
HijackThis Log: Please help Diagnose


This topic is locked
25 replies to this topic

#1 Liv2h2oski

  • Members
  • 14 posts

Posted 26 February 2010 - 12:34 PM

The problem that I am having is when I use Internet Explorer 7 it redirects me to a different website, typically a different website every time. I did have the Antivirus Soft scareware virus on here and that is when I first noticed IE acting funny. I found a link to manually clean off the Antivirus Soft and completed it successfully, but still had the IE redirect problem. So I have since tried a few things, Malwarebytes, Spybot, Avira antivirus, and found some viruses and malware which have been removed already. I am at the end of ideas, so I am posting here.

I have done the HijackThis and also the StartupList logs and posted both of them here... I posted the StartupList because the Wininit.ini file looks suspicious to me, and sounds like it might be related to the problem I am having.

Thank you for your help!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:01 AM, on 2/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TRAVISS\Desktop\Hijack-This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.machinetoolandequip.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [\\NANCY2\EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P33 "\\Nancy2\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R1800 on NANCY2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P39 "Auto EPSON Stylus Photo R1800 on NANCY2" /O20 "\\NANCY2\StylusR1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\TRAVISS\LOCALS~1\TEMPOR~1\Content.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\151~1.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\02.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\6AA92~1.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\122.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\134.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\r01.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\SHERID~2.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\trailer0.SH! C:\DOCUME~1\TRAVISS\LOCALS~1\History\History.SH!
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\0035.DLL
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14408 bytes



-----------------------------------------------------------------------------
STARTUPLIST.TXT



StartupList report, 2/26/2010, 12:19:01 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\TRAVISS\Desktop\Hijack-This.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16981)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TRAVISS\Desktop\Hijack-This.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint\Apoint.exe
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
RoxioDragToDisc = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
Logitech Utility = Logi_MwX.Exe
\\NANCY2\EPSON Stylus Photo R1800 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P33 "\\Nancy2\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
Auto EPSON Stylus Photo R1800 on NANCY2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P39 "Auto EPSON Stylus Photo R1800 on NANCY2" /O20 "\\NANCY2\StylusR1800" /M "Stylus Photo R1800"
dscactivate = "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
Logitech Hardware Abstraction Layer = KHALMNPR.EXE
DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mcagent_exe = "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
Act.Outlook.Service = "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
Act! Preloader = "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

DellSupport = "C:\Program Files\DellSupport\DSAgnt.exe" /startup
DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

DelayShred = "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\TRAVISS\LOCALS~1\TEMPOR~1\Content.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\151~1.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\02.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\6AA92~1.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\122.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\134.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\r01.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\SHERID~2.SH! C:\DOCUME~1\TRAVISS\MYDOCU~1\ORGANIZE\TRAVIS~1\MYDESK~1\Other\trailer0.SH! C:\DOCUME~1\TRAVISS\LOCALS~1\History\History.SH!

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\0035.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\real\realplayer\rpbrowserrecordplugin.dll - {3049C3E9-B461-4BC5-8870-4C09146192CA}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - {B164E929-A1B6-4A06-B104-2CD0E90A88FF}
(no name) - mscoree.dll (file missing) - {D5233FCD-D258-4903-89B8-FB1568E7413D}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job
ISP signup reminder 1.job
McAfee.com Scan for Viruses - My Computer (TRAVIS-TRAVISS).job
McDefragTask.job
McQcTask.job
Norton Security Scan for TRAVISS.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.dll
CODEBASE = http://download.microsoft.com/download/e/7...80aa-4488-ae10-9ac6be844f99/OGAControl.cab

[Facebook Photo Uploader 5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
CODEBASE = http://upload.facebook.com/controls/2008.1...toUploader5.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Adobe\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=48835

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://photo.walgreens.com/WalgreensActivia.cab

[Facebook Photo Uploader 4 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx
CODEBASE = http://upload.facebook.com/controls/Facebo...toUploader3.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/Facebo...otoUploader.cab

[Facebook Photo Uploader 5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx
CODEBASE = http://upload.facebook.com/controls/2009.0...oUploader55.cab

[Java Plug-in 1.6.0_18]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab

[FujifilmUploader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FujifilmUploadClient.dll
CODEBASE = http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc4.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Facebook Photo Uploader 4]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4_5.ocx
CODEBASE = http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg30.tmp||C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\gtn31.tmp||C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\gth32.tmp||C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752||C:\Program Files\Google\GoogleToolbarNotifier\swg-5.3.4501.1418||C:\Program Files\Google\GoogleToolbarNotifier\swg-5.4.4525.1752||C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752||C:\Program Files\Google\GoogleToolbarNotifier\swg-5.3.4501.1418||C:\Program Files\Google\GoogleToolbarNotifier\swg-5.4.4525.1752||C:\Program Files\Google\GoogleToolbarNotifier\Goo33.tmp||C:\Program Files\Google\GoogleToolbarNotifier||C:\DOCUME~1\TRAVISS\LOCALS~1\Temp\Google Toolbar\inu36.tmp||C:\DOCUME~1\TRAVISS\LOCALS~1\Temp\gus35.tmp||C:\DOCUME~1\TRAVISS\LOCALS~1\Temp\Google Toolbar\inu37.tmp||C:\Program Files\Google


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 14,115 bytes
Report generated in 0.170 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by Liv2h2oski, 26 February 2010 - 02:53 PM.
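An added triage helper for the log format posted above (example code written for this page, not HijackThis's own code and not from the thread): it parses HijackThis v2 entry lines and flags the three entry types a responder verifies first, an AppInit_DLLs value (O20), a BHO whose file is gone (O2), and an autorun that names a bare executable with no path (O4). The sample log is constructed from a few of this post's lines plus clean entries for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same format as the HijackThis v2.0.2 log in this
# thread: a few of its lines, plus clean entries so that non-findings show too.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\WINDOWS\system32\0035.DLL
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
""".strip()

# Every HijackThis entry starts with a section code: R0/R1 (IE URLs),
# O2 (BHOs), O4 (autoruns), O16 (ActiveX downloads), O20 (AppInit_DLLs), ...
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, body, original line) for every section entry in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def autorun_executable(body):
    """Extract the executable from an O4 body such as
    'HKLM\\..\\Run: [Name] "C:\\path\\app.exe" -flag'."""
    _, _, command = body.partition("] ")
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Flag the entry types a responder verifies first, in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                # AppInit_DLLs is loaded into every process that maps user32.dll,
                # so any DLL listed here needs its publisher and hash verified.
                findings.append(Finding(code, "AppInit_DLLs loads " + value, line))
        elif code == "O2" and body.endswith(("(no file)", "(file missing)")):
            # An orphaned BHO CLSID usually means the file was removed but the
            # registration was not; it is safe to clear and worth recording.
            findings.append(Finding(code, "BHO registered without a file", line))
        elif code == "O4":
            exe = autorun_executable(body)
            if exe and "\\" not in exe:
                # A bare file name is resolved through the search path at logon,
                # so confirm which copy on disk actually runs.
                findings.append(Finding(code, "autorun without a full path: " + exe, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run it against a full saved log by reading the file into `triage()`; the R0/R1 and O16 sections are parsed but deliberately left to manual review.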



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 28 February 2010 - 05:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 Liv2h2oski

  • Topic Starter
  • Members
  • 14 posts

Posted 01 March 2010 - 08:53 AM

Hi m0le,
Thank you for your help. I should mention that over the weekend I noticed the pinned email about running the DDS and GMER instructions, so I proceeded to do that Saturday and have the logs if you need them. But I have not done any work since then, sorry if that creates any type of problem.
Thank you for your help.

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 01 March 2010 - 01:39 PM

Yes, I would like the DDS/Defogger/Gmer combo posted.

Thanks

m0le is a proud member of UNITE

#5 Liv2h2oski

  • Topic Starter
  • Members
  • 14 posts

Posted 01 March 2010 - 01:58 PM

Hi m0le,
I believe these are the logs that you are looking for.
Thank you


DDS TEXT

DDS (Ver_09-12-01.01) - NTFSx86
Run by TRAVISS at 16:36:49.35 on Sat 02/27/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1045 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TRAVISS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.machinetoolandequip.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [DelayShred] "c:\program files\mcafee.com\shredder\shred32.exe" /q c:\docume~1\traviss\locals~1\tempor~1\content.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\151~1.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\02.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\6aa92~1.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\122.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\134.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\r01.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\sherid~2.sh! c:\docume~1\traviss\mydocu~1\organize\travis~1\mydesk~1\other\trailer0.sh! c:\docume~1\traviss\locals~1\history\History.SH!
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [\\NANCY2\EPSON Stylus Photo R1800] c:\windows\system32\spool\drivers\w32x86\3\e_fati9la.exe /p33 "\\nancy2\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
mRun: [Auto EPSON Stylus Photo R1800 on NANCY2] c:\windows\system32\spool\drivers\w32x86\3\e_fati9la.exe /p39 "auto epson stylus photo r1800 on nancy2" /o20 "\\nancy2\StylusR1800" /M "Stylus Photo R1800"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\0035.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-5 214664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-1 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-18 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-5 144704]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-5 40552]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-7-22 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-11 133104]
S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2007-11-5 34639]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2007-8-28 191104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-5 34248]
S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~2\hwdiag\bin\PCD5SRVC.pkms [2007-12-5 20640]
S3 USB-100;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2007-3-5 23938]
S3 VmbInfce;VmbInfce;c:\windows\system32\drivers\vmbinfce.sys [2007-1-29 95104]

=============== Created Last 30 ================

2010-02-27 22:31:31 0 ----a-w- c:\documents and settings\traviss\defogger_reenable
2010-02-26 21:02:55 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-26 21:02:55 1409 ----a-w- c:\windows\QTFont.for
2010-02-26 19:32:13 0 d-sha-r- C:\autorun.inf
2010-02-25 22:33:27 0 d-----w- c:\windows\pss
2010-02-23 02:06:15 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-23 01:49:35 0 d-----w- c:\docume~1\traviss\applic~1\AVG8
2010-02-22 17:47:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-22 05:46:17 0 d-----w- c:\docume~1\traviss\applic~1\Malwarebytes
2010-02-22 05:46:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 05:46:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 05:46:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-22 05:46:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 04:45:50 15872 --sha-w- C:\Thumbs.db
2010-02-22 04:45:46 7680 --sha-w- c:\windows\Thumbs.db
2010-02-21 01:06:52 0 d-----w- c:\docume~1\traviss\applic~1\Office Genuine Advantage
2010-02-14 18:53:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-14 18:53:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-14 18:51:40 0 d-----w- c:\docume~1\traviss\applic~1\Octoshape

==================== Find3M ====================

2010-02-27 22:21:01 1056 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-04-07 22:59:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040720090408\index.dat

============= FINISH: 16:38:19.50 ===============



GMER TEXT


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-27 22:00:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TRAVISS\LOCALS~1\Temp\pwddipob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB0EC578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB0EC5821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB0EC5738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB0EC574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB0EC5835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB0EC5861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB0EC58CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB0EC58B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB0EC57CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB0EC58FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB0EC580D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB0EC5710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB0EC5724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB0EC579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB0EC5937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB0EC58A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB0EC588D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB0EC584B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB0EC5923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB0EC590F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB0EC5776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB0EC5762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB0EC5877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB0EC57F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB0EC58E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB0EC57E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB0EC57B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\cdudf_xp \Device\CdUdf_XP tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 06 - Honky Tonk Man.mp3 2170880 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 01 - North to Alaska.mp3 2764800 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 02 - The Battle of New Orleans.mp3 2469888 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 03 - When It's Springtime in Alaska (It's Forty Below).mp3 2547712 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 04 - Johnny Reb.mp3 2295808 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 05 - I'm Coming Home.mp3 2050048 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 07 - Sink the Bismarck.mp3 3137536 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 08 - All for the Love of a Girl.mp3 2717696 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 09 - The Mansion You Stole.mp3 3024896 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 10 - I'm Ready If You're Willing.mp3 2256896 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 11 - The Jim Bridger Story.mp3 2435072 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 12 - I'm a One Woman Man.mp3 1951744 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 13 - Sleepy-Eyed John.mp3 2654208 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 14 - They'll Never Take Her Love from Me.mp3 3018752 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 15 - Ole Slew Foot.mp3 2281472 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 16 - All Grown Up.mp3 1886208 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 17 - Sal's Got a Sugarlip.mp3 1679360 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 18 - Whispering Pines.mp3 2885632 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 19 - Johnny Freedom.mp3 2787328 bytes
File C:\Documents and Settings\TRAVISS\My Documents\My Music\Johnny Horton1\America Remembers..\Johnny Horton - 20 - Comanche (The Brave Horse).mp3 3045376 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 March 2010 - 02:04 PM

Okay, Gmer has spied the culprit, a modified system file which we can replace with Combofix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE
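The reading m0le gives of the GMER log above can be automated: every IDE device object under \Driver\atapi resolves to the same address inside an "[unknown section]" of atapi.sys, and GMER separately flags the on-disk atapi.sys as "suspicious modification". The script below is an added example for this thread (not GMER's code and not the helper's); it walks a constructed log modelled on the one posted and cross-checks those two indicator types, ignoring everything else.

```python
"""Triage a GMER rootkit-scan log for the indicators that settled this thread.

Added example, not GMER's code and not the helper's script. It recognises only
the two line shapes quoted in the thread: a "Device" entry whose dispatch pointer
resolves into an "[unknown section]" of a driver image, and a "File" entry that
GMER itself marks "suspicious modification". Everything else is ignored.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from and modelled on the GMER output posted above.
SAMPLE_GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F746DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \FileSystem\cdudf_xp \Device\CdUdf_XP tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\TRAVISS\My Documents\My Music\track.mp3 2170880 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Hooked device: "Device <driver object> <device object> [<addr>] <module>[unknown section] {<disasm>}"
DEVICE_HOOK_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\S+?)\[unknown section\]\s+\{(?P<disasm>.*)\}\s*$"
)
# File GMER flags on its own: "File <path> suspicious modification"
MODIFIED_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")


@dataclass
class DeviceHook:
    driver: str
    device: str
    addr: str      # hex address the device's dispatch pointer resolves to
    module: str    # on-disk image GMER maps that address into
    disasm: str    # GMER's disassembly of the bytes found at that address


@dataclass
class GmerTriage:
    hooked_devices: list = field(default_factory=list)
    modified_files: list = field(default_factory=list)

    def hook_addresses(self) -> set:
        """Distinct hook targets; a single shared address means one patched routine."""
        return {h.addr.upper() for h in self.hooked_devices}

    def hooked_modules(self) -> set:
        return {h.module.lower() for h in self.hooked_devices}

    def modified_modules(self) -> set:
        return {p.rsplit("\\", 1)[-1].lower() for p in self.modified_files}

    def corroborated(self) -> set:
        """Modules named by both indicators: hooked in memory AND modified on disk."""
        return self.hooked_modules() & self.modified_modules()


def triage_gmer_log(text: str) -> GmerTriage:
    """Walk the log once and collect both indicator types."""
    result = GmerTriage()
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_HOOK_RE.match(line)
        if m:
            result.hooked_devices.append(
                DeviceHook(m["driver"], m["device"], m["addr"], m["module"], m["disasm"]))
            continue
        m = MODIFIED_FILE_RE.match(line)
        if m:
            result.modified_files.append(m["path"])
    return result


def summarize(triage: GmerTriage) -> list:
    """Findings as plain lines, in the order a helper would read them."""
    lines = []
    for h in triage.hooked_devices:
        lines.append(f"hooked device {h.device} -> {h.module} @ {h.addr} ({h.disasm})")
    for p in triage.modified_files:
        lines.append(f"modified on disk: {p}")
    for mod in sorted(triage.corroborated()):
        lines.append(f"corroborated: {mod} is both hooked in memory and modified on disk")
    if triage.hooked_devices and len(triage.hook_addresses()) == 1:
        lines.append("all hooks resolve to one address: a single patched dispatch routine")
    return lines


if __name__ == "__main__":
    for finding in summarize(triage_gmer_log(SAMPLE_GMER_LOG)):
        print(finding)
```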

#7 Liv2h2oski

Liv2h2oski
  • Topic Starter

  • Members
  • 14 posts

Posted 01 March 2010 - 02:55 PM

Here is the list that the Combofix utility made for me. I am not sure if you can tell by this log whether my computer is fixed or not, or if there are any security breaches or anything like that yet?

I just checked and I am still getting the weird search engine redirections...

Thank you again for your help!




ComboFix 10-03-01.01 - TRAVISS 03/01/2010 13:25:35.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1323 [GMT -6:00]
Running from: c:\documents and settings\TRAVISS\Desktop\ComFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\program files\security toolbar
c:\program files\security toolbar\Uninstall.bat
C:\Thumbs.db
c:\windows\system32\win.ini

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-26 02:53 . 2010-02-26 02:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 02:06 . 2010-02-23 21:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-23 01:49 . 2010-02-23 01:49 -------- d-----w- c:\documents and settings\TRAVISS\Application Data\AVG8
2010-02-22 17:47 . 2010-02-22 17:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-22 05:46 . 2010-02-22 05:46 -------- d-----w- c:\documents and settings\TRAVISS\Application Data\Malwarebytes
2010-02-22 05:46 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 05:46 . 2010-02-22 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-22 05:46 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 05:46 . 2010-02-26 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 01:06 . 2010-02-21 01:06 -------- d-----w- c:\documents and settings\TRAVISS\Application Data\Office Genuine Advantage
2010-02-14 18:54 . 2010-02-14 18:54 503808 ----a-w- c:\documents and settings\TRAVISS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f66b834-n\msvcp71.dll
2010-02-14 18:54 . 2010-02-14 18:54 499712 ----a-w- c:\documents and settings\TRAVISS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f66b834-n\jmc.dll
2010-02-14 18:54 . 2010-02-14 18:54 348160 ----a-w- c:\documents and settings\TRAVISS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f66b834-n\msvcr71.dll
2010-02-14 18:54 . 2010-02-14 18:54 61440 ----a-w- c:\documents and settings\TRAVISS\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ed93e45-n\decora-sse.dll
2010-02-14 18:54 . 2010-02-14 18:54 12800 ----a-w- c:\documents and settings\TRAVISS\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ed93e45-n\decora-d3d.dll
2010-02-14 18:53 . 2010-02-14 18:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-14 18:51 . 2010-02-14 18:51 -------- d-----w- c:\documents and settings\TRAVISS\Application Data\Octoshape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 13:45 . 2009-07-22 15:34 1056 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-01 13:45 . 2009-07-22 15:34 1056 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-26 17:26 . 2005-06-01 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-02-26 17:26 . 2005-03-13 19:07 48 ----a-w- c:\windows\wpd99.drv
2010-02-26 15:36 . 2006-10-20 23:24 -------- d-----w- c:\program files\Google
2010-02-26 13:01 . 2008-10-02 13:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-26 05:20 . 2006-11-04 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 04:42 . 2006-11-04 03:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-23 23:48 . 2005-03-16 02:42 -------- d-----w- c:\program files\palmOne
2010-02-19 03:08 . 2005-04-08 13:51 -------- d-----w- c:\program files\McAfee
2010-02-14 18:55 . 2005-02-23 02:29 -------- d-----w- c:\program files\Common Files\Java
2010-02-14 18:53 . 2005-02-23 02:29 -------- d-----w- c:\program files\Java
2010-02-12 22:17 . 2009-12-02 03:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-22 18:22 . 2009-12-06 22:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-22 18:22 . 2010-01-22 18:22 4852064 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\Leapster2Plugin.exe
2010-01-05 10:00 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 1980-01-01 06:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 1980-01-01 06:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-06 22:36 . 2009-12-06 22:36 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-06 22:36 . 2009-12-06 22:36 3106632 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-07 344064]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-01 1695744]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"\\NANCY2\EPSON Stylus Photo R1800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE" [2004-09-08 98304]
"Auto EPSON Stylus Photo R1800 on NANCY2"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE" [2004-09-08 98304]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2007-08-13 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2007-08-14 1351680]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-25 198160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2004-09-15 07:01 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 17:43 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1170462763\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-15 00:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 08:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-12-22 13:21 823296 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-12-06 04:08 50688 ------w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 17:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
2005-08-22 19:31 94208 ----a-w- c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 15:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-27 07:04 32768 ----a-w- c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-25 02:00 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\SYSTEM32\\MPSMC__U.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Professional\\cuteftppro.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Professional\\ftpte.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170462763\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 8:57 PM 206096]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/5/2007 10:58 AM 24652]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/22/2009 9:26 AM 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/11/2009 9:56 AM 133104]
S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\SYSTEM32\DRIVERS\FTD2XX.sys [11/5/2007 10:41 AM 34639]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\SYSTEM32\DRIVERS\kwusb2k.sys [8/28/2007 3:53 PM 191104]
S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 3:47 PM 20640]
S3 USB-100;SMC Compact USB to Ethernet converter;c:\windows\SYSTEM32\DRIVERS\SMC2208.SYS [3/5/2007 11:35 AM 23938]
S3 VmbInfce;VmbInfce;c:\windows\SYSTEM32\DRIVERS\vmbinfce.sys [1/29/2007 9:32 AM 95104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 15:56]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 15:56]

2005-03-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-05 17:22]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-05 17:22]

2010-02-27 c:\windows\Tasks\Norton Security Scan for TRAVISS.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-21 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.machinetoolandequip.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-DelayShred - c:\program files\McAfee.com\Shredder\SHRED32.EXE
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TOY5KNQ8OC - c:\docume~1\TRAVISS\LOCALS~1\Temp\Sq1.exe
AddRemove-Audacity_is1 - c:\program files\Audacity\unins000.exe
AddRemove-Broadband Support Center - c:\progra~1\VERIZO~1\SUPPOR~1\Uninstall.exe
AddRemove-HijackThis - c:\documents and settings\TRAVISS\Desktop\HijackThis.exe
AddRemove-Macromedia Shockwave Player - c:\windows\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 13:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ABFB8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf746db3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
NDIS: Intel® PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7b3abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b2587b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3044582922-620248263-3882878578-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-03-01 13:39:24
ComboFix-quarantined-files.txt 2010-03-01 19:39

Pre-Run: 11,508,965,376 bytes free
Post-Run: 11,526,840,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FFFFE053A5CB52C02EC7758F50C592A0


#8 Liv2h2oski


Posted 01 March 2010 - 03:07 PM

m0Le,
I was just searching using Internet Explorer, and I am noticing a little RED number "7" on the left of my address line; this is one of the things I notice when I am using Google search and click on something directly from the Google window.
Just something that I noticed...

#9 m0le


Posted 01 March 2010 - 04:04 PM

Are you still getting redirects?
m0le is a proud member of UNITE

#10 Liv2h2oski


Posted 01 March 2010 - 04:05 PM

Yes, it seems like I am getting redirected, usually to some type of search engine with a number "7" in front of it. I shut down and restarted and everything like that, thinking maybe it needed to be rebooted.

#11 Liv2h2oski


Posted 01 March 2010 - 04:08 PM

I just did a search on a specific health care provider, and when I clicked on their link it directed me to some type of health quotes for a different provider, not the URL that I clicked on... this is strange...

#12 m0le


Posted 01 March 2010 - 04:23 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#13 Liv2h2oski


Posted 01 March 2010 - 04:30 PM

SystemLook results


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:24 on 01/03/2010 by TRAVISS (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\DELL\ATAPI.EXE --a--- 28672 bytes [14:23 27/05/2004] [14:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\I386\atapi.sys --a--- 95360 bytes [20:19 04/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [22:26 07/04/2009] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [19:36 01/03/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:56 28/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [06:00 01/01/1980] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--- 95360 bytes [02:18 23/02/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
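
The SystemLook request above (":filefind atapi*") and the results just posted are the kind of output a helper reads by eye: which copies of the driver exist, and whether the in-use copy under system32\drivers still matches the copy the service pack left behind. The following is an added example by the editor, not code from the thread, from SystemLook or from its author; it parses the result lines exactly as posted above, groups copies by MD5 and compares the live driver with the ServicePackFiles\i386 reference. Function names (parse_filefind, group_by_hash, check_live_driver) are the example's own, and it treats the two bracketed timestamps as opaque ts1/ts2 rather than assuming which is "created" and which is "modified".

```python
import re
from collections import defaultdict

# SystemLook ":filefind" result lines, copied verbatim from the log posted above.
SYSTEMLOOK_OUTPUT = r"""
Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\DELL\ATAPI.EXE --a--- 28672 bytes [14:23 27/05/2004] [14:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\I386\atapi.sys --a--- 95360 bytes [20:19 04/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [22:26 07/04/2009] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [19:36 01/03/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:56 28/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [06:00 01/01/1980] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--- 95360 bytes [02:18 23/02/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# One result line: <path> <attrs> <size> bytes [<ts1>] [<ts2>] <MD5>
# SystemLook prints two bracketed timestamps; this example does not depend on
# which is "created" and which is "modified", so they are kept as ts1/ts2 (assumption).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header and separator lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def group_by_hash(entries):
    """Map MD5 -> list of paths, so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def find_entry(entries, fragment):
    """First entry whose path contains `fragment` (case-insensitive match)."""
    fragment = fragment.lower()
    return next((e for e in entries if fragment in e["path"].lower()), None)


def check_live_driver(entries, name="atapi.sys"):
    """Compare the in-use driver (system32/drivers) with the copy the service
    pack installer left under ServicePackFiles/i386."""
    live = find_entry(entries, "\\system32\\drivers\\" + name)
    ref = find_entry(entries, "\\servicepackfiles\\i386\\" + name)
    if live is None or ref is None:
        return {"verdict": "incomplete"}
    same = live["md5"] == ref["md5"] and live["size"] == ref["size"]
    return {
        "verdict": "matches_reference" if same else "differs_from_reference",
        "live_md5": live["md5"],
        "reference_md5": ref["md5"],
        "live_timestamps": (live["ts1"], live["ts2"]),
    }


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_OUTPUT)
    for md5, paths in group_by_hash(found).items():
        print(md5, len(paths), "copies")
    print(check_live_driver(found))
```

On the lines above this reports four distinct hashes and a live atapi.sys that matches the SP3 reference byte for byte. Read together with the rest of the thread, that is the caveat worth remembering: a hash taken on the running machine is read through the same storage stack that a kernel rootkit hooks, so an unchanged MD5 is not evidence that the driver is clean, which is why the next step in the thread is a scan of the driver's dispatch table in memory rather than another file check.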

#14 m0le


Posted 01 March 2010 - 04:47 PM

Let's see if we can shoot it down with TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE

#15 Liv2h2oski


Posted 01 March 2010 - 04:54 PM

15:52:34:959 2820 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:52:34:959 2820 ================================================================================
15:52:34:959 2820 SystemInfo:

15:52:34:959 2820 OS Version: 5.1.2600 ServicePack: 3.0
15:52:34:959 2820 Product type: Workstation
15:52:34:959 2820 ComputerName: TRAVIS2
15:52:34:959 2820 UserName: TRAVISS
15:52:34:959 2820 Windows directory: C:\WINDOWS
15:52:34:959 2820 Processor architecture: Intel x86
15:52:34:959 2820 Number of processors: 1
15:52:34:959 2820 Page size: 0x1000
15:52:34:959 2820 Boot type: Normal boot
15:52:34:959 2820 ================================================================================
15:52:34:979 2820 UnloadDriverW: NtUnloadDriver error 2
15:52:34:979 2820 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:52:35:220 2820 Initialize success
15:52:35:220 2820
15:52:35:220 2820 Scanning Services ...
15:52:35:220 2820 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:52:35:220 2820 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:52:35:220 2820 wfopen_ex: Trying to KLMD file open
15:52:35:220 2820 wfopen_ex: File opened ok (Flags 2)
15:52:35:220 2820 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:52:35:220 2820 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:52:35:220 2820 wfopen_ex: Trying to KLMD file open
15:52:35:220 2820 wfopen_ex: File opened ok (Flags 2)
15:52:35:730 2820 GetAdvancedServicesInfo: Raw services enum returned 445 services
15:52:35:740 2820 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:52:35:740 2820 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:52:35:740 2820
15:52:35:740 2820 Scanning Kernel memory ...
15:52:35:740 2820 Devices to scan: 7
15:52:35:740 2820
15:52:35:740 2820 Driver Name: MXOPSWD
15:52:35:740 2820 IRP_MJ_CREATE : B0DC3DEE
15:52:35:740 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:740 2820 IRP_MJ_CLOSE : B0DC3DEE
15:52:35:740 2820 IRP_MJ_READ : 804FA88E
15:52:35:740 2820 IRP_MJ_WRITE : 804FA88E
15:52:35:740 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:740 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:740 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:740 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:740 2820 IRP_MJ_FLUSH_BUFFERS : 804FA88E
15:52:35:740 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:740 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:740 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:740 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:740 2820 IRP_MJ_DEVICE_CONTROL : B0DC53F0
15:52:35:740 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : B0DC53CE
15:52:35:740 2820 IRP_MJ_SHUTDOWN : 804FA88E
15:52:35:740 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:740 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:740 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:740 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:740 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:740 2820 IRP_MJ_POWER : B0DC481A
15:52:35:740 2820 IRP_MJ_SYSTEM_CONTROL : B0DC5416
15:52:35:740 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:740 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:740 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:771 2820 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:52:35:771 2820 sion
15:52:35:771 2820 C:\WINDOWS\system32\DRIVERS\mxopswd.sys - Verdict: Clean
15:52:35:771 2820
15:52:35:771 2820 Driver Name: Disk
15:52:35:771 2820 IRP_MJ_CREATE : F76BDBB0
15:52:35:771 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:771 2820 IRP_MJ_CLOSE : F76BDBB0
15:52:35:771 2820 IRP_MJ_READ : F76B7D1F
15:52:35:771 2820 IRP_MJ_WRITE : F76B7D1F
15:52:35:771 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:771 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:771 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:771 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:771 2820 IRP_MJ_FLUSH_BUFFERS : F76B82E2
15:52:35:771 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:771 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:771 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:771 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:771 2820 IRP_MJ_DEVICE_CONTROL : F76B83BB
15:52:35:771 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
15:52:35:771 2820 IRP_MJ_SHUTDOWN : F76B82E2
15:52:35:771 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:771 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:771 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:771 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:771 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:771 2820 IRP_MJ_POWER : F76B9C82
15:52:35:771 2820 IRP_MJ_SYSTEM_CONTROL : F76BE99E
15:52:35:771 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:771 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:771 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:831 2820 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:52:35:831 2820 sion
15:52:35:831 2820 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:52:35:831 2820
15:52:35:831 2820 Driver Name: USBSTOR
15:52:35:831 2820 IRP_MJ_CREATE : F781C218
15:52:35:831 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:831 2820 IRP_MJ_CLOSE : F781C218
15:52:35:831 2820 IRP_MJ_READ : F781C23C
15:52:35:831 2820 IRP_MJ_WRITE : F781C23C
15:52:35:831 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:831 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:831 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:831 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:831 2820 IRP_MJ_FLUSH_BUFFERS : 804FA88E
15:52:35:831 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:831 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:831 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:831 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:831 2820 IRP_MJ_DEVICE_CONTROL : F781C180
15:52:35:831 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78179E6
15:52:35:831 2820 IRP_MJ_SHUTDOWN : 804FA88E
15:52:35:831 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:831 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:831 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:831 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:831 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:831 2820 IRP_MJ_POWER : F781B5F0
15:52:35:831 2820 IRP_MJ_SYSTEM_CONTROL : F7819A6E
15:52:35:831 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:831 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:831 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:841 2820 siohd: 0
15:52:35:841 2820 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:52:35:841 2820
15:52:35:841 2820 Driver Name: Disk
15:52:35:841 2820 IRP_MJ_CREATE : F76BDBB0
15:52:35:841 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:841 2820 IRP_MJ_CLOSE : F76BDBB0
15:52:35:841 2820 IRP_MJ_READ : F76B7D1F
15:52:35:841 2820 IRP_MJ_WRITE : F76B7D1F
15:52:35:841 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:841 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:841 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:841 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:841 2820 IRP_MJ_FLUSH_BUFFERS : F76B82E2
15:52:35:841 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:841 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:841 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:841 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:841 2820 IRP_MJ_DEVICE_CONTROL : F76B83BB
15:52:35:851 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
15:52:35:851 2820 IRP_MJ_SHUTDOWN : F76B82E2
15:52:35:851 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:851 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_POWER : F76B9C82
15:52:35:851 2820 IRP_MJ_SYSTEM_CONTROL : F76BE99E
15:52:35:851 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:851 2820 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:52:35:851 2820 sion
15:52:35:851 2820 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:52:35:851 2820
15:52:35:851 2820 Driver Name: Disk
15:52:35:851 2820 IRP_MJ_CREATE : F76BDBB0
15:52:35:851 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:851 2820 IRP_MJ_CLOSE : F76BDBB0
15:52:35:851 2820 IRP_MJ_READ : F76B7D1F
15:52:35:851 2820 IRP_MJ_WRITE : F76B7D1F
15:52:35:851 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:851 2820 IRP_MJ_FLUSH_BUFFERS : F76B82E2
15:52:35:851 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_DEVICE_CONTROL : F76B83BB
15:52:35:851 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
15:52:35:851 2820 IRP_MJ_SHUTDOWN : F76B82E2
15:52:35:851 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:851 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_POWER : F76B9C82
15:52:35:851 2820 IRP_MJ_SYSTEM_CONTROL : F76BE99E
15:52:35:851 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:851 2820 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:52:35:851 2820 sion
15:52:35:851 2820 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:52:35:851 2820
15:52:35:851 2820 Driver Name: Disk
15:52:35:851 2820 IRP_MJ_CREATE : F76BDBB0
15:52:35:851 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:851 2820 IRP_MJ_CLOSE : F76BDBB0
15:52:35:851 2820 IRP_MJ_READ : F76B7D1F
15:52:35:851 2820 IRP_MJ_WRITE : F76B7D1F
15:52:35:851 2820 IRP_MJ_QUERY_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_EA : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_EA : 804FA88E
15:52:35:851 2820 IRP_MJ_FLUSH_BUFFERS : F76B82E2
15:52:35:851 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:52:35:851 2820 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_DEVICE_CONTROL : F76B83BB
15:52:35:851 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
15:52:35:851 2820 IRP_MJ_SHUTDOWN : F76B82E2
15:52:35:851 2820 IRP_MJ_LOCK_CONTROL : 804FA88E
15:52:35:851 2820 IRP_MJ_CLEANUP : 804FA88E
15:52:35:851 2820 IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_SECURITY : 804FA88E
15:52:35:851 2820 IRP_MJ_POWER : F76B9C82
15:52:35:851 2820 IRP_MJ_SYSTEM_CONTROL : F76BE99E
15:52:35:851 2820 IRP_MJ_DEVICE_CHANGE : 804FA88E
15:52:35:851 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:851 2820 IRP_MJ_SET_QUOTA : 804FA88E
15:52:35:851 2820 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:52:35:851 2820 sion
15:52:35:861 2820 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:52:35:861 2820
15:52:35:861 2820 Driver Name: atapi
15:52:35:861 2820 IRP_MJ_CREATE : F746DB3A
15:52:35:861 2820 IRP_MJ_CREATE_NAMED_PIPE : F746DB3A
15:52:35:861 2820 IRP_MJ_CLOSE : F746DB3A
15:52:35:861 2820 IRP_MJ_READ : F746DB3A
15:52:35:861 2820 IRP_MJ_WRITE : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_INFORMATION : F746DB3A
15:52:35:861 2820 IRP_MJ_SET_INFORMATION : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_EA : F746DB3A
15:52:35:861 2820 IRP_MJ_SET_EA : F746DB3A
15:52:35:861 2820 IRP_MJ_FLUSH_BUFFERS : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_VOLUME_INFORMATION : F746DB3A
15:52:35:861 2820 IRP_MJ_SET_VOLUME_INFORMATION : F746DB3A
15:52:35:861 2820 IRP_MJ_DIRECTORY_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_FILE_SYSTEM_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_DEVICE_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_INTERNAL_DEVICE_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_SHUTDOWN : F746DB3A
15:52:35:861 2820 IRP_MJ_LOCK_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_CLEANUP : F746DB3A
15:52:35:861 2820 IRP_MJ_CREATE_MAILSLOT : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_SECURITY : F746DB3A
15:52:35:861 2820 IRP_MJ_SET_SECURITY : F746DB3A
15:52:35:861 2820 IRP_MJ_POWER : F746DB3A
15:52:35:861 2820 IRP_MJ_SYSTEM_CONTROL : F746DB3A
15:52:35:861 2820 IRP_MJ_DEVICE_CHANGE : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_QUOTA : F746DB3A
15:52:35:861 2820 IRP_MJ_SET_QUOTA : F746DB3A
15:52:35:861 2820 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:52:35:861 2820 TDL3_IrpHookDetect: New IrpHandler addr: 8AC448C8
15:52:35:861 2820 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
15:52:35:861 2820 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:52:35:861 2820 cured
15:52:35:861 2820 siohd: 0
15:52:35:871 2820 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
15:52:35:871 2820 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 15:52:35:871 2820 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:52:35:871 2820 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:52:35:951 2820 vfvi6
15:52:36:021 2820 !dsvbh1
15:52:38:244 2820 dsvbh2
15:52:38:264 2820 fdfb2
15:52:38:264 2820 Backup copy found, using it..
15:52:38:454 2820 will be cured on next reboot
15:52:38:454 2820 Reboot required for cure complete..
15:52:38:544 2820 Cure on reboot scheduled successfully
15:52:38:544 2820
15:52:38:544 2820 Completed
15:52:38:544 2820
15:52:38:544 2820 Results:
15:52:38:544 2820 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
15:52:38:544 2820 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:52:38:544 2820 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:52:38:544 2820
15:52:38:544 2820 UnloadDriverW: NtUnloadDriver error 1
15:52:38:544 2820 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:52:38:544 2820 KLMD(ARK) unloaded successfully
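
The "Scanning Kernel memory" section of the log above is where the infection finally shows: for disk.sys and USBSTOR.SYS the IRP_MJ_* majors are spread over several handler addresses, with the majors a storage driver does not implement sharing one kernel address (804FA88E), whereas every one of atapi's 28 majors resolves to the single address F746DB3A, which TDSSKiller then matches as a "TDL3 Stub signature". The following is an added example by the editor, not code from the thread or from TDSSKiller, that parses that section and applies a simple triage heuristic for such uniform dispatch tables, then sets the result beside the verdict the tool printed. The sample log is an abridged excerpt of the posted one (only a few of the IRP rows per driver are kept), and the heuristic, the names parse_irp_tables, looks_hooked and triage, and the RARELY_IMPLEMENTED list are the example's own assumptions.

```python
import re

# Abridged excerpt of the TDSSKiller log posted above (constructed sample: only
# a handful of the 28 IRP_MJ_* rows per driver are kept; the parser copes with
# complete logs in the same format).
TDSSKILLER_LOG = r"""
15:52:35:771 2820 Driver Name: Disk
15:52:35:771 2820 IRP_MJ_CREATE : F76BDBB0
15:52:35:771 2820 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:52:35:771 2820 IRP_MJ_READ : F76B7D1F
15:52:35:771 2820 IRP_MJ_WRITE : F76B7D1F
15:52:35:771 2820 IRP_MJ_QUERY_QUOTA : 804FA88E
15:52:35:831 2820 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:52:35:861 2820 Driver Name: atapi
15:52:35:861 2820 IRP_MJ_CREATE : F746DB3A
15:52:35:861 2820 IRP_MJ_CREATE_NAMED_PIPE : F746DB3A
15:52:35:861 2820 IRP_MJ_READ : F746DB3A
15:52:35:861 2820 IRP_MJ_WRITE : F746DB3A
15:52:35:861 2820 IRP_MJ_QUERY_QUOTA : F746DB3A
15:52:35:871 2820 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# Every log line starts with "<hh:mm:ss:ms> <pid> "; the remainder is matched below.
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (?P<name>\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (?P<major>IRP_MJ_[A-Z_]+) : (?P<addr>[0-9A-F]{8})$")
VERDICT_RE = re.compile(r"^\S+ \d+ (?P<path>\S.*?) - Verdict: (?P<verdict>\w+)$")

# Majors a disk/port driver normally leaves to the kernel. In the clean tables of
# the posted log these all point at one shared kernel address (804FA88E), not at
# the driver's own read/write routine. (Assumption of this example.)
RARELY_IMPLEMENTED = ("IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
                      "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA")


def parse_irp_tables(text):
    """Group the IRP_MJ_* rows and the closing verdict line under each driver."""
    drivers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            current = {"name": m["name"], "irp": {}, "file": None, "verdict": None}
            drivers.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.match(line)
        if m:
            current["irp"][m["major"]] = m["addr"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["file"], current["verdict"] = m["path"], m["verdict"]
    return drivers


def uniform_dispatch(driver):
    """True when every recorded major resolves to the same handler address."""
    addrs = set(driver["irp"].values())
    return len(driver["irp"]) > 1 and len(addrs) == 1


def looks_hooked(driver):
    """Triage heuristic: one address for everything, and majors the driver would
    not implement share it with IRP_MJ_READ. Some legitimate drivers register a
    single catch-all dispatch, so treat a hit as a reason to look closer, not proof."""
    irp = driver["irp"]
    read = irp.get("IRP_MJ_READ")
    if read is None or not uniform_dispatch(driver):
        return False
    return any(irp.get(m) == read for m in RARELY_IMPLEMENTED if m in irp)


def triage(text):
    """Per driver: (name, flagged by the heuristic, verdict printed by the tool)."""
    return [(d["name"], looks_hooked(d), d["verdict"]) for d in parse_irp_tables(text)]


if __name__ == "__main__":
    for name, flagged, verdict in triage(TDSSKILLER_LOG):
        print(f"{name:8s} heuristic={'HOOKED?' if flagged else 'ok'}  tool={verdict}")
```

Run on the excerpt, the heuristic flags only atapi, which agrees with the verdict lines TDSSKiller printed. The point for a defender is the contrast with the SystemLook result earlier in the thread: the file-level check came back identical to the service pack copy, while the dispatch table in memory gave the rootkit away, so the two checks answer different questions and should be read together.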




