
Bleeping Google-yahoo redirect virus


12 replies to this topic

#1 Metsfan61

Posted 27 May 2010 - 05:42 PM

Tried everything and this stupid redirect keeps on tickin!

Here is my DDS log


DDS (Ver_10-03-17.01) - NTFSx86
Run by BILL at 13:45:38.79 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.101 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\BILL.WILLIAM-7D47F85\Desktop\dd.exe

============== Pseudo HJT Report ===============

uStart Page = file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bill~1.wil\applic~1\mozilla\firefox\profiles\8qc69h49.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-4-18 50176]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-4 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-4 242896]
R1 eddd;eddd;c:\windows\system32\eddd.sys [2010-4-20 75264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-4 308064]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-30 38224]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\bill.william-7d47f85\my documents\downloads\software\tdl3 razor\tdl3 razor\tizerbruteforceex.sys --> c:\documents and settings\bill.william-7d47f85\my documents\downloads\software\tdl3 razor\tdl3 razor\TizerBruteForceEx.sys [?]
S2 MSDTCTermService;Distributed Transaction Coordinator MSDTCTermService;c:\windows\system32\abalezipj.exe srv --> c:\windows\system32\AbaleZipj.exe srv [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys --> c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-05-25 23:28:04 0 d--h--w- c:\docume~1\alluse~1.win\applic~1\CanonIJSolutionMenu
2010-05-25 17:19:50 58 ----a-w- c:\windows\mchguid.ini
2010-05-25 17:16:39 0 d-----w- c:\program files\Microsoft WSE
2010-05-25 17:15:40 1064960 ----a-w- c:\windows\system32\acXMLParser.dll
2010-05-25 17:15:39 1064960 ----a-w- c:\windows\system32\cdintf300.dll
2010-05-25 17:14:47 0 d-----w- C:\PNTDATA
2010-05-25 17:14:42 0 d-----w- C:\WINPOINT
2010-05-25 17:14:42 0 d-----w- C:\PNTTEMPL
2010-05-25 17:14:40 896 ----a-w- c:\windows\winpoint.ini
2010-05-10 03:54:41 0 d-----w- C:\CRUNCHFOOL4251C
2010-05-10 03:27:06 0 d-----w- C:\CRUNCHFOOL
2010-05-09 16:51:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-07 18:46:31 0 d-----w- c:\program files\Graboid
2010-05-07 13:08:45 0 d-----w- c:\docume~1\alluse~1.win\applic~1\BirdFeeder
2010-05-07 01:14:08 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL
2010-05-07 01:14:08 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL
2010-05-07 01:14:08 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL
2010-05-07 01:14:07 1339392 ----a-w- c:\windows\system32\CNQ4807C.DLL
2010-05-04 23:40:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-04 23:09:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-04 23:09:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-04 23:08:39 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-04 23:08:05 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avg9
2010-05-04 21:01:45 0 d-----w- C:\SDFix
2010-05-04 04:23:25 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Nero
2010-05-04 03:10:33 0 ----a-w- c:\documents and settings\bill.william-7d47f85\commonpriv.log.lock
2010-05-03 16:22:49 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2010-05-03 02:52:39 0 d-----w- c:\program files\Microsoft
2010-05-03 02:37:28 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-20 21:38:47 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-20 16:14:00 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 14:45:38 75264 ----a-w- c:\windows\system32\eddd.sys
2010-04-18 23:52:01 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-18 23:44:54 95360 ----a-w- c:\windows\system32\drivers\tsk36.tmp
2010-04-16 14:26:56 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-03 05:42:03 1864003 --sha-w- c:\windows\system32\acluim.sys
2010-04-03 05:41:59 105437 ----a-w- c:\windows\system32\1031s.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-03 04:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-02-17 15:53:10 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 13:46:28.91 ===============


Thanks!


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team


Posted 28 May 2010 - 02:59 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team


Posted 31 May 2010 - 02:39 AM

Hello

Three-day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo



#4 Metsfan61

  • Topic Starter

Posted 02 June 2010 - 07:59 PM

Yes, I need help. Here is my ComboFix log as requested. Still have the redirects. No change.



ComboFix 10-06-01.03 - BILL 06/02/2010 7:27.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.246 [GMT -4:00]
Running from: c:\documents and settings\BILL.WILLIAM-7D47F85\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-01 19:13 . 2010-06-01 19:13 -------- d-----w- c:\program files\NOS
2010-06-01 19:13 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Mozilla\Firefox\Profiles\8qc69h49.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-01 19:13 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Mozilla\Firefox\Profiles\8qc69h49.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-05-29 20:28 . 1993-07-23 03:00 210944 ------w- c:\windows\system32\Msvcrt10.dll
2010-05-29 20:27 . 2001-03-15 09:18 20584 ------w- c:\windows\system32\PdfPorts.dll
2010-05-29 20:27 . 2001-03-15 09:18 65536 ------w- c:\windows\system32\adistres.dll
2010-05-29 20:27 . 2001-03-15 08:55 101200 ------w- c:\windows\system32\pdfshell.dll
2010-05-29 20:25 . 2010-05-29 20:25 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\InterTrust
2010-05-29 19:52 . 2010-05-29 20:38 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\FileZilla
2010-05-29 19:52 . 2010-05-29 19:52 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-25 23:28 . 2010-05-25 23:28 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJSolutionMenu
2010-05-25 17:16 . 2007-07-11 16:05 91136 ----a-w- c:\windows\system32\saxcom32.dll
2010-05-25 17:16 . 2007-07-11 16:05 45568 ----a-w- c:\windows\system32\saxxfr32.dll
2010-05-25 17:16 . 2007-07-11 16:05 137 ----a-w- c:\windows\system32\ini.bat
2010-05-25 17:16 . 2007-07-11 16:05 135680 ----a-w- c:\windows\system32\escli32.dll
2010-05-25 17:16 . 2007-07-11 16:05 172032 ----a-w- c:\windows\system32\SAXFile.dll
2010-05-25 17:16 . 2010-05-25 17:16 143 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\fusioncache.dat
2010-05-25 17:16 . 2010-05-25 17:16 10134 ----a-r- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe
2010-05-25 17:16 . 2010-05-25 17:16 -------- d-----w- c:\program files\Microsoft WSE
2010-05-25 17:16 . 2010-05-26 06:01 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\ApplicationHistory
2010-05-25 17:15 . 2007-07-11 16:04 1064960 ----a-w- c:\windows\system32\acXMLParser.dll
2010-05-25 17:15 . 2007-07-11 16:04 1064960 ----a-w- c:\windows\system32\cdintf300.dll
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\PNTDATA
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\WINPOINT
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\PNTTEMPL
2010-05-22 00:48 . 2010-05-22 00:48 503808 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\msvcp71.dll
2010-05-22 00:48 . 2010-05-22 00:48 499712 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\jmc.dll
2010-05-22 00:48 . 2010-05-22 00:48 12800 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24cedf1e-n\decora-d3d.dll
2010-05-22 00:48 . 2010-05-22 00:48 61440 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24cedf1e-n\decora-sse.dll
2010-05-22 00:48 . 2010-05-22 00:48 348160 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\msvcr71.dll
2010-05-09 16:51 . 2010-05-09 23:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-07 19:07 . 2010-06-02 05:30 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\vlc
2010-05-07 18:46 . 2010-05-07 18:48 -------- d-----w- c:\program files\Graboid
2010-05-07 13:08 . 2010-05-07 13:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BirdFeeder
2010-05-07 13:07 . 2010-05-07 13:07 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\Pacesys_Software
2010-05-07 13:07 . 2010-05-07 18:29 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\BirdFeeder
2010-05-07 13:07 . 2010-05-07 13:07 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\SkinSoft
2010-05-07 01:14 . 2010-05-07 01:14 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2010-05-07 01:14 . 2008-04-18 13:51 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL
2010-05-07 01:14 . 2008-04-07 14:58 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL
2010-05-07 01:14 . 2007-03-15 14:12 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL
2010-05-07 01:14 . 2008-04-07 14:58 1339392 ----a-w- c:\windows\system32\CNQ4807C.DLL
2010-05-07 01:14 . 2010-05-07 01:14 -------- d--h--w- c:\program files\CanonBJ
2010-05-04 23:40 . 2010-05-04 23:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-04 23:09 . 2010-05-04 23:40 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-04 23:09 . 2010-05-04 23:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-04 23:09 . 2010-05-04 23:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-04 23:08 . 2010-06-01 21:44 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-04 23:08 . 2010-05-04 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2010-05-04 21:01 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2010-05-04 20:45 . 2010-05-04 20:45 63488 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 04:23 . 2010-05-04 04:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2010-05-04 04:13 . 2010-05-04 04:13 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Adobe
2010-05-04 04:08 . 2010-05-04 04:08 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-04 04:05 . 2010-06-01 19:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 11:18 . 2010-01-30 20:27 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\BitTorrent
2010-06-02 08:09 . 2010-04-23 14:09 0 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\prvlcl.dat
2010-06-01 04:28 . 2010-04-25 13:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJPLM
2010-05-31 12:44 . 2010-01-30 21:13 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Vso
2010-05-27 23:23 . 2010-04-25 13:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJ
2010-05-26 23:36 . 2010-01-30 13:35 -------- d-----w- c:\program files\exPressit S.E. 2.1
2010-05-25 23:23 . 2009-09-23 19:34 -------- d-----w- c:\program files\Canon
2010-05-25 17:20 . 2010-01-30 04:18 88600 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 17:14 . 2009-09-23 19:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-25 11:13 . 2010-04-14 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-05-10 03:21 . 2010-04-14 02:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-07 01:15 . 2010-04-25 13:47 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJScan
2010-05-07 01:15 . 2010-04-14 13:38 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Canon
2010-05-04 20:45 . 2010-04-14 02:24 117760 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-03 16:17 . 2010-05-03 02:52 -------- d-----w- c:\program files\Microsoft
2010-05-03 03:34 . 2010-03-22 15:29 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\playitall
2010-05-03 02:37 . 2010-04-14 22:52 -------- d-----w- c:\program files\Java
2010-04-30 01:59 . 2009-09-12 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2010-01-30 06:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-30 06:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 14:28 . 2009-09-17 20:51 -------- d-----w- c:\program files\Yahoo!
2010-04-27 05:25 . 2009-09-13 05:12 -------- d-----w- c:\program files\CCleaner
2010-04-25 13:31 . 2009-09-23 19:32 -------- d-----w- c:\program files\ArcSoft
2010-04-25 13:30 . 2010-04-25 13:30 -------- d-----w- c:\program files\Common Files\CANON
2010-04-23 17:36 . 2010-04-23 17:18 -------- d-----w- c:\program files\DVDFab 7
2010-04-23 01:08 . 2010-01-30 03:36 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-22 23:53 . 2010-04-20 11:53 -------- d-----w- c:\program files\MagicISO
2010-04-20 21:38 . 2010-04-16 14:02 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-20 16:14 . 2010-01-30 03:33 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 14:45 . 2010-04-20 14:45 75264 ----a-w- c:\windows\system32\eddd.sys
2010-04-20 11:46 . 2010-02-12 13:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 23:52 . 2010-04-18 23:42 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-18 23:44 . 2010-04-17 17:49 95360 ----a-w- c:\windows\system32\drivers\tsk36.tmp
2010-04-17 17:56 . 2010-04-17 17:56 -------- d-----w- c:\documents and settings\AMY.WILLIAM-7D47F85\Application Data\Yahoo!
2010-04-16 14:26 . 2010-04-16 14:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-16 14:26 . 2010-04-16 14:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2010-04-16 14:01 . 2010-04-16 14:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-14 23:38 . 2010-02-01 04:20 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Yahoo!
2010-04-14 22:57 . 2010-04-14 22:57 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\program files\Sun
2010-04-14 22:45 . 2010-02-17 14:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-14 02:24 . 2010-04-14 02:24 52224 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 02:23 . 2010-04-14 02:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-04-14 02:19 . 2010-04-14 02:19 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com
2010-04-14 02:18 . 2010-01-13 07:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 21:29 . 2010-05-03 02:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-12 12:38 . 2010-01-30 07:26 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\AdobeUM
2010-04-12 11:51 . 2009-09-13 02:35 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 00:39 . 2010-04-11 23:47 -------- d-----w- c:\program files\Google
2010-04-06 18:00 . 2010-04-06 18:00 3108544 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Downloads\HRBlockNJ.exe
2010-04-06 14:53 . 2010-04-06 14:52 21180296 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Update\US30026901cupd.exe
2010-04-06 14:50 . 2010-04-06 14:50 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\TaxCut
2010-04-06 14:24 . 2010-04-06 14:20 -------- d-----w- c:\program files\HRBlock2009
2010-04-06 14:21 . 2010-04-06 14:20 -------- d-----w- c:\program files\PDF995
2010-04-06 14:08 . 2010-04-06 14:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut
2010-04-03 05:42 . 2010-04-02 18:54 1864003 --sha-w- c:\windows\system32\acluim.sys
2010-04-03 05:41 . 2010-04-02 18:54 105437 ----a-w- c:\windows\system32\1031s.sys
2010-03-22 18:59 . 2010-03-22 18:59 56766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 56978 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 53600 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Update\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 57676 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Player\Uninstaller.exe
2010-03-22 18:58 . 2010-03-22 18:58 84035 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57054 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54166 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57532 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 56458 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54174 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54153 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54128 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Converter\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54629 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54101 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57409 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 52963 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-22 18:56 . 2010-03-22 18:56 54073 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-22 18:56 . 2010-03-22 18:56 56969 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-22 18:55 . 2010-03-22 18:59 754984 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\Resource.dll
2010-03-12 22:19 . 2010-03-22 18:59 986904 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\DivXSetup.exe
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 01:13 . 2010-03-09 01:13 291 ----a-w- c:\windows\EReg072.dat
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-06 02:36 . 2010-03-06 02:36 494 ----a-w- c:\windows\eReg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Adobe Download Manager"="c:\program files\NOS\bin\getPlus_Helper.dll" [2010-03-29 68000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-9-12 49254]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-04 23:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-07 15:40 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-03-11 01:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-12 22:02 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-07-30 14:41 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-16 01:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-10 03:21 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"g:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/18/2010 7:42 PM 50176]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/4/2010 7:09 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/4/2010 7:09 PM 242896]
R1 eddd;eddd;c:\windows\system32\eddd.sys [4/20/2010 10:45 AM 75264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/4/2010 7:40 PM 308064]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\BILL.WILLIAM-7D47F85\My Documents\Downloads\software\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\BILL.WILLIAM-7D47F85\My Documents\Downloads\software\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys [?]
S2 MSDTCTermService;Distributed Transaction Coordinator MSDTCTermService;c:\windows\system32\AbaleZipj.exe srv --> c:\windows\system32\AbaleZipj.exe srv [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\nsak.sys --> c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\nsak.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GETPLUSHELPER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 14:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Mozilla\Firefox\Profiles\8qc69h49.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Mozilla\Firefox\Profiles\8qc69h49.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.txt=txt_auto_file
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 07:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-02 07:40:22
ComboFix-quarantined-files.txt 2010-06-02 11:40

Pre-Run: 8,478,191,616 bytes free
Post-Run: 8,451,248,128 bytes free

- - End Of File - - A18BBC366654E02FD7B032D05741FFB6


Still have the redirects. No change.


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 AM

Posted 02 June 2010 - 08:39 PM


Greetings

Did you run combofix ten times? If so, when?


Here is what we need to do next


TDSSKiller:
  • Please download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy, then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run..., paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02.
  • To find the log click Start, then Computer, then Vista ( C:).
  • Please post the contents of that log in your next reply.
Gringo_pr

Edited by gringo_pr, 02 June 2010 - 08:40 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 Metsfan61

Metsfan61
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:09 AM

Posted 03 June 2010 - 01:45 AM

Here is the TDSSKiller log.
I don't know how many times I tried combofix or when.


02:41:21:359 0428 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
02:41:21:359 0428 ================================================================================
02:41:21:359 0428 SystemInfo:

02:41:21:359 0428 OS Version: 5.1.2600 ServicePack: 3.0
02:41:21:359 0428 Product type: Workstation
02:41:21:359 0428 ComputerName: WILLIAM-7D47F85
02:41:21:359 0428 UserName: BILL
02:41:21:359 0428 Windows directory: C:\WINDOWS
02:41:21:359 0428 Processor architecture: Intel x86
02:41:21:359 0428 Number of processors: 1
02:41:21:359 0428 Page size: 0x1000
02:41:21:359 0428 Boot type: Normal boot
02:41:21:359 0428 ================================================================================
02:41:23:187 0428 Initialize success
02:41:23:187 0428
02:41:23:187 0428 Scanning Services ...
02:41:23:640 0428 Raw services enum returned 355 services
02:41:23:656 0428
02:41:23:656 0428 Scanning Drivers ...
02:41:24:375 0428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
02:41:24:484 0428 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
02:41:24:765 0428 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
02:41:24:875 0428 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
02:41:25:281 0428 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
02:41:25:703 0428 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
02:41:26:015 0428 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
02:41:26:140 0428 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
02:41:26:546 0428 atinrvxx (a7a01b907db63898d40b0a14248ff9a2) C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
02:41:26:812 0428 ATITUNEP (edd66332608d27f4fd5069bcd0bc5164) C:\WINDOWS\system32\DRIVERS\atintuxx.sys
02:41:27:515 0428 ativraxx (da36687d701c833430605a298731410b) C:\WINDOWS\system32\DRIVERS\atinraxx.sys
02:41:27:812 0428 ATIXSAudio (77b575d7aab35d5908ae6ce681608d62) C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
02:41:28:093 0428 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
02:41:28:437 0428 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
02:41:28:656 0428 AvgLdx86 (9c0a7e6d3cb9a8a7ad4e4575d9a42e94) C:\WINDOWS\System32\Drivers\avgldx86.sys
02:41:28:796 0428 AvgMfx86 (f9caeec3ff1545991f490264429724c5) C:\WINDOWS\System32\Drivers\avgmfx86.sys
02:41:28:921 0428 AvgTdiX (cf9ac576490bb6c547cd16ef0b782358) C:\WINDOWS\System32\Drivers\avgtdix.sys
02:41:29:062 0428 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
02:41:29:484 0428 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
02:41:29:734 0428 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
02:41:30:078 0428 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
02:41:30:343 0428 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
02:41:30:593 0428 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
02:41:31:031 0428 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
02:41:31:406 0428 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
02:41:31:734 0428 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
02:41:32:015 0428 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
02:41:32:281 0428 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
02:41:32:406 0428 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
02:41:32:500 0428 eddd (84e3616024c57c8c49d5810c5e8df09d) C:\WINDOWS\system32\eddd.sys
02:41:32:625 0428 Suspicious file (NoAccess): C:\WINDOWS\system32\eddd.sys. md5: 84e3616024c57c8c49d5810c5e8df09d
02:41:32:734 0428 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
02:41:32:968 0428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
02:41:33:171 0428 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
02:41:33:546 0428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
02:41:33:828 0428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
02:41:34:078 0428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
02:41:34:359 0428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
02:41:34:578 0428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
02:41:34:953 0428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
02:41:35:218 0428 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
02:41:35:468 0428 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
02:41:35:703 0428 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
02:41:35:968 0428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
02:41:36:140 0428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
02:41:36:406 0428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
02:41:36:703 0428 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
02:41:37:000 0428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
02:41:37:281 0428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
02:41:37:531 0428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
02:41:37:609 0428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
02:41:37:890 0428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
02:41:38:156 0428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
02:41:38:406 0428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
02:41:38:875 0428 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
02:41:38:984 0428 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
02:41:39:062 0428 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
02:41:39:390 0428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
02:41:39:625 0428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
02:41:39:671 0428 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
02:41:39:937 0428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
02:41:40:203 0428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
02:41:40:515 0428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
02:41:40:625 0428 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
02:41:41:031 0428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
02:41:41:328 0428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
02:41:41:593 0428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
02:41:41:828 0428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
02:41:42:046 0428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
02:41:42:156 0428 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
02:41:42:406 0428 Mtlmnt5 (c53775780148884ac87c455489a0c070) C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
02:41:42:781 0428 Mtlstrm (54886a652bf5685192141df304e923fd) C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
02:41:43:203 0428 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
02:41:43:484 0428 MVDCODEC (ed4c2bf8403f4437987c0ba09cf48716) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
02:41:43:765 0428 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
02:41:44:000 0428 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
02:41:44:265 0428 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
02:41:44:671 0428 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
02:41:44:906 0428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
02:41:45:046 0428 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
02:41:45:281 0428 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
02:41:45:531 0428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
02:41:45:781 0428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
02:41:46:187 0428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
02:41:46:656 0428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
02:41:46:937 0428 NtMtlFax (576b34ceae5b7e5d9fd2775e93b3db53) C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
02:41:47:156 0428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
02:41:47:406 0428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
02:41:47:656 0428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
02:41:47:890 0428 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
02:41:48:109 0428 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
02:41:48:359 0428 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
02:41:48:468 0428 PCDCODEC (e90ac2b14e98f1a4372e5891b4278784) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
02:41:48:718 0428 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
02:41:49:093 0428 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
02:41:49:359 0428 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
02:41:49:781 0428 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
02:41:49:953 0428 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
02:41:50:218 0428 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
02:41:50:421 0428 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
02:41:50:609 0428 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
02:41:50:812 0428 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
02:41:51:015 0428 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
02:41:51:234 0428 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
02:41:51:468 0428 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
02:41:51:750 0428 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
02:41:52:000 0428 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
02:41:52:234 0428 RecAgent (e9aaa0092d74a9d371659c4c38882e12) C:\WINDOWS\system32\DRIVERS\RecAgent.sys
02:41:52:406 0428 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
02:41:52:656 0428 rk_remover-boot (084bedb5719fefe4e957dd16f06ee5a3) C:\WINDOWS\system32\drivers\rk_remover.sys
02:41:52:921 0428 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
02:41:53:234 0428 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
02:41:53:484 0428 SASKUTIL (4fd72291a89793049104ca0a7e353cd4) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
02:41:53:812 0428 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
02:41:53:921 0428 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
02:41:54:125 0428 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
02:41:54:328 0428 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
02:41:54:546 0428 SI3112r (3da2f680bfc8e92a535cea5a5d80ac37) C:\WINDOWS\system32\DRIVERS\SI3112r.sys
02:41:54:578 0428 SiFilter (d893aa1d1ee007b7ab1b16e1099e9f17) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
02:41:54:656 0428 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
02:41:54:921 0428 Slntamr (2c1779c0feb1f4a6033600305eba623a) C:\WINDOWS\system32\DRIVERS\slntamr.sys
02:41:55:171 0428 SlNtHal (f9b8e30e82ee95cf3e1d3e495599b99c) C:\WINDOWS\system32\DRIVERS\Slnthal.sys
02:41:55:437 0428 SlWdmSup (db56bb2c55723815cf549d7fc50cfceb) C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
02:41:55:703 0428 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
02:41:55:796 0428 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
02:41:56:078 0428 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
02:41:56:187 0428 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
02:41:56:406 0428 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
02:41:56:609 0428 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
02:41:56:781 0428 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
02:41:56:859 0428 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
02:41:57:218 0428 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
02:41:57:437 0428 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
02:41:57:656 0428 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
02:41:57:906 0428 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
02:41:58:171 0428 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
02:41:58:546 0428 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
02:41:58:859 0428 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
02:41:59:125 0428 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
02:41:59:375 0428 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
02:41:59:625 0428 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
02:41:59:875 0428 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
02:42:00:125 0428 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
02:42:00:343 0428 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
02:42:00:593 0428 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
02:42:00:906 0428 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
02:42:01:187 0428 VIAudio (5e02b47671ec147251ab5487d039474d) C:\WINDOWS\system32\drivers\vinyl97.sys
02:42:01:265 0428 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
02:42:01:468 0428 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
02:42:01:734 0428 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
02:42:01:796 0428 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
02:42:02:031 0428 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
02:42:02:234 0428 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
02:42:02:484 0428 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
02:42:02:609 0428
02:42:02:609 0428 Completed
02:42:02:625 0428
02:42:02:625 0428 Results:
02:42:02:625 0428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
02:42:02:625 0428 File objects infected / cured / cured on reboot: 0 / 0 / 0
02:42:02:625 0428
02:42:02:625 0428 KLMD(ARK) unloaded successfully


#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 AM

Posted 03 June 2010 - 01:50 AM

What about the redirects?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Metsfan61

Metsfan61
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:09 AM

Posted 03 June 2010 - 02:35 PM

Still just as bad as ever. I get redirected from Google and Yahoo. I usually have to cut the URL and paste it in the address bar, and even then it redirects sometimes. This really stinks.


Combofix fixed nothing
TD Killer killed nothing

I have tried everything I can think of and can't get rid of this sucker!!!! Hope you have some other ideas, Gringo!

Edited by Metsfan61, 03 June 2010 - 02:39 PM.


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 AM

Posted 03 June 2010 - 03:45 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\eddd.sys
c:\windows\system32\acluim.sys
c:\windows\system32\1031s.sys
c:\windows\system32\AbaleZipj.exe srv
c:\windows\system32\AbaleZipj.exe

Driver::
eddd
MSDTCTermService


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


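The CFScript in the post above names files under File:: and services under Driver:: for ComboFix to remove, and the log ComboFix writes afterwards reports what it actually removed under the "Other Deletions" and "Drivers/Services" headings. The Python below is an added example, not part of this post and not ComboFix's own code: it parses both layouts and reports which requested items the log confirms, so a responder can see at a glance whether anything listed in the script survived the run. The script text and the log excerpt are constructed samples in the same layout (the paths and service names mirror the ones in the script above); the function names are my own.

```python
import re

# Constructed sample CFScript in the File::/Driver:: layout used in the post.
CFSCRIPT = r"""File::
c:\windows\system32\eddd.sys
c:\windows\system32\acluim.sys
c:\windows\system32\1031s.sys
c:\windows\system32\AbaleZipj.exe srv
c:\windows\system32\AbaleZipj.exe

Driver::
eddd
MSDTCTermService
"""

# Constructed excerpt of a ComboFix log in the layout the tool prints:
# section headers are wrapped in runs of parentheses, filler lines are ".".
COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\1031s.sys
c:\windows\system32\acluim.sys
c:\windows\system32\eddd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EDDD
-------\Legacy_MSDTCTERMSERVICE
-------\Service_eddd
-------\Service_MSDTCTermService


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.
"""

# A ComboFix section header: "((((( Title )))))"; the title is captured.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text):
    """Return {section: [entries]}; a section starts at a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_sections(text):
    """Return {section title: [non-filler lines]} for a ComboFix log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def verify_removal(cfscript_text, log_text):
    """Map each requested file/driver to True if the log confirms its removal."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_sections(log_text)
    deleted = {e.lower() for e in log.get("Other Deletions", [])}
    services = {e.lower() for e in log.get("Drivers/Services", [])}
    report = {}
    for path in script.get("File", []):
        report[path] = path.lower() in deleted
    for driver in script.get("Driver", []):
        # ComboFix logs a removed service as "-------\Service_<name>".
        report[driver] = ("-------\\service_" + driver.lower()) in services
    return report


def unconfirmed(report):
    """Items the script asked for that the log does not confirm, sorted."""
    return sorted(item for item, ok in report.items() if not ok)


if __name__ == "__main__":
    result = verify_removal(CFSCRIPT, COMBOFIX_LOG)
    for item, ok in result.items():
        print(("confirmed   " if ok else "UNCONFIRMED ") + item)
```

On the constructed sample the three .sys files and both services come back confirmed, while the two AbaleZipj.exe entries do not: the log never lists them under "Other Deletions", which is exactly the kind of gap a responder should notice before declaring the machine clean.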

#10 Metsfan61

Metsfan61
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:09 AM

Posted 05 June 2010 - 06:01 AM

In your next post I need the following

1. report from Combofix
2. let me know of any problems you may have had
3. How is the computer doing now after running the script?

_____________________________________________

When I put the script into ComboFix it ran the program, but ComboFix said there was a new version, so I said install, and ComboFix froze just before the logfile came up. So I put the script in again and this time it ran through to the end. The redirect appears to be gone. Here is the report:


ComboFix 10-06-03.01 - BILL 06/05/2010 6:37.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.164 [GMT -4:00]
Running from: c:\documents and settings\BILL.WILLIAM-7D47F85\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BILL.WILLIAM-7D47F85\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\1031s.sys"
"c:\windows\system32\AbaleZipj.exe srv"
"c:\windows\system32\AbaleZipj.exe"
"c:\windows\system32\acluim.sys"
"c:\windows\system32\eddd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\1031s.sys
c:\windows\system32\acluim.sys
c:\windows\system32\eddd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EDDD
-------\Legacy_MSDTCTERMSERVICE
-------\Service_eddd
-------\Service_MSDTCTermService


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-03 19:49 . 2010-06-03 19:49 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Petroglyph
2010-06-03 19:47 . 2010-06-03 19:47 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-03 19:47 . 2010-06-03 19:47 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\LucasArts
2010-06-03 19:29 . 2010-06-03 19:29 -------- d-----w- c:\program files\LucasArts
2010-05-29 20:28 . 1993-07-23 03:00 210944 ------w- c:\windows\system32\Msvcrt10.dll
2010-05-29 20:27 . 2001-03-15 09:18 20584 ------w- c:\windows\system32\PdfPorts.dll
2010-05-29 20:27 . 2001-03-15 09:18 65536 ------w- c:\windows\system32\adistres.dll
2010-05-29 20:27 . 2001-03-15 08:55 101200 ------w- c:\windows\system32\pdfshell.dll
2010-05-29 20:25 . 2010-05-29 20:25 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\InterTrust
2010-05-29 19:52 . 2010-05-29 20:38 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\FileZilla
2010-05-29 19:52 . 2010-05-29 19:52 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-25 23:28 . 2010-05-25 23:28 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJSolutionMenu
2010-05-25 17:16 . 2007-07-11 16:05 91136 ----a-w- c:\windows\system32\saxcom32.dll
2010-05-25 17:16 . 2007-07-11 16:05 45568 ----a-w- c:\windows\system32\saxxfr32.dll
2010-05-25 17:16 . 2007-07-11 16:05 137 ----a-w- c:\windows\system32\ini.bat
2010-05-25 17:16 . 2007-07-11 16:05 135680 ----a-w- c:\windows\system32\escli32.dll
2010-05-25 17:16 . 2007-07-11 16:05 172032 ----a-w- c:\windows\system32\SAXFile.dll
2010-05-25 17:16 . 2010-05-25 17:16 143 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\fusioncache.dat
2010-05-25 17:16 . 2010-05-25 17:16 -------- d-----w- c:\program files\Microsoft WSE
2010-05-25 17:16 . 2010-05-26 06:01 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\ApplicationHistory
2010-05-25 17:15 . 2007-07-11 16:04 1064960 ----a-w- c:\windows\system32\acXMLParser.dll
2010-05-25 17:15 . 2007-07-11 16:04 1064960 ----a-w- c:\windows\system32\cdintf300.dll
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\PNTDATA
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\WINPOINT
2010-05-25 17:14 . 2010-05-25 17:17 -------- d-----w- C:\PNTTEMPL
2010-05-09 16:51 . 2010-05-09 23:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-07 19:07 . 2010-06-05 03:08 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\vlc
2010-05-07 18:46 . 2010-05-07 18:48 -------- d-----w- c:\program files\Graboid
2010-05-07 13:08 . 2010-05-07 13:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BirdFeeder
2010-05-07 13:07 . 2010-05-07 13:07 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\Pacesys_Software
2010-05-07 13:07 . 2010-05-07 18:29 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\BirdFeeder
2010-05-07 13:07 . 2010-05-07 13:07 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\SkinSoft
2010-05-07 01:14 . 2010-05-07 01:14 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2010-05-07 01:14 . 2008-04-18 13:51 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL
2010-05-07 01:14 . 2008-04-07 14:58 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL
2010-05-07 01:14 . 2007-03-15 14:12 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL
2010-05-07 01:14 . 2008-04-07 14:58 1339392 ----a-w- c:\windows\system32\CNQ4807C.DLL
2010-05-07 01:14 . 2010-05-07 01:14 -------- d--h--w- c:\program files\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 02:57 . 2010-01-30 20:27 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\BitTorrent
2010-06-05 02:09 . 2010-04-23 14:09 0 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\prvlcl.dat
2010-06-03 19:29 . 2009-09-23 19:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-03 12:22 . 2010-06-03 12:22 29512 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-03 12:22 . 2010-06-03 12:22 242896 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgtdix.sys
2010-06-03 12:22 . 2010-05-04 23:09 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 12:22 . 2010-05-04 23:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-03 00:20 . 2010-05-04 04:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-06-02 19:07 . 2010-01-30 13:35 -------- d-----w- c:\program files\exPressit S.E. 2.1
2010-06-01 04:28 . 2010-04-25 13:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJPLM
2010-05-31 12:44 . 2010-01-30 21:13 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Vso
2010-05-27 23:23 . 2010-04-25 13:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJ
2010-05-25 23:23 . 2009-09-23 19:34 -------- d-----w- c:\program files\Canon
2010-05-25 17:20 . 2010-01-30 04:18 88600 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 17:16 . 2010-05-25 17:16 10134 ----a-r- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe
2010-05-25 11:13 . 2010-04-14 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-05-22 00:48 . 2010-05-22 00:48 503808 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\msvcp71.dll
2010-05-22 00:48 . 2010-05-22 00:48 499712 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\jmc.dll
2010-05-22 00:48 . 2010-05-22 00:48 12800 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24cedf1e-n\decora-d3d.dll
2010-05-22 00:48 . 2010-05-22 00:48 61440 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24cedf1e-n\decora-sse.dll
2010-05-22 00:48 . 2010-05-22 00:48 348160 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ea748be-n\msvcr71.dll
2010-05-10 03:21 . 2010-04-14 02:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-07 01:15 . 2010-04-25 13:47 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJScan
2010-05-07 01:15 . 2010-04-14 13:38 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Canon
2010-05-04 23:40 . 2010-05-04 23:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-04 23:40 . 2010-05-04 23:09 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-04 23:08 . 2010-05-04 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2010-05-04 20:45 . 2010-05-04 20:45 63488 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 20:45 . 2010-04-14 02:24 117760 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 04:23 . 2010-05-04 04:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2010-05-04 04:08 . 2010-05-04 04:08 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-03 16:17 . 2010-05-03 02:52 -------- d-----w- c:\program files\Microsoft
2010-05-03 03:34 . 2010-03-22 15:29 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\playitall
2010-05-03 02:37 . 2010-04-14 22:52 -------- d-----w- c:\program files\Java
2010-04-30 01:59 . 2009-09-12 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2010-01-30 06:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-30 06:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 14:28 . 2009-09-17 20:51 -------- d-----w- c:\program files\Yahoo!
2010-04-27 05:25 . 2009-09-13 05:12 -------- d-----w- c:\program files\CCleaner
2010-04-25 13:31 . 2009-09-23 19:32 -------- d-----w- c:\program files\ArcSoft
2010-04-25 13:30 . 2010-04-25 13:30 -------- d-----w- c:\program files\Common Files\CANON
2010-04-23 17:36 . 2010-04-23 17:18 -------- d-----w- c:\program files\DVDFab 7
2010-04-23 01:08 . 2010-01-30 03:36 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-22 23:53 . 2010-04-20 11:53 -------- d-----w- c:\program files\MagicISO
2010-04-20 21:38 . 2010-04-16 14:02 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-20 16:14 . 2010-01-30 03:33 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 11:46 . 2010-02-12 13:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 23:52 . 2010-04-18 23:42 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-18 23:44 . 2010-04-17 17:49 95360 ----a-w- c:\windows\system32\drivers\tsk36.tmp
2010-04-17 17:56 . 2010-04-17 17:56 -------- d-----w- c:\documents and settings\AMY.WILLIAM-7D47F85\Application Data\Yahoo!
2010-04-16 14:26 . 2010-04-16 14:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-16 14:26 . 2010-04-16 14:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2010-04-16 14:01 . 2010-04-16 14:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-14 23:38 . 2010-02-01 04:20 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Yahoo!
2010-04-14 22:57 . 2010-04-14 22:57 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\program files\Sun
2010-04-14 22:45 . 2010-02-17 14:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-14 02:24 . 2010-04-14 02:24 52224 ----a-w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 02:23 . 2010-04-14 02:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-04-14 02:19 . 2010-04-14 02:19 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\SUPERAntiSpyware.com
2010-04-14 02:18 . 2010-01-13 07:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 21:29 . 2010-05-03 02:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-12 12:38 . 2010-01-30 07:26 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\AdobeUM
2010-04-12 11:51 . 2009-09-13 02:35 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 00:39 . 2010-04-11 23:47 -------- d-----w- c:\program files\Google
2010-04-06 18:00 . 2010-04-06 18:00 3108544 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Downloads\HRBlockNJ.exe
2010-04-06 14:53 . 2010-04-06 14:52 21180296 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Update\US30026901cupd.exe
2010-04-06 14:50 . 2010-04-06 14:50 -------- d-----w- c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\TaxCut
2010-04-06 14:24 . 2010-04-06 14:20 -------- d-----w- c:\program files\HRBlock2009
2010-04-06 14:21 . 2010-04-06 14:20 -------- d-----w- c:\program files\PDF995
2010-04-06 14:08 . 2010-04-06 14:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut
2010-03-22 18:59 . 2010-03-22 18:59 56766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 56978 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 53600 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Update\Uninstaller.exe
2010-03-22 18:59 . 2010-03-22 18:59 57676 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Player\Uninstaller.exe
2010-03-22 18:58 . 2010-03-22 18:58 84035 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57054 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54166 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57532 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 56458 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54174 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54153 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54128 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Converter\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54629 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 54101 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 57409 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-22 18:57 . 2010-03-22 18:57 52963 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-22 18:56 . 2010-03-22 18:56 54073 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-22 18:56 . 2010-03-22 18:56 56969 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-22 18:55 . 2010-03-22 18:59 754984 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\Resource.dll
2010-03-12 22:19 . 2010-03-22 18:59 986904 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\DivXSetup.exe
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 01:13 . 2010-03-09 01:13 291 ----a-w- c:\windows\EReg072.dat
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-02_11.35.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-05 03:16 . 2010-06-05 03:16 16384 c:\windows\temp\Perflib_Perfdata_784.dat
+ 2010-06-03 19:47 . 2005-03-18 21:23 12800 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Diagnostics.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 53248 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2010-06-03 19:47 . 2005-07-22 21:21 577024 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 223232 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 178176 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 364544 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectPlay.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 159232 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 145920 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.dll
+ 2010-06-03 19:47 . 2005-03-18 21:23 473600 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-06-03 19:47 . 2010-06-03 19:47 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2010-06-03 19:47 . 2005-07-22 23:59 2319568 c:\windows\system32\d3dx9_27.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-9-12 49254]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-04 23:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-07 15:40 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-03-11 01:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-12 22:02 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-07-30 14:41 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-16 01:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-10 03:21 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"g:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/18/2010 7:42 PM 50176]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/4/2010 7:09 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/4/2010 7:09 PM 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/4/2010 7:40 PM 308064]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\BILL.WILLIAM-7D47F85\My Documents\Downloads\software\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\BILL.WILLIAM-7D47F85\My Documents\Downloads\software\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\nsak.sys --> c:\docume~1\BILL~1.WIL\LOCALS~1\Temp\000009b9.nmc\nse\bin\nsak.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 14:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\BILL.WILLIAM-7D47F85\Application Data\Mozilla\Firefox\Profiles\8qc69h49.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 06:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-05 06:52:07
ComboFix-quarantined-files.txt 2010-06-05 10:52
ComboFix2.txt 2010-06-02 11:40

Pre-Run: 5,454,372,864 bytes free
Post-Run: 5,419,663,360 bytes free

- - End Of File - - C8560AC9AD373F00AE6F43B39D2AA9AB

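The service section of the ComboFix log above lists each driver as start flag, name, display name and path, with "[?]" where the scanner could not read the file. The following is an added example, not part of the thread or of any tool mentioned in it: it parses constructed lines in that format and flags drivers loaded from user-writable locations or with no file details. A flag is a cue for review, not a verdict; in this log the KillTheHooker entry belongs to the TDL3 Razor removal tool the poster had downloaded.

```python
import re

# Constructed sample lines in the DDS/ComboFix service-listing format shown in the
# thread: "<R|S><start type> name;display;path [date time size]" or, when the scanner
# could not read the file, "... --> path [?]".
SAMPLE_LINES = r"""R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\BILL\My Documents\Downloads\TizerBruteForceEx.sys --> c:\documents and settings\BILL\My Documents\Downloads\TizerBruteForceEx.sys [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\BILL~1\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\BILL~1\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
"""

ENTRY_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")

# Path fragments pointing at user-writable locations (heuristic chosen for this example).
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\users\\",
                       "\\downloads\\", "\\locals~1\\")


def parse_entry(line):
    """Split one service line into start flag, name, display name, path and file info."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "-->" in rest:  # "\??\path --> resolved path [?]" form: keep the resolved path
        rest = rest.split("-->", 1)[1].strip()
    meta = META_RE.search(rest)
    return {"start": m.group("start"), "name": m.group("name"),
            "display": m.group("display"), "path": META_RE.sub("", rest).strip(),
            "file_info": meta.group("meta") if meta else ""}

def review_entry(entry):
    """Return the reasons (possibly none) why this entry should be checked by hand."""
    reasons = []
    path = entry["path"].lower()
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("driver loaded from a user-writable location")
    if entry["file_info"] == "?":
        reasons.append("scanner reported no file details (file may be missing)")
    return reasons

def flag_suspicious(text):
    """Return (name, path, reasons) for every service line that earns at least one reason."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := review_entry(entry)):
            findings.append((entry["name"], entry["path"], reasons))
    return findings
```

Running `flag_suspicious(SAMPLE_LINES)` on the constructed lines reports the KillTheHooker and NDISKIO entries and leaves the two drivers under system32 and Program Files alone.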

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 AM

Posted 05 June 2010 - 12:03 PM

Greetings Metsfan61

The redirect appears to be gone - that is great.

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 gringo_pr

Posted 08 June 2010 - 10:23 PM

Hello

three day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo



#13 gringo_pr

Posted 12 June 2010 - 11:00 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




