
Google & Firefox search results redirected plus can't boot into safe mode


This topic is locked
12 replies to this topic

#1 redirect hell

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 02 March 2010 - 02:20 AM

Please help! I am exhausted trying to find a fix for this problem. I have tried all kinds of things with limited results. It is above my knowledge level and capabilities to resolve. I need someone with professional skills to help me resolve this problem.

I did a bunch of s/w and driver updates and somehow my system became infected. It may have also been from Limewire / Frostwire (since removed). Also, I recall being prompted to install a plug-in or update a codec or something for Quicktime because my system was unable to process a file. After the download nothing happened, at least nothing appeared to have happened, but something else was installed. I think I have fixed part of the problem but have not been able to resolve everything. I removed Quicktime but have had nothing but problems since this download incident.

I started getting random window pop-ups. Then I noticed that search results from Google were getting redirected to marketing sites, alternative search engines, etc. I was using Internet Explorer so decided to try Firefox in case it was only IE that was affected. Firefox had the same problem with Google search results getting redirected.

I decided to try a malware removal software but needed to boot into safe mode to use it effectively. This was when I discovered I could no longer boot into safe mode. Every time I select safe mode (no network) it appears to start listing a bunch of files but then stops and goes back to rebooting again, which brings me back to the same screen prompting me to select a normal boot, last known good configuration, or safe mode options. If I select normal, the system boots fine, but if I select safe mode, it just repeats the same boot cycle just described.

My only option has been running malware, antivirus, etc. etc. etc. scans from a normal boot. I have tried a plethora of software with only the pop-ups appearing to have been fixed. The redirected search results and the inability to boot in safe mode are still both problematic.

Currently I am using AVG Free 9.0, Ad-Aware 8.2.0, MalwareBytes 1.44. I tried many other things which have not removed the problem(s).

Also, my internet browsing seems to get very slow and bogged down with all the redirect activity.

There have been times when I thought the problem was fixed because the redirects stopped and the speed of my browser returned to normal, but eventually the redirects start happening again, and my system gets very slow while surfing. I'm afraid because I can't boot into safe mode that whatever has infected my system keeps regenerating itself somehow.

Again, this is beyond my knowledge level and I need the assistance of a professional.

As requested in the forum guidelines I am attaching the following:

DDS.txt


DDS (Ver_09-12-01.01) - FAT32x86
Run by (name removed) at 0:28:14.21 on 02/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1400 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Larry Dunlop\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\watcher\WaHelper.exe"
mRun: [CtrlVol] "c:\program files\launch manager\CtrlVol.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [epm-dm] c:\acer\epm\epm-dm.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://systemrequirementslab.com.s3.amazonaws.com/iduu/bin/srldetect_intel.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\larryd~1\applic~1\mozilla\firefox\profiles\c7tmfqev.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-9 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-9 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-9 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-9 360584]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-7-6 188416]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-9 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-9 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-6-1 64000]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9a002cc2d197a;Google Update Service (gupdate1c9a002cc2d197a);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-9-19 2343]

=============== Created Last 30 ================

2010-03-01 06:28:30 0 d-sh--w- C:\Recycled
2010-03-01 06:15:57 98816 ----a-w- c:\windows\sed.exe
2010-03-01 06:15:57 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 06:15:57 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 06:15:57 161792 ----a-w- c:\windows\SWREG.exe
2010-03-01 01:50:35 2 --sha-r- c:\windows\winstart.bat
2010-03-01 01:49:21 0 d-----w- c:\program files\UnHackMe
2010-02-28 20:22:56 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-02-28 20:22:56 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-02-24 03:51:28 0 d-----w- c:\docume~1\larryd~1\applic~1\Malwarebytes
2010-02-24 03:51:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 03:51:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 03:51:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 03:51:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-23 08:37:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-23 08:02:28 0 d-----w- c:\docume~1\larryd~1\applic~1\AVG9
2010-02-23 07:16:46 0 d-sha-r- C:\cmdcons
2010-02-19 02:35:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-19 02:32:37 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-18 06:36:15 318 ----a-w- c:\windows\system32\drivers\czkczisa.dat
2010-02-14 08:03:55 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-14 08:00:09 0 d-----w- C:\Intel
2010-02-14 07:53:04 0 d-----w- c:\program files\SystemRequirementsLab
2010-02-14 06:54:01 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
2010-02-14 06:44:24 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-14 06:44:24 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-10 08:11:21 0 d--h--w- c:\windows\ie8
2010-02-10 05:24:19 0 d-----w- C:\$AVG
2010-02-10 04:00:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 04:00:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 04:00:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 04:00:24 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-10 04:00:18 0 d-----w- c:\program files\AVG
2010-02-10 04:00:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-10 03:55:24 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 03:34:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 03:32:15 0 d-----w- c:\program files\Lavasoft
2010-02-10 02:58:06 0 d-----w- c:\docume~1\larryd~1\applic~1\Auslogics
2010-02-10 02:54:41 0 d-----w- c:\program files\Auslogics
2010-02-09 21:33:00 127 ----a-w- c:\windows\system32\MRT.INI
2010-02-09 21:27:31 0 d-----w- c:\docume~1\larryd~1\applic~1\download
2010-02-09 21:12:56 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-09 21:12:56 1409 ----a-w- c:\windows\QTFont.for
2010-02-08 18:38:29 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-21 00:19:24 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-01-11 01:44:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011020090111\index.dat
2009-10-17 18:16:04 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 0:28:57.23 ===============




Attached is the "Attach.txt" file in WinRAR ZIP format.

Here is the Ark.txt file:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 00:50:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LARRYD~1\LOCALS~1\Temp\fgldapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA19887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA198BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdePort0 [B9F04B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9F04B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9F04B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sdcplh.sys (SDCPLH/Macrovision Europe Ltd)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device vobiw.SYS (InstantWrite File System Driver/Pinnacle Systems GmbH)
Device Fastfat.sys (Fast FAT File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




Thanks in advance for your help. Much appreciated! What would the world be like without volunteers like yourselves?


#2 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:14 AM

Posted 06 March 2010 - 07:32 PM

Hello and Welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 redirect hell

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 07 March 2010 - 03:18 PM

I am pleased to hear from you. Thanks for your help, Syler.

Your reply asked for me to copy and paste but no location was provided. I have attached the requested files in this reply.

OTL logfile created on: 07/03/2010 2:37:21 PM - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\xxxxx xxxxxx\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 26.12 Gb Total Space | 1.73 Gb Free Space | 6.63% Space Free | Partition Type: FAT32
Drive D: | 26.61 Gb Total Space | 13.92 Gb Free Space | 52.33% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: xxxxxx
Current User Name: xxxxx xxxxxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/07 14:34:02 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\OTL.exe
PRC - [2010/02/18 21:33:56 | 000,815,184 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/02/18 21:33:54 | 001,229,232 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/09 23:00:22 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/09 23:00:22 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/02/09 23:00:22 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/02/09 23:00:22 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/02/09 23:00:20 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/02/09 23:00:20 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/04/20 09:48:42 | 000,053,248 | ---- | M] (Sierra Wireless Inc.) -- C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/10/26 16:18:52 | 000,212,992 | ---- | M] (Acer Inc) -- C:\Acer\ePM\epm-dm.exe
PRC - [2005/02/04 11:12:58 | 000,102,490 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


========== Modules (SafeList) ==========

MOD - [2010/03/07 14:34:02 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\OTL.exe
MOD - [2005/02/04 11:12:50 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/18 21:33:54 | 001,229,232 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/09 23:00:20 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/02/09 23:00:20 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2008/12/01 10:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/04/21 20:26:56 | 000,778,240 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe -- (NetMDSB)
SRV - [2004/01/30 15:19:20 | 000,065,625 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe -- (PACSPTISVR)
SRV - [2004/01/30 15:16:06 | 000,065,622 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe -- (SPTISRV)


========== Driver Services (SafeList) ==========

DRV - [2010/02/09 23:00:44 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/02/09 23:00:30 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/02/09 23:00:28 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/02/04 10:53:04 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/11/11 07:26:02 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2009/02/27 15:51:40 | 000,171,400 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)
DRV - [2009/02/27 15:51:36 | 000,149,512 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmx00.sys -- (SWMX00) Sierra Wireless USB MUX Driver (#00)
DRV - [2008/09/16 14:18:32 | 000,026,888 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/04/13 13:54:36 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2008/04/13 13:36:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/01/13 10:33:18 | 005,672,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/09/19 13:01:42 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2006/02/17 14:07:26 | 000,055,168 | ---- | M] (Macrovision Europe Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sdcplh.sys -- (sdcplh)
DRV - [2005/04/19 10:40:52 | 002,317,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/07 18:08:46 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2005/02/04 10:59:46 | 000,193,216 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/12/22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/12/17 17:14:44 | 000,013,952 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2004/12/15 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/12/02 16:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/07/19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2004/07/06 17:06:46 | 000,188,416 | ---- | M] (Pinnacle Systems GmbH) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\vobIW.sys -- (vobiw)
DRV - [2004/06/01 12:41:46 | 000,064,000 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Cdrdrv.sys -- (cdrdrv)
DRV - [2004/03/10 15:27:18 | 000,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2003/12/05 18:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/04/28 11:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\HOTKEY.sys -- (Hotkey)
DRV - [2002/08/08 15:51:32 | 000,038,951 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETMDUSB.sys -- (NETMDUSB)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2000/12/19 18:29:52 | 000,002,343 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Launch Manager\POWERKEY.SYS -- (POWERKEY)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
IE - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\S-1-5-21-3553019745-2591160144-1652453794-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.ca"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: en-CA@dictionaries.addons.mozilla.org:1.1.5
FF - prefs.js..extensions.enabledItems: {F645A8C9-E969-42D9-B3F3-F325537222FD}:1.1.6
FF - prefs.js..extensions.enabledItems: optout@google.com:1.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: chromifox@altmusictv.com:3.6.4

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/10 03:31:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/10 03:31:20 | 000,000,000 | ---D | M]

[2010/02/09 13:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Extensions
[2010/02/09 13:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/02/10 03:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions
[2010/02/10 03:48:42 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/10 03:48:42 | 000,000,000 | ---D | M] (QuickRestart) -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
[2010/02/28 11:36:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions\chromifox@altmusictv.com
[2010/02/10 03:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions\en-CA@dictionaries.addons.mozilla.org
[2010/02/14 03:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\extensions\optout@google.com
[2010/02/10 03:31:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/23 02:29:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe (Wistron)
O4 - HKLM..\Run: [epm-dm] c:\Acer\ePM\epm-dm.exe (Acer Inc)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [preload] C:\WINDOWS\RUNXMLPL.EXE (Wistron)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatcherHelper] C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe (Sierra Wireless Inc.)
O4 - Startup: C:\Documents and Settings\Jenn Dunlop\Start Menu\Programs\Startup\Trivial Pursuit_ Unhinged Registration.lnk = C:\Documents and Settings\Jenn Dunlop\Local Settings\Temp\{FD701233-9516-4F30-A0F5-ECFBB22245D9}\{4E61888C-3D42-4691-AD25-E9AF648EAB63}\ATR1.EXE File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3553019745-2591160144-1652453794-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s...el_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/09/14 12:52:08 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173366603513856)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/07 14:34:02 | 000,553,984 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\OTL.exe
[2010/03/07 13:16:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/03/07 13:06:48 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/03/06 10:07:31 | 000,000,000 | ---D | C] -- C:\Temp
[2010/03/04 22:02:32 | 000,177,928 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\Ace.com.exe
[2010/03/02 21:17:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\8B216CB3F43B4C7BB30FE4111A7F37A7.TMP
[2010/03/02 00:42:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\gmer
[2010/03/01 01:28:30 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/03/01 01:15:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/01 01:15:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/01 01:15:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/01 01:15:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/01 01:13:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/28 20:49:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\My Documents\RegRun2
[2010/02/28 20:49:21 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/02/28 15:41:14 | 000,016,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/02/23 22:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Malwarebytes
[2010/02/23 22:51:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/23 22:51:22 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/23 22:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/23 22:51:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/23 03:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/23 03:38:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/23 03:37:30 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/23 03:37:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/23 03:37:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/23 03:37:30 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/23 03:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\AVG9
[2010/02/23 02:35:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/23 02:16:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/23 02:14:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/18 21:35:22 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/18 21:32:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/02/17 23:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/02/14 03:03:55 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/02/14 03:01:08 | 000,057,344 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igxprd32.dll
[2010/02/14 03:01:07 | 005,672,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\igxpmp32.sys
[2010/02/14 03:01:07 | 001,563,776 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igxpdv32.dll
[2010/02/14 03:01:07 | 000,450,560 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igldev32.dll
[2010/02/14 03:01:07 | 000,149,504 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igxpgd32.dll
[2010/02/14 03:01:06 | 002,482,688 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igxpdx32.dll
[2010/02/14 03:01:06 | 002,334,720 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\iglicd32.dll
[2010/02/14 03:01:06 | 000,176,128 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrsky.lrc
[2010/02/14 03:01:06 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrslv.lrc
[2010/02/14 03:01:03 | 000,389,120 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\igxpun.exe
[2010/02/14 03:01:03 | 000,319,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\difxapi.dll
[2010/02/14 03:01:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2010/02/14 03:00:09 | 000,000,000 | ---D | C] -- C:\Intel
[2010/02/14 02:53:04 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2010/02/14 01:54:01 | 001,654,784 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\W29MLRES.dll
[2010/02/14 01:44:24 | 002,732,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2r32.dll
[2010/02/14 01:44:24 | 000,557,056 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2c32.dll
[2010/02/10 03:31:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\Mozilla
[2010/02/10 03:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/10 03:11:21 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/10 00:24:19 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/02/09 23:00:45 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/02/09 23:00:43 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/09 23:00:29 | 000,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/09 23:00:27 | 000,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/09 23:00:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/02/09 23:00:18 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/02/09 23:00:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/02/09 22:34:22 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/09 22:32:15 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/02/09 22:32:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/02/09 21:58:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Auslogics
[2010/02/09 21:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2010/02/09 18:09:11 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/02/09 18:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/02/09 16:27:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\download
[2010/02/09 13:48:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx xxxxxx\Application Data\Mozilla
[2010/02/08 13:38:29 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/03/10 08:55:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/03/08 11:30:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2004/09/14 13:09:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/09/14 13:09:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/09/14 12:56:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/09/14 12:56:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/07 14:37:30 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\NTUSER.DAT
[2010/03/07 14:34:02 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\OTL.exe
[2010/03/07 13:47:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/07 13:15:08 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/07 13:14:46 | 000,000,098 | ---- | M] () -- C:\WINDOWS\ComponentList.xml
[2010/03/07 13:14:34 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/07 13:14:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/07 13:14:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/07 13:14:10 | 2137,509,888 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/07 13:12:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\ntuser.ini
[2010/03/07 08:53:04 | 056,819,350 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/04 21:58:56 | 000,154,657 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\tdsskiller.zip
[2010/03/04 21:15:38 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/03/03 00:01:54 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/02 01:58:50 | 000,004,206 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\Attach.zip
[2010/03/02 00:24:12 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\dds.scr
[2010/03/01 01:22:10 | 000,000,262 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/28 22:29:38 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/28 22:29:38 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/02/28 22:29:38 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/02/28 19:16:06 | 000,000,652 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/28 19:16:06 | 000,000,264 | -HS- | M] () -- C:\boot.ini
[2010/02/28 15:41:32 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\Windows Media Player.lnk
[2010/02/28 15:40:58 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/02/28 15:40:58 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/02/28 15:40:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/28 15:30:26 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/02/28 14:37:12 | 000,009,686 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\avg scan info feb 28 2010.csv
[2010/02/28 00:16:42 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\gmer.zip
[2010/02/27 13:29:40 | 000,177,928 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\xxxxx xxxxxxp\Desktop\Ace.com.exe
[2010/02/27 00:02:52 | 000,467,814 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\PARDON 8274763_20100226234719.pdf
[2010/02/26 23:55:02 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/25 08:32:28 | 000,007,698 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\avg scan info feb 25 2010.csv
[2010/02/24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/02/23 22:51:28 | 000,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 03:37:24 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/23 03:37:24 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/23 03:37:24 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/23 03:37:24 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/23 02:07:02 | 000,000,194 | ---- | M] () -- C:\Boot.bak
[2010/02/18 21:35:22 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/18 21:32:36 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/18 01:36:18 | 000,000,318 | ---- | M] () -- C:\WINDOWS\System32\drivers\czkczisa.dat
[2010/02/13 16:37:20 | 001,191,527 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\My Documents\Jenn Air JXT5836ADS Use And Care Guide.pdf
[2010/02/13 16:31:26 | 000,478,175 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\My Documents\Jenn Air JXT5836ADS Range Hood.pdf
[2010/02/11 01:18:26 | 000,061,272 | ---- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/10 13:25:50 | 000,228,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/10 03:31:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/02/10 03:31:22 | 000,001,510 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/10 03:14:30 | 004,288,540 | -H-- | M] () -- C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\IconCache.db
[2010/02/09 23:45:16 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/09 23:00:48 | 000,001,415 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/09 23:00:46 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/02/09 23:00:44 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/09 23:00:30 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/09 23:00:28 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/09 23:00:28 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/09 23:00:26 | 006,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/02/09 23:00:26 | 000,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/02/09 22:43:38 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/02/09 21:38:28 | 000,763,766 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate
[2010/02/09 21:34:08 | 000,000,451 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2010/02/09 17:01:36 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/02/09 16:33:02 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/09 16:12:58 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/02/09 12:44:52 | 000,001,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/08 14:05:44 | 000,358,194 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/08 14:05:44 | 000,313,514 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/08 14:05:44 | 000,041,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/06 12:33:05 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/03/04 21:58:55 | 000,154,657 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\tdsskiller.zip
[2010/03/02 01:58:49 | 000,004,206 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\Attach.zip
[2010/03/02 00:24:10 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\dds.scr
[2010/03/01 01:15:57 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/01 01:15:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/01 01:15:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/01 01:15:57 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/01 01:15:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/28 20:50:35 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/02/28 15:23:35 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\Windows Media Player.lnk
[2010/02/28 15:22:56 | 000,023,392 | ---- | C] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/02/28 15:22:56 | 000,016,832 | ---- | C] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/02/28 14:37:11 | 000,009,686 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\avg scan info feb 28 2010.csv
[2010/02/28 00:16:40 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\gmer.zip
[2010/02/26 23:48:04 | 000,467,814 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\PARDON 8274763_20100226234719.pdf
[2010/02/25 08:32:26 | 000,007,698 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Desktop\avg scan info feb 25 2010.csv
[2010/02/23 22:51:26 | 000,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 02:16:50 | 000,000,194 | ---- | C] () -- C:\Boot.bak
[2010/02/23 02:16:48 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/18 21:32:35 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/18 01:36:15 | 000,000,318 | ---- | C] () -- C:\WINDOWS\System32\drivers\czkczisa.dat
[2010/02/14 03:01:06 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll
[2010/02/14 03:01:06 | 000,024,784 | ---- | C] () -- C:\WINDOWS\System32\igxpxs32.vp
[2010/02/14 03:01:06 | 000,002,096 | ---- | C] () -- C:\WINDOWS\System32\igxpxk32.vp
[2010/02/14 03:01:03 | 000,121,232 | ---- | C] () -- C:\WINDOWS\System32\IScrNBR.bmp
[2010/02/14 03:01:03 | 000,121,232 | ---- | C] () -- C:\WINDOWS\System32\IScrNB.bmp
[2010/02/13 16:37:18 | 001,191,527 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\My Documents\Jenn Air JXT5836ADS Use And Care Guide.pdf
[2010/02/13 16:31:24 | 000,478,175 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\My Documents\Jenn Air JXT5836ADS Range Hood.pdf
[2010/02/10 14:09:17 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/10 03:31:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/10 03:31:21 | 000,001,510 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/09 23:00:46 | 000,001,415 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/09 23:00:27 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/09 23:00:24 | 056,819,350 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/09 23:00:24 | 006,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/02/09 23:00:24 | 000,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/02/09 23:00:24 | 000,142,495 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/09 22:55:24 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/02/09 22:38:48 | 000,000,458 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/09 21:38:11 | 000,763,766 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate
[2010/02/09 16:33:00 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/09 16:12:56 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/02/09 16:12:56 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/02/09 12:44:50 | 000,001,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/08/02 14:40:22 | 000,000,011 | ---- | C] () -- C:\WINDOWS\egypte.ini
[2008/09/16 14:18:32 | 000,026,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/08/09 04:27:40 | 000,000,086 | ---- | C] () -- C:\WINDOWS\CIV.INI
[2008/02/27 00:12:06 | 000,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/01/21 22:30:01 | 000,000,272 | ---- | C] () -- C:\WINDOWS\ChkMail.Ini
[2007/11/27 18:27:07 | 000,000,242 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2006/10/18 21:44:07 | 000,000,208 | ---- | C] () -- C:\WINDOWS\CDPLAYER.INI
[2006/10/16 23:20:04 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2006/10/15 12:42:48 | 000,000,419 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2006/09/28 02:13:00 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.xxxxx xxxxxx.ini
[2006/09/25 23:14:13 | 000,001,838 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/09/23 22:46:11 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2006/09/20 01:07:48 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\xxxxx xxxxxx\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/19 09:53:38 | 000,000,451 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2006/09/19 09:52:01 | 000,009,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\HOTKEY.sys
[2005/06/20 02:42:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/20 02:17:32 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/06/20 02:16:32 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/06/20 02:16:32 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/06/20 02:16:32 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/06/20 02:16:32 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/01/21 11:48:08 | 000,225,280 | ---- | C] () -- C:\WINDOWS\Capsule.dll
[2004/12/17 17:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/09/07 14:23:16 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/03/18 07:44:29 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2003/11/24 15:55:48 | 000,743,424 | ---- | C] () -- C:\WINDOWS\libxml2.dll
[2003/11/24 15:55:32 | 000,872,448 | ---- | C] () -- C:\WINDOWS\iconv.dll
[2003/07/21 16:52:40 | 000,001,150 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2002/02/27 17:28:16 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2002/02/27 17:28:16 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2002/02/27 17:28:14 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2002/02/27 17:28:14 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2002/02/27 17:28:14 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2001/12/26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1997/11/10 15:18:48 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/10 20:30:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/01/10 20:30:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/10 20:30:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/01/10 20:30:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 05:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/13 19:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/13 19:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >



Please note that I modified the files to replace the computer name with "xxxxxx" and the path showing my personal name with "xxxxx xxxxxx".

Thanks again for your help. I look forward to your reply.



Edited by syler, 07 March 2010 - 03:26 PM.
post logs


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 03:30 PM

Hi redirect hell,

I have edited your post so I could copy and paste the log, it makes it more difficult for me otherwise. Please post
all logs in your reply, like this, thanks.
  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt
  • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.



#5 redirect hell

redirect hell
  • Topic Starter

  • Members
  • 6 posts

Posted 07 March 2010 - 04:37 PM

I was not prompted to delete anything.

Here is the output log.

16:32:20:125 2364 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
16:32:20:125 2364 ================================================================================
16:32:20:125 2364 SystemInfo:

16:32:20:125 2364 OS Version: 5.1.2600 ServicePack: 3.0
16:32:20:125 2364 Product type: Workstation
16:32:20:125 2364 ComputerName: xxxxxx
16:32:20:125 2364 UserName: xxxxx xxxxxx
16:32:20:125 2364 Windows directory: C:\WINDOWS
16:32:20:125 2364 Processor architecture: Intel x86
16:32:20:125 2364 Number of processors: 1
16:32:20:125 2364 Page size: 0x1000
16:32:20:125 2364 Boot type: Normal boot
16:32:20:125 2364 ================================================================================
16:32:20:140 2364 UnloadDriverW: NtUnloadDriver error 2
16:32:20:140 2364 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:32:20:171 2364 Initialize success
16:32:20:171 2364
16:32:20:171 2364 Scanning Services ...
16:32:20:171 2364 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:32:20:171 2364 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:32:20:171 2364 wfopen_ex: Trying to KLMD file open
16:32:20:171 2364 wfopen_ex: File opened ok (Flags 2)
16:32:20:171 2364 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:32:20:171 2364 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:32:20:171 2364 wfopen_ex: Trying to KLMD file open
16:32:20:171 2364 wfopen_ex: File opened ok (Flags 2)
16:32:20:437 2364 GetAdvancedServicesInfo: Raw services enum returned 358 services
16:32:20:437 2364 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:32:20:437 2364 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:32:20:437 2364
16:32:20:437 2364 Scanning Kernel memory ...
16:32:20:437 2364 Devices to scan: 4
16:32:20:437 2364
16:32:20:437 2364 Driver Name: Disk
16:32:20:437 2364 IRP_MJ_CREATE : BA18EBB0
16:32:20:437 2364 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
16:32:20:437 2364 IRP_MJ_CLOSE : BA18EBB0
16:32:20:437 2364 IRP_MJ_READ : BA188D1F
16:32:20:437 2364 IRP_MJ_WRITE : BA188D1F
16:32:20:437 2364 IRP_MJ_QUERY_INFORMATION : 804F355A
16:32:20:437 2364 IRP_MJ_SET_INFORMATION : 804F355A
16:32:20:437 2364 IRP_MJ_QUERY_EA : 804F355A
16:32:20:437 2364 IRP_MJ_SET_EA : 804F355A
16:32:20:437 2364 IRP_MJ_FLUSH_BUFFERS : BA1892E2
16:32:20:437 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
16:32:20:437 2364 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
16:32:20:437 2364 IRP_MJ_DIRECTORY_CONTROL : 804F355A
16:32:20:437 2364 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
16:32:20:437 2364 IRP_MJ_DEVICE_CONTROL : BA1893BB
16:32:20:437 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA18CF28
16:32:20:437 2364 IRP_MJ_SHUTDOWN : BA1892E2
16:32:20:437 2364 IRP_MJ_LOCK_CONTROL : 804F355A
16:32:20:437 2364 IRP_MJ_CLEANUP : 804F355A
16:32:20:437 2364 IRP_MJ_CREATE_MAILSLOT : 804F355A
16:32:20:437 2364 IRP_MJ_QUERY_SECURITY : 804F355A
16:32:20:437 2364 IRP_MJ_SET_SECURITY : 804F355A
16:32:20:437 2364 IRP_MJ_POWER : BA18AC82
16:32:20:437 2364 IRP_MJ_SYSTEM_CONTROL : BA18F99E
16:32:20:437 2364 IRP_MJ_DEVICE_CHANGE : 804F355A
16:32:20:437 2364 IRP_MJ_QUERY_QUOTA : 804F355A
16:32:20:437 2364 IRP_MJ_SET_QUOTA : 804F355A
16:32:20:453 2364 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:32:20:453 2364 sion
16:32:20:453 2364 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:32:20:453 2364
16:32:20:453 2364 Driver Name: Disk
16:32:20:453 2364 IRP_MJ_CREATE : BA18EBB0
16:32:20:453 2364 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
16:32:20:453 2364 IRP_MJ_CLOSE : BA18EBB0
16:32:20:453 2364 IRP_MJ_READ : BA188D1F
16:32:20:453 2364 IRP_MJ_WRITE : BA188D1F
16:32:20:453 2364 IRP_MJ_QUERY_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_SET_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_QUERY_EA : 804F355A
16:32:20:453 2364 IRP_MJ_SET_EA : 804F355A
16:32:20:453 2364 IRP_MJ_FLUSH_BUFFERS : BA1892E2
16:32:20:453 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_DIRECTORY_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_DEVICE_CONTROL : BA1893BB
16:32:20:453 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA18CF28
16:32:20:453 2364 IRP_MJ_SHUTDOWN : BA1892E2
16:32:20:453 2364 IRP_MJ_LOCK_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_CLEANUP : 804F355A
16:32:20:453 2364 IRP_MJ_CREATE_MAILSLOT : 804F355A
16:32:20:453 2364 IRP_MJ_QUERY_SECURITY : 804F355A
16:32:20:453 2364 IRP_MJ_SET_SECURITY : 804F355A
16:32:20:453 2364 IRP_MJ_POWER : BA18AC82
16:32:20:453 2364 IRP_MJ_SYSTEM_CONTROL : BA18F99E
16:32:20:453 2364 IRP_MJ_DEVICE_CHANGE : 804F355A
16:32:20:453 2364 IRP_MJ_QUERY_QUOTA : 804F355A
16:32:20:453 2364 IRP_MJ_SET_QUOTA : 804F355A
16:32:20:453 2364 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:32:20:453 2364 sion
16:32:20:453 2364 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:32:20:453 2364
16:32:20:453 2364 Driver Name: Disk
16:32:20:453 2364 IRP_MJ_CREATE : BA18EBB0
16:32:20:453 2364 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
16:32:20:453 2364 IRP_MJ_CLOSE : BA18EBB0
16:32:20:453 2364 IRP_MJ_READ : BA188D1F
16:32:20:453 2364 IRP_MJ_WRITE : BA188D1F
16:32:20:453 2364 IRP_MJ_QUERY_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_SET_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_QUERY_EA : 804F355A
16:32:20:453 2364 IRP_MJ_SET_EA : 804F355A
16:32:20:453 2364 IRP_MJ_FLUSH_BUFFERS : BA1892E2
16:32:20:453 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
16:32:20:453 2364 IRP_MJ_DIRECTORY_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_DEVICE_CONTROL : BA1893BB
16:32:20:453 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA18CF28
16:32:20:453 2364 IRP_MJ_SHUTDOWN : BA1892E2
16:32:20:453 2364 IRP_MJ_LOCK_CONTROL : 804F355A
16:32:20:453 2364 IRP_MJ_CLEANUP : 804F355A
16:32:20:453 2364 IRP_MJ_CREATE_MAILSLOT : 804F355A
16:32:20:453 2364 IRP_MJ_QUERY_SECURITY : 804F355A
16:32:20:453 2364 IRP_MJ_SET_SECURITY : 804F355A
16:32:20:453 2364 IRP_MJ_POWER : BA18AC82
16:32:20:453 2364 IRP_MJ_SYSTEM_CONTROL : BA18F99E
16:32:20:468 2364 IRP_MJ_DEVICE_CHANGE : 804F355A
16:32:20:468 2364 IRP_MJ_QUERY_QUOTA : 804F355A
16:32:20:468 2364 IRP_MJ_SET_QUOTA : 804F355A
16:32:20:468 2364 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:32:20:468 2364 sion
16:32:20:468 2364 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:32:20:468 2364
16:32:20:468 2364 Driver Name: atapi
16:32:20:468 2364 IRP_MJ_CREATE : B9F04B3A
16:32:20:468 2364 IRP_MJ_CREATE_NAMED_PIPE : B9F04B3A
16:32:20:468 2364 IRP_MJ_CLOSE : B9F04B3A
16:32:20:468 2364 IRP_MJ_READ : B9F04B3A
16:32:20:468 2364 IRP_MJ_WRITE : B9F04B3A
16:32:20:468 2364 IRP_MJ_QUERY_INFORMATION : B9F04B3A
16:32:20:468 2364 IRP_MJ_SET_INFORMATION : B9F04B3A
16:32:20:468 2364 IRP_MJ_QUERY_EA : B9F04B3A
16:32:20:468 2364 IRP_MJ_SET_EA : B9F04B3A
16:32:20:468 2364 IRP_MJ_FLUSH_BUFFERS : B9F04B3A
16:32:20:468 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : B9F04B3A
16:32:20:468 2364 IRP_MJ_SET_VOLUME_INFORMATION : B9F04B3A
16:32:20:468 2364 IRP_MJ_DIRECTORY_CONTROL : B9F04B3A
16:32:20:468 2364 IRP_MJ_FILE_SYSTEM_CONTROL : B9F04B3A
16:32:20:468 2364 IRP_MJ_DEVICE_CONTROL : B9DB6A08
16:32:20:468 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9DB6684
16:32:20:468 2364 IRP_MJ_SHUTDOWN : B9F04B3A
16:32:20:468 2364 IRP_MJ_LOCK_CONTROL : B9F04B3A
16:32:20:468 2364 IRP_MJ_CLEANUP : B9F04B3A
16:32:20:468 2364 IRP_MJ_CREATE_MAILSLOT : B9F04B3A
16:32:20:468 2364 IRP_MJ_QUERY_SECURITY : B9F04B3A
16:32:20:468 2364 IRP_MJ_SET_SECURITY : B9F04B3A
16:32:20:468 2364 IRP_MJ_POWER : B9F04B3A
16:32:20:468 2364 IRP_MJ_SYSTEM_CONTROL : B9F04B3A
16:32:20:468 2364 IRP_MJ_DEVICE_CHANGE : B9F04B3A
16:32:20:468 2364 IRP_MJ_QUERY_QUOTA : B9F04B3A
16:32:20:468 2364 IRP_MJ_SET_QUOTA : B9F04B3A
16:32:20:468 2364 siohd: 0
16:32:20:484 2364 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:32:20:484 2364
16:32:20:484 2364 Completed
16:32:20:484 2364
16:32:20:484 2364 Results:
16:32:20:484 2364 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:32:20:484 2364 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:32:20:484 2364 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:32:20:484 2364
16:32:20:484 2364 KLMD(ARK) unloaded successfully

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 04:44 PM

Well, that didn't work; let's try something else.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 redirect hell

redirect hell
  • Topic Starter

  • Members
  • 6 posts

Posted 07 March 2010 - 05:40 PM

I've run ComboFix as requested. It discovered rootkit activity. Atapi.sys was infected.

Here is the output log:

ComboFix 10-03-07.02 - xxxxx xxxxxx 07/03/2010 17:11:33.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1416 [GMT -5:00]
Running from: c:\documents and settings\xxxxx xxxxxx\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-07 18:06 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-06 17:33 . 2009-12-12 14:15 178176 ----a-w- c:\windows\system32\unrar.dll
2010-03-06 15:07 . 2010-03-06 15:07 -------- d-----w- C:\Temp
2010-03-03 02:17 . 2010-03-03 02:17 -------- d-----w- c:\windows\8B216CB3F43B4C7BB30FE4111A7F37A7.TMP
2010-03-01 01:50 . 2010-03-01 03:29 2 --sha-r- c:\windows\winstart.bat
2010-03-01 01:49 . 2010-03-01 01:49 -------- d-----w- c:\program files\UnHackMe
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\documents and settings\xxxxx xxxxx\Application Data\Malwarebytes
2010-02-24 03:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-24 03:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:40 . 2010-02-23 08:39 439808 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\ZoomBrowser EX\Desktop\TFC.exe
2010-02-23 08:38 . 2010-02-23 08:38 61440 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ea0652a-n\decora-sse.dll
2010-02-23 08:38 . 2010-02-23 08:38 12800 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ea0652a-n\decora-d3d.dll
2010-02-23 08:38 . 2010-02-23 08:38 503808 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\msvcp71.dll
2010-02-23 08:38 . 2010-02-23 08:38 499712 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\jmc.dll
2010-02-23 08:38 . 2010-02-23 08:38 348160 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\msvcr71.dll
2010-02-23 08:38 . 2010-02-23 08:38 -------- d-----w- c:\program files\Common Files\Java
2010-02-23 08:02 . 2010-02-23 08:02 -------- d-----w- c:\documents and settings\xxxxx xxxxx\Application Data\AVG9
2010-02-19 02:35 . 2010-02-19 02:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-19 02:35 . 2010-02-19 02:35 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-19 02:35 . 2010-02-19 02:35 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-19 02:34 . 2010-02-19 02:35 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-19 02:34 . 2010-02-19 02:34 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-02-19 02:34 . 2010-02-19 02:34 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-19 02:34 . 2010-02-19 02:34 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-19 02:34 . 2010-02-19 02:34 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-19 02:32 . 2010-02-19 02:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-19 02:32 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-18 06:36 . 2010-02-18 06:36 318 ----a-w- c:\windows\system32\drivers\czkczisa.dat
2010-02-18 04:34 . 2010-02-18 04:34 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-14 08:03 . 2007-01-13 14:45 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-14 08:00 . 2010-02-14 08:00 -------- d-----w- C:\Intel
2010-02-14 07:53 . 2010-02-14 07:53 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-14 06:54 . 2004-10-15 15:20 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
2010-02-14 06:44 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-14 06:44 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-10 08:31 . 2010-02-10 08:31 0 ----a-w- c:\windows\nsreg.dat
2010-02-10 08:31 . 2010-02-10 08:31 -------- d-----w- c:\documents and settings\xxxxx xxxxx\Local Settings\Application Data\Mozilla
2010-02-10 08:11 . 2010-02-10 08:11 -------- d--h--w- c:\windows\ie8
2010-02-10 05:24 . 2010-02-10 05:24 -------- d-----w- C:\$AVG
2010-02-10 04:45 . 2010-02-10 04:00 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-10 04:45 . 2010-02-10 04:00 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-10 04:00 . 2010-02-10 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 04:00 . 2010-02-10 04:00 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 04:00 . 2010-02-10 04:00 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 04:00 . 2010-02-10 04:00 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\program files\AVG
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-10 03:55 . 2010-02-10 03:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 03:43 . 2010-02-19 02:35 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-10 03:43 . 2010-02-19 02:35 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-10 03:43 . 2010-02-19 02:35 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-10 03:43 . 2010-02-19 02:34 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-10 03:43 . 2010-02-19 02:34 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-10 03:43 . 2010-02-19 02:34 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-10 03:43 . 2010-02-19 02:34 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-10 03:41 . 2010-02-19 02:34 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-10 03:41 . 2010-02-19 02:34 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-10 03:41 . 2010-02-19 02:34 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-10 03:40 . 2010-02-19 02:34 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-10 03:40 . 2010-02-10 03:40 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-10 03:40 . 2010-02-19 02:34 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-10 03:40 . 2010-02-19 02:34 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-10 03:40 . 2010-02-19 02:33 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-10 03:40 . 2010-02-19 02:33 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-10 03:40 . 2010-02-19 02:33 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-10 03:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 03:32 . 2010-02-10 03:32 -------- d-----w- c:\program files\Lavasoft
2010-02-10 03:32 . 2010-02-10 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-10 02:58 . 2010-02-10 02:58 -------- d-----w- c:\documents and settings\xxxxx xxxxx\Application Data\Auslogics
2010-02-10 02:54 . 2010-02-10 02:54 -------- d-----w- c:\program files\Auslogics
2010-02-09 23:09 . 2010-02-09 23:09 -------- d-----w- c:\program files\Apple Software Update
2010-02-09 23:09 . 2010-02-09 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-09 21:27 . 2010-02-09 21:27 -------- d-----w- c:\documents and settings\xxxxx xxxxx\Application Data\download
2010-02-08 18:38 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 15:01 . 2009-09-20 14:35 1 ----a-w- c:\documents and settings\xxxxx xxxxx\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-11 06:18 . 2006-09-24 10:13 61272 ----a-w- c:\documents and settings\xxxxx xxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 10:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 10:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 10:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-09-21 00:19 . 2006-09-26 04:14 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\Watcher\WaHelper.exe" [2009-04-20 53248]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-10-26 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-10 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\WinMX\\WinMX.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\NewTech Infosystems\\LiveUpdate\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/02/2010 10:34 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/02/2010 11:00 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/02/2010 11:00 PM 360584]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [06/07/2004 5:06 PM 188416]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [09/02/2010 11:00 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [09/02/2010 11:00 PM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 10:52 AM 1229232]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [01/06/2004 12:41 PM 64000]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9a002cc2d197a;Google Update Service (gupdate1c9a002cc2d197a);c:\program files\Google\Update\GoogleUpdate.exe [08/03/2009 11:30 AM 133104]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [19/09/2006 9:52 AM 2343]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:34]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 16:30]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 16:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Connection Wizard,ShellNext = iexplore
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
FF - ProfilePath - c:\documents and settings\xxxxx xxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 17:18
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2976)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-07 17:21:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 22:21
ComboFix2.txt 2010-03-01 06:24
ComboFix3.txt 2010-02-23 07:35

Pre-Run: 1,730,658,304 bytes free
Post-Run: 1,794,899,968 bytes free

- - End Of File - - 86F6B431A301B7ED499783795A69C71B


#8 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 05:59 PM

Great, it looks like your main problem has been taken care of. Please let me know if you are still getting redirected or have any other problems.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/299641/google-firefox-search-results-redirected-plus-cant-boot-into-safe-mode/

Collect::
c:\windows\8B216CB3F43B4C7BB30FE4111A7F37A7.TMP
c:\windows\winstart.bat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
Driver::
mailKmd


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

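The CFScript above targets three things visible in the ComboFix logs in this thread: a service with no binary behind it (mailKmd, listed with "[x]"), Security Center monitoring switched off (DisableMonitoring=1), and the files it collects. As an added example, not syler's or ComboFix's own code, here is a small Python triage script that reads a ComboFix-style log and reports those three conditions; the line formats are inferred from the logs quoted in this thread, and the sample input is constructed from them.

```python
"""Triage a ComboFix-style log for the conditions the CFScript in this
thread fixes. Added example, not ComboFix's or BleepingComputer's code;
the log line formats are inferred from the logs quoted in the thread."""
import re

# Constructed sample input, built from lines of the kind seen in the thread.
SAMPLE_LOG = r"""
2010-03-03 02:17 . 2010-03-03 02:17 -------- d-----w- c:\windows\8B216CB3F43B4C7BB30FE4111A7F37A7.TMP
2010-02-10 03:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/02/2010 10:34 PM 64288]
S1 mailKmd;mailKmd; [x]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
"""

# Service line: start type, service name, display name, image path, then a
# bracketed file stamp; ComboFix prints "[x]" when the binary is absent and
# "[?]" when the path could not be resolved.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)
# "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
# The Collect:: section names a 32-hex-digit .TMP directory under c:\windows
# and c:\windows\winstart.bat; flag anything of either shape.
COLLECT_RE = re.compile(r"^c:\\windows\\(?:[0-9a-f]{32}\.tmp|winstart\.bat)$", re.I)


def find_orphaned_services(log):
    """Names of services/drivers whose binary is missing or unresolvable."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("stamp").strip() in ("x", "?"):
            hits.append(m.group("name"))
    return hits


def find_disabled_monitoring(log):
    """Security Center registry keys where DisableMonitoring is set to 1."""
    current, hits = None, []
    for line in log.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
        elif current and "security center" in current.lower() and DISABLE_RE.match(line):
            hits.append(current)
    return hits


def find_collect_targets(log):
    """Created files/directories matching what the Collect:: section names."""
    hits = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m and COLLECT_RE.match(m.group("path")):
            hits.append(m.group("path"))
    return hits


def triage(log):
    """Run all three checks; an empty list means that condition was not seen."""
    return {
        "orphaned_services": find_orphaned_services(log),
        "monitoring_disabled": find_disabled_monitoring(log),
        "collect_targets": find_collect_targets(log),
    }


if __name__ == "__main__":
    for check, found in triage(SAMPLE_LOG).items():
        print(f"{check}: {found or 'none'}")
```

A service still listed after the fix run (compare the "Drivers/Services" section of the follow-up log, which shows -------\Service_mailKmd removed) is the quickest sign the script did not take.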


#9 redirect hell
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2010 - 06:39 PM

As requested, here's the latest ComboFix log following your last request. Please let me know when I should re-enable the anti-virus s/w as well as attempt a safe mode boot to see if it works. Also, let me know when to check if the browser redirects start to happen again.

When we are completed, please let me know how to go about submitting a donation. I think this service is great and the volunteers should be supported by everyone using their expert services!

ComboFix 10-03-07.02 - xxxxx xxxxxx 07/03/2010 18:13:07.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1471 [GMT -5:00]
Running from: c:\documents and settings\xxxxx xxxxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\xxxxx xxxxxx\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mailKmd


((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-07 18:06 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-06 17:33 . 2009-12-12 14:15 178176 ----a-w- c:\windows\system32\unrar.dll
2010-03-06 15:07 . 2010-03-06 15:07 -------- d-----w- C:\Temp
2010-03-03 02:17 . 2010-03-03 02:17 -------- d-----w- c:\windows\8B216CB3F43B4C7BB30FE4111A7F37A7.TMP
2010-03-01 01:49 . 2010-03-01 01:49 -------- d-----w- c:\program files\UnHackMe
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\documents and settings\xxxxx xxxxxx\Application Data\Malwarebytes
2010-02-24 03:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 03:51 . 2010-02-24 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-24 03:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:40 . 2010-02-23 08:39 439808 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\ZoomBrowser EX\Desktop\TFC.exe
2010-02-23 08:38 . 2010-02-23 08:38 61440 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ea0652a-n\decora-sse.dll
2010-02-23 08:38 . 2010-02-23 08:38 12800 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ea0652a-n\decora-d3d.dll
2010-02-23 08:38 . 2010-02-23 08:38 503808 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\msvcp71.dll
2010-02-23 08:38 . 2010-02-23 08:38 499712 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\jmc.dll
2010-02-23 08:38 . 2010-02-23 08:38 348160 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79f20489-n\msvcr71.dll
2010-02-23 08:38 . 2010-02-23 08:38 -------- d-----w- c:\program files\Common Files\Java
2010-02-23 08:02 . 2010-02-23 08:02 -------- d-----w- c:\documents and settings\xxxxx xxxxxx\Application Data\AVG9
2010-02-19 02:35 . 2010-02-19 02:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-19 02:35 . 2010-02-19 02:35 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-19 02:35 . 2010-02-19 02:35 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-19 02:34 . 2010-02-19 02:35 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-19 02:34 . 2010-02-19 02:34 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-02-19 02:34 . 2010-02-19 02:34 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-19 02:34 . 2010-02-19 02:34 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-19 02:34 . 2010-02-19 02:34 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-19 02:32 . 2010-02-19 02:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-19 02:32 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-18 06:36 . 2010-02-18 06:36 318 ----a-w- c:\windows\system32\drivers\czkczisa.dat
2010-02-18 04:34 . 2010-02-18 04:34 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-14 08:03 . 2007-01-13 14:45 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-14 08:00 . 2010-02-14 08:00 -------- d-----w- C:\Intel
2010-02-14 07:53 . 2010-02-14 07:53 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-14 06:54 . 2004-10-15 15:20 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
2010-02-14 06:44 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-14 06:44 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-10 08:31 . 2010-02-10 08:31 0 ----a-w- c:\windows\nsreg.dat
2010-02-10 08:31 . 2010-02-10 08:31 -------- d-----w- c:\documents and settings\xxxxx xxxxxx\Local Settings\Application Data\Mozilla
2010-02-10 08:11 . 2010-02-10 08:11 -------- d--h--w- c:\windows\ie8
2010-02-10 05:24 . 2010-02-10 05:24 -------- d-----w- C:\$AVG
2010-02-10 04:45 . 2010-02-10 04:00 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-10 04:45 . 2010-02-10 04:00 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-10 04:00 . 2010-02-10 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 04:00 . 2010-02-10 04:00 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 04:00 . 2010-02-10 04:00 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 04:00 . 2010-02-10 04:00 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\program files\AVG
2010-02-10 04:00 . 2010-02-10 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-10 03:55 . 2010-02-10 03:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 03:43 . 2010-02-19 02:35 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-10 03:43 . 2010-02-19 02:35 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-10 03:43 . 2010-02-19 02:35 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-10 03:43 . 2010-02-19 02:34 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-10 03:43 . 2010-02-19 02:34 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-10 03:43 . 2010-02-19 02:34 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-10 03:43 . 2010-02-19 02:34 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-10 03:41 . 2010-02-19 02:34 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-10 03:41 . 2010-02-19 02:34 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-10 03:41 . 2010-02-19 02:34 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-10 03:40 . 2010-02-19 02:34 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-10 03:40 . 2010-02-10 03:40 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-10 03:40 . 2010-02-19 02:34 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-10 03:40 . 2010-02-19 02:34 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-10 03:40 . 2010-02-19 02:33 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-10 03:40 . 2010-02-19 02:33 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-10 03:40 . 2010-02-19 02:33 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-10 03:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 03:32 . 2010-02-10 03:32 -------- d-----w- c:\program files\Lavasoft
2010-02-10 03:32 . 2010-02-10 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-10 02:58 . 2010-02-10 02:58 -------- d-----w- c:\documents and settings\xxxxx xxxxxx\Application Data\Auslogics
2010-02-10 02:54 . 2010-02-10 02:54 -------- d-----w- c:\program files\Auslogics
2010-02-09 23:09 . 2010-02-09 23:09 -------- d-----w- c:\program files\Apple Software Update
2010-02-09 23:09 . 2010-02-09 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-09 21:27 . 2010-02-09 21:27 -------- d-----w- c:\documents and settings\xxxxx xxxxxx\Application Data\download
2010-02-08 18:38 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 15:01 . 2009-09-20 14:35 1 ----a-w- c:\documents and settings\xxxxx xxxxxx\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-11 06:18 . 2006-09-24 10:13 61272 ----a-w- c:\documents and settings\xxxxx xxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 10:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 10:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 10:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-09-21 00:19 . 2006-09-26 04:14 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-07_22.18.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 23:18 . 2010-03-07 23:18 16384 c:\windows\temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\Watcher\WaHelper.exe" [2009-04-20 53248]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-10-26 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-10 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\WinMX\\WinMX.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\NewTech Infosystems\\LiveUpdate\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/02/2010 10:34 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/02/2010 11:00 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/02/2010 11:00 PM 360584]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [06/07/2004 5:06 PM 188416]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [09/02/2010 11:00 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [09/02/2010 11:00 PM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 10:52 AM 1229232]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [01/06/2004 12:41 PM 64000]
S2 gupdate1c9a002cc2d197a;Google Update Service (gupdate1c9a002cc2d197a);c:\program files\Google\Update\GoogleUpdate.exe [08/03/2009 11:30 AM 133104]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [19/09/2006 9:52 AM 2343]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:34]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 16:30]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 16:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Connection Wizard,ShellNext = iexplore
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
FF - ProfilePath - c:\documents and settings\xxxxx xxxxxx\Application Data\Mozilla\Firefox\Profiles\c7tmfqev.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 18:19
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-07 18:22:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 23:22
ComboFix2.txt 2010-03-07 22:21
ComboFix3.txt 2010-03-01 06:24
ComboFix4.txt 2010-02-23 07:35

Pre-Run: 1,806,434,304 bytes free
Post-Run: 1,764,016,128 bytes free

- - End Of File - - 1C7E93B913ADE60CD2AFD0CA3684CEAD
Upload was successful




#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:14 AM

Posted 07 March 2010 - 06:52 PM

Your AntiVirus should only have been disabled whilst the tools were running; apart from that it should be enabled at all times. You should
check safe mode, your browser and your computer in general to see how it's running, so that you can inform me of any issues before
we finish up.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Please run a BitDefender Online Scan

Note: Only works with Internet Explorer
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on more details, then click the detected problems tab and click, click here to export the scan report.
  • Save the report to your desktop as results.txt and post it in your next reply.
Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Bitdefender report
  • New DDS log
Thanks

Edited by syler, 07 March 2010 - 06:53 PM.



#11 redirect hell

redirect hell
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:14 PM

Posted 08 March 2010 - 01:44 AM

Hi Syler. I struggled with this for weeks and could not resolve it. I would have saved so much time if I had known about this service initially. You guided me through this process in very short order, to complete resolution, and with obvious skill that is beyond the do it yourselfer.

Thanks so much for the help and expertise. I appreciate it very much! I will be following up with a donation.

I am now able to boot into safe mode and the redirects appear to be gone.

As requested, attached are the requested logs. Please let me know if there is anything further you require me to do.


Cheers,
Saved From Redirect Hell


BitDefender Online Scanner

Scan report generated at: Sun, Mar 07, 2010 - 23:17:29


Scan path: C:\;D:\;E:\;

Statistics

Time 01:09:08
Files 253203
Folders 7281
Boot Sectors 0
Archives 10510
Packed Files 8211

Results

Identified Viruses 0
Infected Files 0
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 0

Engines Info

Virus Definitions 5380924
Engine build AVCORE v2.1 Windows/i386 11.0.0.33 (Jan 06 2010)
Scan plugins 17
Archive plugins 44
Unpack plugins 8
E-mail plugins 6
System plugins 4

Scan Settings

First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions

Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File
Status No virus found.



DDS (Ver_09-12-01.01) - FAT32x86
Run by xxxxx xxxxxx at 20:46:46.82 on 07/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1334 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\xxxxx xxxxxx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\watcher\WaHelper.exe"
mRun: [CtrlVol] "c:\program files\launch manager\CtrlVol.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [epm-dm] c:\acer\epm\epm-dm.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xxxxxx~1\applic~1\mozilla\firefox\profiles\c7tmfqev.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-9 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-9 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-9 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-9 360584]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-7-6 188416]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-9 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-9 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-6-1 64000]
S2 gupdate1c9a002cc2d197a;Google Update Service (gupdate1c9a002cc2d197a);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-9-19 2343]

=============== Created Last 30 ================

2010-03-08 01:41:50 0 d-sh--w- C:\Recycled
2010-03-07 18:06:48 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-06 17:33:05 178176 ----a-w- c:\windows\system32\unrar.dll
2010-03-06 15:07:31 0 d-----w- C:\Temp
2010-03-01 06:15:57 98816 ----a-w- c:\windows\sed.exe
2010-03-01 06:15:57 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 06:15:57 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 06:15:57 161792 ----a-w- c:\windows\SWREG.exe
2010-03-01 01:49:21 0 d-----w- c:\program files\UnHackMe
2010-02-28 20:22:56 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-02-28 20:22:56 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-02-24 03:51:28 0 d-----w- c:\docume~1\xxxxxx~1\applic~1\Malwarebytes
2010-02-24 03:51:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 03:51:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 03:51:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 03:51:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-23 08:37:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-23 08:02:28 0 d-----w- c:\docume~1\xxxxxx~1\applic~1\AVG9
2010-02-23 07:16:46 0 d-sha-r- C:\cmdcons
2010-02-19 02:35:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-19 02:32:37 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-18 06:36:15 318 ----a-w- c:\windows\system32\drivers\czkczisa.dat
2010-02-14 08:03:55 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-14 08:00:09 0 d-----w- C:\Intel
2010-02-14 07:53:04 0 d-----w- c:\program files\SystemRequirementsLab
2010-02-14 06:54:01 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
2010-02-14 06:44:24 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-14 06:44:24 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-10 08:11:21 0 d--h--w- c:\windows\ie8
2010-02-10 05:24:19 0 d-----w- C:\$AVG
2010-02-10 04:00:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 04:00:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 04:00:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 04:00:24 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-10 04:00:18 0 d-----w- c:\program files\AVG
2010-02-10 04:00:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-10 03:55:24 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 03:34:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 03:32:15 0 d-----w- c:\program files\Lavasoft
2010-02-10 02:58:06 0 d-----w- c:\docume~1xxxxxxx-~\applic~1\Auslogics
2010-02-10 02:54:41 0 d-----w- c:\program files\Auslogics
2010-02-09 21:33:00 127 ----a-w- c:\windows\system32\MRT.INI
2010-02-09 21:27:31 0 d-----w- c:\docume~1\xxxxxx~1\applic~1\download
2010-02-09 21:12:56 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-09 21:12:56 1409 ----a-w- c:\windows\QTFont.for
2010-02-08 18:38:29 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-21 00:19:24 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-01-11 01:44:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011020090111\index.dat
2009-10-17 18:16:04 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 20:48:00.06 ===============
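As an added example (not from the thread, and not part of DDS or ComboFix), here is a Python parser for the `SERVICES / DRIVERS` lines of the DDS log above, using six of those lines as its sample input. It splits each line into state, service name, display name and image path, and flags the entries a helper would look at first: an image marked `[?]` (which this example takes to mean DDS could not find the file, an assumption about the notation), a GUID-style service name, or an image outside c:\windows and c:\program files. A flag is a prompt to check the file, not a verdict.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example, not
part of the thread or of DDS itself)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-9 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-9 333192]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-9 285392]
S2 gupdate1c9a002cc2d197a;Google Update Service (gupdate1c9a002cc2d197a);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 58b6ddfe-e76e-4479-9ef3-05967c687da4;58b6ddfe-e76e-4479-9ef3-05967c687da4;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
"""

# <state> <name>;<display>;<path> [<date> <size>]   or   ... [?]
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Image locations treated as ordinary for a driver or service (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str
    file_found: bool
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    # DDS writes "<registry path> --> <resolved path>" when it had to resolve
    # an NT-style path; keep the resolved form.
    image = path.split("-->", 1)[1].strip() if "-->" in path else path.strip()
    meta = m["meta"].strip()
    file_found = meta != "?"          # "[?]" read as: file not present at scan time
    size = None
    if file_found:
        parts = meta.split()
        if len(parts) == 2 and parts[1].isdigit():
            size = int(parts[1])
    entry = ServiceEntry(m["state"], m["name"].strip(), m["display"].strip(),
                         image, file_found, size)
    if not file_found:
        entry.flags.append("image file not found at scan time")
    if GUID_RE.match(entry.name):
        entry.flags.append("GUID-style service name")
    if not image.lower().startswith(EXPECTED_ROOTS):
        entry.flags.append("image outside c:\\windows or c:\\program files")
    return entry


def triage(text: str):
    """Return (all parsed entries, entries carrying at least one flag)."""
    entries = [e for e in (parse_service_line(l) for l in text.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


if __name__ == "__main__":
    _, flagged = triage(SAMPLE_DDS)
    for e in flagged:
        print(f"{e.state} {e.name}: {e.image}  <- {'; '.join(e.flags)}")
```

Run it against a saved DDS log by reading the file and passing its text to `triage()`; the flags are meant to order what you check first, not to decide anything on their own.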







#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:14 AM

Posted 08 March 2010 - 01:53 AM

Hi Redirect Hell,

You're very welcome, I'm glad I could help. Your logs look fine to me now.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend, only install one of these.

Zone Alarm
comodo..........Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler

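On the HOSTS-file advice above: as an added example (not from the thread, and not MVPS's own code), the following Python script parses a Windows hosts file and separates MVPS-style block entries, where a name is mapped to 0.0.0.0 or 127.0.0.1, from entries that send a well-known site such as google.ca to some other address, which is one of the ways a search-redirect hijack shows up on a machine. The sample hosts content and the watched-domain list are constructed for the example; 192.0.2.x and 198.51.100.x are documentation addresses and the .invalid names are reserved, so nothing in it refers to a real host.

```python
"""Audit a Windows HOSTS file: separate blocklist sinkhole entries from
entries that redirect well-known sites elsewhere (added example, not from
the thread or from MVPS)."""
import ipaddress
import sys

# Constructed sample hosts file. 192.0.2.x / 198.51.100.x are documentation
# addresses and the .invalid names are reserved, so nothing here is real.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example-tracker.invalid    # MVPS-style block entry
0.0.0.0 counter.example-stats.invalid web-bug.example-stats.invalid
198.51.100.7    updates.example-vendor.invalid
192.0.2.44      www.google.com
192.0.2.44      google.ca
malformed line without address
"""

# Names that legitimately map to a local address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Sites that should not appear in a home machine's hosts file at all
# (assumed watch list for the example; extend to taste).
WATCHED_DOMAINS = {
    "www.google.com", "google.com", "google.ca", "www.bing.com",
    "search.yahoo.com", "update.microsoft.com", "windowsupdate.microsoft.com",
}


def parse_hosts(text):
    """Return (entries, errors); entries are (lineno, ip, hostname) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) < 2:
                raise ValueError("address without hostname")
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((lineno, raw.strip()))
            continue
        for host in fields[1:]:               # one line may list several names
            entries.append((lineno, ip, host.lower()))
    return entries, errors


def classify(entries, watched=WATCHED_DOMAINS):
    """Bucket entries: local (loopback names), hijack (a watched name present
    at all), sinkhole (blocked via 0.0.0.0 / 127.x), redirect (anything else)."""
    report = {"local": [], "hijack": [], "sinkhole": [], "redirect": []}
    for lineno, ip, host in entries:
        item = (lineno, host, str(ip))
        if host in LOCAL_NAMES:
            report["local"].append(item)
        elif host in watched:
            report["hijack"].append(item)
        elif ip.is_loopback or ip.is_unspecified:
            report["sinkhole"].append(item)
        else:
            report["redirect"].append(item)
    return report


def audit_hosts(text):
    """Full audit: classification plus lines that could not be parsed."""
    entries, errors = parse_hosts(text)
    report = classify(entries)
    report["errors"] = errors
    return report


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]. On Windows the file lives at
    # %SystemRoot%\System32\drivers\etc\hosts; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for bucket, items in audit_hosts(data).items():
        for item in items:
            print(f"{bucket:9s} line {item[0]}: {item[1:]}")
```

Anything in the `hijack` or `redirect` buckets deserves a look; a large `sinkhole` bucket is what a freshly installed MVPS file looks like, and the `errors` bucket catches lines that a parser-unfriendly edit (or a hijacker) left behind.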


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:14 AM

Posted 10 March 2010 - 03:44 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





