigFix\bigfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2007-04-06 22:11 215512 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2007-12-29 09:43 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT GWY]
2007-08-07 16:24 298496 ----a-w- c:\program files\Gateway\EzTune\dthtml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\aol\1194217385\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 21:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2006-09-06 20:12 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2007-04-06 22:07 439768 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-01-12 03:18 13679720 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-12 03:18 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2010-01-12 03:18 962664 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
2007-02-09 17:17 694008 ----a-w- c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-03-01 02:56 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-07-13 05:27 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-25 02:19 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScannerPro]
2007-01-29 21:02 62976 ----a-w- c:\progra~1\VCOM\Fix-It\MemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:ec,e5,e0,10,e0,ef,c9,01

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [12/9/2009 8:16 PM 161800]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/9/2009 1:53 AM 64288]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [2/7/2010 2:34 AM 207792]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/9/2009 8:16 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\System32\drivers\avgtdix.sys [12/9/2009 8:16 PM 360584]
R2 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [4/6/2007 5:07 PM 313816]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [2/18/2007 11:34 PM 5376]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2/7/2010 12:26 AM 583640]
R2 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe [4/6/2007 5:10 PM 272856]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/8/2009 11:38 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [11/4/2007 4:00 PM 5504]
R3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\System32\drivers\L6TPortGX.sys [1/6/2009 6:22 PM 530816]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]
S3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [4/6/2007 5:08 PM 39896]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\System32\drivers\mr97310c.sys [3/27/2008 6:14 AM 116992]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/7/2010 2:34 AM 359624]
S4 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/9/2009 8:16 PM 906520]
S4 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/21/2010 3:52 PM 285392]
S4 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2/12/2007 1:46 PM 208896]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/15/2009 4:53 AM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: line6.net
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Phillips\AppData\Roaming\Mozilla\Firefox\Profiles\y77itn4h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{7EFBC57C-CD57-481F-B794-648FCE9C9116} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-hmonitor - c:\program files\Hmonitor\hmonitor.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-hmonitor - c:\program files\Hmonitor\hmonitor.exe
MSConfigStartUp-NeoChronos - c:\users\Phillips\AppData\Local\Temp\a.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 18:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&1bf1ad19&0&UID257\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&1bf1ad19&0&UID257\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&b0c3a2c&0&UID16777473\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&b0c3a2c&0&UID16777473\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&b0c3a2c&0&UID257\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096A\5&b0c3a2c&0&UID257\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&1bf1ad19&0&12345678&01&00\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&1bf1ad19&0&12345678&01&00\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&1bf1ad19&0&UID272\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&1bf1ad19&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&b0c3a2c&0&UID16777488\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&b0c3a2c&0&UID16777488\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&b0c3a2c&0&UID272\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GWY096B\5&b0c3a2c&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
Completion time: 2010-02-22 18:38:04
ComboFix-quarantined-files.txt 2010-02-22 23:38

Pre-Run: 271,738,548,224 bytes free
Post-Run: 277,289,586,688 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 35F8C55527C9A8E6DA0B75DF83F4194C
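The log above lists every service and autostart ComboFix found, and the orphan section shows an entry that pointed at an executable in the user's temp directory. As an added example (not code from the thread, from ComboFix or from the helper's procedure), the script below parses the two line shapes seen in that log and applies a simple "where does the image live" heuristic, so that kind of entry is flagged automatically instead of being spotted by eye. The sample lines are copied from the log; the suspicious-directory list and the name-length rule are my own triage assumptions, not ComboFix rules.

```python
"""Triage of ComboFix-style service and autostart lines.

Added example for this thread; it is not ComboFix's code and not the
helper's own procedure. It parses the two line shapes that appear in
the log above and applies a "where does the binary live" heuristic.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    kind: str        # "service" or the autostart type (MSConfigStartUp, HKLM-Run, BHO, ...)
    name: str
    path: str        # lower-cased image path, or "(no file)" for a dangling reference
    start: str = ""  # ComboFix start column for services: R* running, S* stopped


# Service lines:  R2 Name;Description;c:\path\image.exe [date time size]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[[^\]]*\]\s*$"
)
# Orphan / run-key lines:  MSConfigStartUp-Name - c:\path\image.exe   (or "(no file)")
AUTOSTART_RE = re.compile(
    r"^(?P<kind>HKLM-Run|HKCU-Run|MSConfigStartUp|BHO|Toolbar|WebBrowser)-"
    r"(?P<name>.+?)\s+-\s+(?P<path>.+?)\s*$"
)

# Heuristic policy (my assumption, not a ComboFix rule): nothing that auto-starts
# should be executing out of a temp or world-writable directory.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# Constructed sample: six lines copied from the log above, nothing else.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [2/7/2010 2:34 AM 207792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/8/2009 11:38 PM 1153368]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/15/2009 4:53 AM 715248]
HKLM-Run-hmonitor - c:\program files\Hmonitor\hmonitor.exe
MSConfigStartUp-NeoChronos - c:\users\Phillips\AppData\Local\Temp\a.exe
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
"""


def parse_line(line):
    """Return an Entry for a service or autostart line, None for anything else."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        return Entry("service", m["name"], m["path"].lower(), m["start"])
    m = AUTOSTART_RE.match(line)
    if m:
        return Entry(m["kind"], m["name"], m["path"].lower())
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def dangling(entries):
    """Entries whose image is gone: already cleaned up, but they record what was installed."""
    return [e for e in entries if e.path == "(no file)"]


def flag_suspicious(entries):
    """Pair each entry that trips a heuristic with the list of reasons."""
    findings = []
    for e in entries:
        if e.path == "(no file)":
            continue
        reasons = []
        for d in SUSPICIOUS_DIRS:
            if d in e.path:
                reasons.append(f"image lives under {d}")
                break
        filename = e.path.rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        if len(stem) <= 2:
            reasons.append(f"throwaway image name {filename!r}")
        if e.kind == "service" and e.start.endswith("0") and "\\drivers\\" not in e.path:
            reasons.append("boot-start driver outside System32\\drivers")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e, why in flag_suspicious(entries):
        print(f"[{e.kind}] {e.name}: {e.path}")
        for r in why:
            print("    -", r)
    for e in dangling(entries):
        print(f"[dangling] {e.kind} {e.name}")
```

Run against the sample, only the NeoChronos entry is flagged (temp directory plus a one-letter image name); the BHO with "(no file)" is reported separately as a dangling reference. A hit from these heuristics is a reason to look closer, not a verdict: the next step is still to check the file's signature and hash, which the script deliberately does not guess at.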


#13 myrti (Malware Study Hall Admin)

Posted 22 February 2010 - 06:59 PM

Hi,

Are you currently still getting redirected? I see that you ran HitmanPro; did that take care of your problem?

Please run tdsskiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#14 Shadowbeast368 (Topic Starter)

Posted 22 February 2010 - 09:21 PM

Wow, I've tried my Google search and Yahoo search multiple times just now and it worked every time. I can recall recently that it would work, but I always thought it wouldn't let me go to pages that I usually go to or related ones.
Even when it started, links would work sometimes, but that's when it was something that wasn't commonly searched before. But now it works for anything I searched. I remember running HitmanPro not that long ago, but I didn't think it worked then.

Should I still continue on and download TDSSKiller?

Edited by Shadowbeast368, 22 February 2010 - 09:22 PM.


#15 myrti (Malware Study Hall Admin)

Posted 23 February 2010 - 12:47 PM

Hi,

Please run TDSSKiller as a check. But if you no longer get redirected, I expect that the infection has been cleaned.

regards myrti




