
Google Redirect Infection


15 replies to this topic

#1 carlozofjuan (Members, 15 posts)

Posted 05 June 2010 - 12:04 AM

Hello,

In addition to being redirected to unrelated websites, there is another issue. After typing something into the Google search box in Firefox/IE, a page comes up reading:
____________________________________________________________
ERROR
Cache Access Denied

While trying to retrieve the URL: http://www.google.com/search?

The following error was encountered:

* Cache Access Denied.

Sorry, you are not currently allowed to request:

http://www.google.com/search?

from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.
_____________________________________________________________


or it will say....

___________________
302 Moved
The document has moved here.
___________________

And the hyperlinked "here" takes me to the results page in German.

Please help! The logs follow...


DDS (Ver_10-03-17.01) - NTFSx86
Run by Juan at 18:55:23.18 on Fri 06/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1280 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Juan\Desktop\dds.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mR

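Added example (not from the original post and not from any tool mentioned in this thread): a small Python script that classifies a raw HTTP response to a Google search into the two symptoms carlozofjuan describes, a proxy-style "Cache Access Denied" page and a 302 to a host other than the one requested. The sample responses are constructed; the 407 status on the cache-error page and the google.de Location target are assumptions, since the post quotes only the page bodies.

```python
"""Classify the HTTP response to a Google search for the two interception
symptoms described in the post: a proxy-style "Cache Access Denied" error page
and a 302 whose target is a different host from the one requested."""
from urllib.parse import urlparse

# Phrases lifted from the error page quoted in the post.
PROXY_ERROR_MARKERS = ("Cache Access Denied", "cache administrator")

REQUEST_URL = "http://www.google.com/search?q=test"

# Constructed sample responses. The post quotes only the page bodies, so the
# 407 status on the cache error and the google.de Location target are assumptions.
SAMPLE_PROXY_ERROR = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>ERROR</h1><h2>Cache Access Denied</h2>"
    b"<p>While trying to retrieve the URL: http://www.google.com/search?</p>"
    b"<p>Sorry, you are not currently allowed to request: "
    b"http://www.google.com/search? from this cache until you have "
    b"authenticated yourself.</p>"
    b"<p>Please contact the cache administrator if you have difficulties "
    b"authenticating yourself.</p></body></html>"
)
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Moved\r\n"
    b"Location: http://www.google.de/search?q=test\r\n"
    b"\r\n"
    b"<html><body><h1>302 Moved</h1>The document has moved "
    b'<a href="http://www.google.de/search?q=test">here</a>.</body></html>'
)
SAMPLE_CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>search results</body></html>"
)


def parse_response(raw: bytes) -> dict:
    """Minimal HTTP/1.x response parser: status code, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"code": code, "headers": headers, "body": body.decode("latin-1", "replace")}


def classify(raw: bytes, requested_url: str) -> str:
    """One of: proxy-error, redirect-offsite, redirect-same-host, clean."""
    resp = parse_response(raw)
    wanted = (urlparse(requested_url).hostname or "").lower()
    if 300 <= resp["code"] < 400:
        target = (urlparse(resp["headers"].get("location", "")).hostname or "").lower()
        # A redirect that leaves the requested host is the "302 Moved ... here" symptom.
        return "redirect-offsite" if target and target != wanted else "redirect-same-host"
    if any(marker in resp["body"] for marker in PROXY_ERROR_MARKERS):
        # On a machine where no proxy is configured, a cache error page means
        # something between the browser and Google answered in its place.
        return "proxy-error"
    return "clean"


if __name__ == "__main__":
    for label, sample in [("cache error", SAMPLE_PROXY_ERROR),
                          ("302", SAMPLE_REDIRECT), ("normal", SAMPLE_CLEAN)]:
        print(f"{label:12s} -> {classify(sample, REQUEST_URL)}")
```

To run it against a live machine, capture the raw response with `curl -s -i "http://www.google.com/search?q=test"` (curl does not follow redirects unless given -L) and pass the bytes to classify(). Google does send some clients to country domains on its own, so an off-site redirect is only suspicious when a known-clean machine on the same network does not get the same one; the cache error page, on a machine where no proxy is configured, is the stronger indicator.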

#2 JSntgRvr, Master Surgeon General (Malware Response Team, 11,538 posts, Puerto Rico)

Posted 05 June 2010 - 12:26 AM

Hi, carlozofjuan

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 carlozofjuan, Topic Starter (Members, 15 posts)

Posted 05 June 2010 - 11:41 AM

Here is the log file. It is not the first one; I couldn't find the log file from the first run, so I reran TDSSKiller and it overwrote the log file. The first one showed that it cured an infected file called "pci.sys", I believe. The following log file shows 0 infections.

11:32:33:875 3392 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
11:32:33:875 3392 ================================================================================
11:32:33:875 3392 SystemInfo:

11:32:33:875 3392 OS Version: 5.1.2600 ServicePack: 3.0
11:32:33:875 3392 Product type: Workstation
11:32:33:875 3392 ComputerName: JUANXPS
11:32:33:875 3392 UserName: Juan
11:32:33:875 3392 Windows directory: C:\WINDOWS
11:32:33:875 3392 Processor architecture: Intel x86
11:32:33:875 3392 Number of processors: 1
11:32:33:875 3392 Page size: 0x1000
11:32:33:875 3392 Boot type: Normal boot
11:32:33:875 3392 ================================================================================
11:32:34:531 3392 Initialize success
11:32:34:531 3392
11:32:34:531 3392 Scanning Services ...
11:32:35:187 3392 Raw services enum returned 393 services
11:32:35:203 3392
11:32:35:203 3392 Scanning Drivers ...
11:32:36:984 3392 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
11:32:37:109 3392 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:32:37:250 3392 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:32:37:328 3392 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
11:32:37:453 3392 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:32:37:546 3392 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
11:32:37:609 3392 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
11:32:37:656 3392 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:32:37:750 3392 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
11:32:37:828 3392 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
11:32:37:921 3392 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
11:32:37:937 3392 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
11:32:37:968 3392 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
11:32:38:078 3392 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
11:32:38:125 3392 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
11:32:38:140 3392 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
11:32:38:218 3392 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
11:32:38:312 3392 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:32:38:484 3392 arusb(Atheros) (93ea7d94959bef66d0e4adbc8ce4e073) C:\WINDOWS\system32\DRIVERS\arusb.sys
11:32:38:640 3392 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
11:32:38:734 3392 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
11:32:38:765 3392 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
11:32:38:843 3392 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
11:32:38:906 3392 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:32:38:984 3392 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:32:39:078 3392 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:32:39:125 3392 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:32:39:156 3392 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
11:32:39:187 3392 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:32:39:234 3392 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
11:32:39:312 3392 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
11:32:39:421 3392 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
11:32:39:468 3392 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
11:32:39:500 3392 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:32:39:531 3392 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:32:39:562 3392 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
11:32:39:625 3392 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:32:39:671 3392 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:32:39:718 3392 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:32:39:750 3392 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:32:39:828 3392 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:32:39:875 3392 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:32:39:937 3392 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:32:39:984 3392 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:32:40:093 3392 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:32:40:125 3392 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:32:40:171 3392 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
11:32:40:187 3392 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
11:32:40:203 3392 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
11:32:40:218 3392 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
11:32:40:250 3392 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
11:32:40:281 3392 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
11:32:40:375 3392 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
11:32:40:437 3392 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
11:32:40:468 3392 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
11:32:40:609 3392 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:32:40:703 3392 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:32:40:750 3392 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:32:40:796 3392 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:32:40:859 3392 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:32:40:906 3392 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:32:40:968 3392 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
11:32:41:015 3392 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
11:32:41:218 3392 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
11:32:41:359 3392 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
11:32:41:406 3392 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:32:41:484 3392 ElbyCDIO (e4788e5b3e5f0a0bbb318a9c426c2812) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
11:32:41:515 3392 ElbyDelay (0b15894b0698abcac9f19d060119d1d0) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
11:32:41:578 3392 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:32:41:609 3392 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:32:41:703 3392 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:32:41:734 3392 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:32:41:843 3392 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:32:41:875 3392 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:32:41:921 3392 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys
11:32:42:015 3392 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:32:42:093 3392 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys
11:32:42:140 3392 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:32:42:187 3392 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:32:42:218 3392 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:32:42:312 3392 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:32:42:453 3392 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
11:32:42:546 3392 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
11:32:42:671 3392 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:32:42:796 3392 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:32:42:843 3392 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:32:42:921 3392 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:32:43:015 3392 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:32:43:250 3392 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:32:43:296 3392 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:32:43:359 3392 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:32:43:453 3392 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:32:43:500 3392 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:32:43:578 3392 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:32:43:640 3392 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:32:43:687 3392 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:32:43:781 3392 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:32:43:859 3392 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:32:43:906 3392 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:32:43:953 3392 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:32:44:015 3392 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
11:32:44:046 3392 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:32:44:234 3392 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:32:44:281 3392 Lbd (713cd5267abfb86fe90a72e384e82a38) C:\WINDOWS\system32\DRIVERS\Lbd.sys
11:32:44:390 3392 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:32:44:421 3392 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:32:44:453 3392 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:32:44:500 3392 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:32:44:515 3392 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:32:44:562 3392 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:32:44:625 3392 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:32:44:703 3392 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:32:44:765 3392 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:32:44:859 3392 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:32:44:968 3392 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:32:45:015 3392 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:32:45:046 3392 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:32:45:062 3392 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:32:45:125 3392 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:32:45:171 3392 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
11:32:45:218 3392 MXOPSWD (216ac775320f64de28cfeb7c179c4ff9) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
11:32:45:343 3392 n558 (88705dc61b9275b82e48904d53031f5b) C:\WINDOWS\system32\Drivers\n558.sys
11:32:45:421 3392 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:32:45:437 3392 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:32:45:468 3392 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:32:45:500 3392 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:32:45:515 3392 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
11:32:45:546 3392 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:32:45:734 3392 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:32:45:796 3392 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:32:45:828 3392 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:32:45:890 3392 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:32:46:031 3392 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:32:46:281 3392 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:32:46:500 3392 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:32:46:531 3392 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:32:46:593 3392 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:32:46:640 3392 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:32:46:718 3392 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:32:46:859 3392 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:32:46:906 3392 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:32:46:953 3392 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:32:46:984 3392 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:32:47:062 3392 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
11:32:47:187 3392 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:32:47:265 3392 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:32:47:328 3392 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:32:47:359 3392 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:32:47:406 3392 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:32:47:437 3392 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:32:47:515 3392 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:32:47:593 3392 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:32:47:609 3392 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:32:47:625 3392 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:32:47:640 3392 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:32:47:640 3392 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:32:47:687 3392 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:32:47:734 3392 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:32:47:734 3392 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:32:47:796 3392 RD1009 (9a3124a8694428eea75e8a3de3f10d8f) C:\WINDOWS\system32\Drivers\rdwm1009.sys
11:32:47:843 3392 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:32:47:906 3392 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:32:47:953 3392 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:32:48:078 3392 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
11:32:48:125 3392 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:32:48:171 3392 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
11:32:48:218 3392 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
11:32:48:281 3392 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
11:32:48:328 3392 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
11:32:48:421 3392 s24trans (e2c6abcbefb1d44f6aaeb1cd5d6062d4) C:\WINDOWS\system32\DRIVERS\s24trans.sys
11:32:48:468 3392 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
11:32:48:531 3392 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:32:48:593 3392 Ser2pl (de0a165d9f8ea295e62ea702ef2f8125) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
11:32:48:640 3392 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:32:48:671 3392 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:32:48:718 3392 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
11:32:48:781 3392 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
11:32:48:843 3392 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:32:48:890 3392 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:32:48:921 3392 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:32:48:968 3392 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:32:49:078 3392 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:32:49:187 3392 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
11:32:49:359 3392 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
11:32:49:437 3392 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:32:49:468 3392 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:32:49:562 3392 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:32:49:640 3392 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:32:49:671 3392 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:32:49:671 3392 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:32:49:734 3392 SynTP (35d5b3632e0bcebe27b391157de05996) C:\WINDOWS\system32\DRIVERS\SynTP.sys
11:32:49:812 3392 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:32:49:875 3392 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:32:49:937 3392 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:32:50:062 3392 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:32:50:093 3392 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:32:50:140 3392 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:32:50:187 3392 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:32:50:234 3392 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:32:50:312 3392 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:32:50:390 3392 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:32:50:500 3392 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:32:50:531 3392 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:32:50:578 3392 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:32:50:687 3392 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:32:50:812 3392 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:32:51:203 3392 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:32:51:515 3392 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:32:51:937 3392 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:32:52:140 3392 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:32:52:390 3392 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:32:52:937 3392 w29n51 (d6006de6a6ed423d8016a03bc50cbe6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
11:32:53:343 3392 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:32:53:421 3392 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:32:53:531 3392 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:32:53:703 3392 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
11:32:53:750 3392 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:32:53:796 3392 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:32:53:796 3392
11:32:53:796 3392 Completed
11:32:53:796 3392
11:32:53:796 3392 Results:
11:32:53:796 3392 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:32:53:796 3392 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:32:53:796 3392
11:32:53:812 3392 KLMD(ARK) unloaded successfully
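Added example, not part of the thread and not Kaspersky's TDSSKiller code: a Python parser for the log format shown above, so the MD5 of a particular driver (here pci.sys, which carlozofjuan reports the first run had cured) can be pulled out and compared against a hash taken from a known-clean machine with the same OS and service pack. The sample log is a constructed excerpt of the lines posted above; the baseline hashes are the caller's own and none are given on this page.

```python
"""Parse a TDSSKiller log (format as posted above) so per-driver MD5s and the
Results summary can be checked programmatically instead of by eye."""
import re

# Constructed excerpt: lines copied from the log in the post, enough to
# exercise the parser offline. Replace with open("C:/TDSSKiller.txt").read().
SAMPLE_LOG = r"""
11:32:33:875 3392 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
11:32:33:875 3392 OS Version: 5.1.2600 ServicePack: 3.0
11:32:35:203 3392 Scanning Drivers ...
11:32:38:484 3392 arusb(Atheros) (93ea7d94959bef66d0e4adbc8ce4e073) C:\WINDOWS\system32\DRIVERS\arusb.sys
11:32:38:984 3392 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:32:39:500 3392 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:32:39:531 3392 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:32:46:906 3392 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:32:53:796 3392 Results:
11:32:53:796 3392 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:32:53:796 3392 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:32:53:812 3392 KLMD(ARK) unloaded successfully
"""

# "<hh:mm:ss:ms> <pid> <service name> (<md5>) <path>" as in the Scanning Drivers section.
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
RESULT_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


def parse_tdsskiller_log(text: str):
    """Return ([{name, md5, path}, ...], {"registry": (i, c, r), "file": (i, c, r)})."""
    drivers, results = [], {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers.append({"name": m["name"], "md5": m["md5"], "path": m["path"]})
            continue
        m = RESULT_RE.search(line)
        if m:
            results[m["kind"].lower()] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
    return drivers, results


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hash_of(drivers, filename: str):
    """MD5 recorded for a driver file, matched on basename, case-insensitive.
    The same file may be listed under several service names (cbidf/cbidf2k above);
    that is fine as long as every entry agrees on the hash."""
    hashes = {d["md5"] for d in drivers if basename(d["path"]) == filename.lower()}
    if len(hashes) > 1:
        raise ValueError(f"{filename} listed with conflicting hashes: {sorted(hashes)}")
    return hashes.pop() if hashes else None


def compare_to_baseline(drivers, baseline: dict):
    """baseline: {basename: md5} taken from a clean machine with the same OS and
    service pack (the caller's values; none are on this page). Returns a list of
    (file, expected, actual) for every file whose logged hash differs."""
    mismatches = []
    for fname, expected in baseline.items():
        actual = hash_of(drivers, fname)
        if actual is not None and actual.lower() != expected.lower():
            mismatches.append((fname, expected, actual))
    return mismatches


if __name__ == "__main__":
    drivers, results = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(drivers)} drivers parsed; file objects infected/cured/on reboot: {results['file']}")
    print("pci.sys MD5:", hash_of(drivers, "pci.sys"))
```

A hash that differs from the baseline is not proof of infection on its own (an OEM hotfix can change a driver too), but for a core boot driver such as pci.sys it is exactly the file to pull and inspect, because a rootkit that patches a legitimate driver in place leaves the name, path and service entry looking normal and changes only the hash.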


#4 carlozofjuan, Topic Starter (Members, 15 posts)

Posted 05 June 2010 - 11:45 AM

Google search no longer results in the "302 page has moved here" that takes me to the results page in German. The Google search result redirect still exists, though.

#5 carlozofjuan, Topic Starter (Members, 15 posts)

Posted 05 June 2010 - 11:48 AM

Never mind, the original issues still exist (cache access denied/302).

#6 JSntgRvr, Master Surgeon General (Malware Response Team, 11,538 posts, Puerto Rico)

Posted 05 June 2010 - 02:35 PM

Hi, carlozofjuan

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    -----------------------------------------------------------
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    QUOTE
    TDL::
    C:\WINDOWS\system32\drivers\pci.sys




    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.
  4. Install the Recovery Console if prompted.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 carlozofjuan
  • Topic Starter
  • Members
  • 15 posts

Posted 07 June 2010 - 01:13 AM

Hi! Thanks for your continuing assistance. This is an error log that appeared on my Desktop Saturday or Sunday (I was away from my computer). I will continue with the ComboFix installation.

#
# An unexpected error has been detected by Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x256748cd, pid=4012, tid=2340
#
# Java VM: Java HotSpot(TM) Client VM (11.3-b02 mixed mode, sharing windows-x86)
# Problematic frame:
# C 0x256748cd
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

--------------- T H R E A D ---------------

Current thread (0x03038400): JavaThread "thread applet-dev.s.Saxonia-1" [_thread_in_native, id=2340, stack(0x03280000,0x032d0000)]

siginfo: ExceptionCode=0xc0000005, reading address 0xa1ed700e

Registers:
EAX=0x7c862803, EBX=0x7c808cf3, ECX=0x00000008, EDX=0x25674803
ESP=0x032cf72c, EBP=0x2567467c, ESI=0x2567480b, EDI=0x256747da
EIP=0x256748cd, EFLAGS=0x00210286

Top of Stack: (sp=0x032cf72c)

Instructions: (pc=0x256748cd)
0x256748bd: 02 eb ed 68 74 74 70 3a 2f 2f 37 37 2e 37 38 2e
0x256748cd: 32 34 30 2e 38 39 2f 78 78 31 2f 6c 2e 70 68 70


Stack: [0x03280000,0x032d0000], sp=0x032cf72c, free space=317k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0x256748cd

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String;)J+0
j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String;)V+7
j com.sun.media.sound.HeadspaceSoundbank.<init>(Ljava/net/URL;)V+89
j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+5
j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+36
j dev.s.Saxonia.init()V+665
j sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run()V+837
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x030d1c00 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=832, stack(0x041c0000,0x04210000)]
0x0312d800 JavaThread "Keep-Alive-Timer" daemon [_thread_blocked, id=3216, stack(0x04160000,0x041b0000)]
0x03048800 JavaThread "Image Fetcher 0" daemon [_thread_blocked, id=1932, stack(0x04020000,0x04070000)]
=>0x03038400 JavaThread "thread applet-dev.s.Saxonia-1" [_thread_in_native, id=2340, stack(0x03280000,0x032d0000)]
0x03023c00 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=4088, stack(0x03fd0000,0x04020000)]
0x03022800 JavaThread "Applet 1 LiveConnect Worker Thread" [_thread_blocked, id=3428, stack(0x03f80000,0x03fd0000)]
0x0300cc00 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=2732, stack(0x03f30000,0x03f80000)]
0x03019400 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=3244, stack(0x03600000,0x03650000)]
0x03018400 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=3440, stack(0x035b0000,0x03600000)]
0x03005800 JavaThread "Java Plug-In Heartbeat Thread" [_thread_blocked, id=2800, stack(0x03510000,0x03560000)]
0x03004000 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=1244, stack(0x034c0000,0x03510000)]
0x03002800 JavaThread "AWT-Windows" daemon [_thread_in_native, id=744, stack(0x03410000,0x03460000)]
0x03001400 JavaThread "AWT-Shutdown" [_thread_blocked, id=1052, stack(0x033c0000,0x03410000)]
0x02ffd000 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=2568, stack(0x03370000,0x033c0000)]
0x02b82c00 JavaThread "Java Plug-In Pipe Worker Thread (Client-Side)" daemon [_thread_in_native, id=996, stack(0x032d0000,0x03320000)]
0x02b5ac00 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=2372, stack(0x03230000,0x03280000)]
0x02bcbc00 JavaThread "Timer-0" [_thread_blocked, id=3444, stack(0x031e0000,0x03230000)]
0x02b01c00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=2796, stack(0x02db0000,0x02e00000)]
0x02afb400 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1300, stack(0x02d60000,0x02db0000)]
0x02af9c00 JavaThread "Attach Listener" daemon [_thread_blocked, id=1504, stack(0x02d10000,0x02d60000)]
0x02af8800 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=3936, stack(0x02cc0000,0x02d10000)]
0x02af3c00 JavaThread "Finalizer" daemon [_thread_blocked, id=1540, stack(0x02c70000,0x02cc0000)]
0x02aef000 JavaThread "Reference Handler" daemon [_thread_blocked, id=4080, stack(0x02c20000,0x02c70000)]
0x00886800 JavaThread "main" [_thread_blocked, id=4084, stack(0x00910000,0x00960000)]

Other Threads:
0x02aed800 VMThread [stack: 0x02bd0000,0x02c20000] [id=1520]
0x02b03400 WatcherThread [stack: 0x02e00000,0x02e50000] [id=3608]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
def new generation total 4544K, used 3175K [0x22990000, 0x22e70000, 0x22e70000)
eden space 4096K, 77% used [0x22990000, 0x22ca9d90, 0x22d90000)
from space 448K, 0% used [0x22d90000, 0x22d90120, 0x22e00000)
to space 448K, 0% used [0x22e00000, 0x22e00000, 0x22e70000)
tenured generation total 60544K, used 49173K [0x22e70000, 0x26990000, 0x26990000)
the space 60544K, 81% used [0x22e70000, 0x25e75440, 0x25e75600, 0x26990000)
compacting perm gen total 12288K, used 2612K [0x26990000, 0x27590000, 0x2a990000)
the space 12288K, 21% used [0x26990000, 0x26c1d038, 0x26c1d200, 0x27590000)
ro space 8192K, 63% used [0x2a990000, 0x2aea8810, 0x2aea8a00, 0x2b190000)
rw space 12288K, 53% used [0x2b190000, 0x2b7fd300, 0x2b7fd400, 0x2bd90000)

Dynamic libraries:
0x00400000 - 0x00424000 C:\Program Files\Java\jre6\bin\java.exe
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x7c340000 - 0x7c396000 C:\Program Files\Java\jre6\bin\msvcr71.dll
0x6d800000 - 0x6da56000 C:\Program Files\Java\jre6\bin\client\jvm.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x6d290000 - 0x6d298000 C:\Program Files\Java\jre6\bin\hpi.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x6d7b0000 - 0x6d7bc000 C:\Program Files\Java\jre6\bin\verify.dll
0x6d330000 - 0x6d34f000 C:\Program Files\Java\jre6\bin\java.dll
0x6d7f0000 - 0x6d7ff000 C:\Program Files\Java\jre6\bin\zip.dll
0x6d430000 - 0x6d436000 C:\Program Files\Java\jre6\bin\jp2native.dll
0x6d1d0000 - 0x6d1e3000 C:\Program Files\Java\jre6\bin\deploy.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3d930000 - 0x3da16000 C:\WINDOWS\system32\WININET.dll
0x02e50000 - 0x02e59000 C:\WINDOWS\system32\Normaliz.dll
0x78130000 - 0x78263000 C:\WINDOWS\system32\urlmon.dll
0x3dfd0000 - 0x3e1b8000 C:\WINDOWS\system32\iertutil.dll
0x6d6b0000 - 0x6d6f2000 C:\Program Files\Java\jre6\bin\regutils.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
0x6d610000 - 0x6d623000 C:\Program Files\Java\jre6\bin\net.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x6d630000 - 0x6d639000 C:\Program Files\Java\jre6\bin\nio.dll
0x6d000000 - 0x6d14a000 C:\Program Files\Java\jre6\bin\awt.dll
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x6d230000 - 0x6d284000 C:\Program Files\Java\jre6\bin\fontmanager.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\System32\mswsock.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x751d0000 - 0x751ee000 C:\WINDOWS\system32\wshbth.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x6d1a0000 - 0x6d1c3000 C:\Program Files\Java\jre6\bin\dcpr.dll
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\netapi32.dll
0x6d520000 - 0x6d544000 C:\Program Files\Java\jre6\bin\jsound.dll
0x6d550000 - 0x6d558000 C:\Program Files\Java\jre6\bin\jsoundds.dll
0x73f10000 - 0x73f6c000 C:\WINDOWS\system32\DSOUND.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll

VM Arguments:
jvm_args: -D__jvm_launched=861059411 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar
java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid3004_pipe3,read_pipe_name=jpi2_pid3004_pipe2
Launcher Type: SUN_STANDARD

Environment Variables:
PATH=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\wbem;C:\Program Files\SSH Communications Security\SSH Secure Shell
USERNAME=Juan
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel



--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 1 (1 cores per cpu, 1 threads per core) family 6 model 13 stepping 8, cmov, cx8, fxsr, mmx, sse, sse2

Memory: 4k page, physical 2088316k(1243796k free), swap 3491948k(2849308k free)

vm_info: Java HotSpot(TM) Client VM (11.3-b02) for windows-x86 JRE (1.6.0_13-b03), built on Mar 9 2009 01:15:24 by "java_re" with MS VC++ 7.1

time: Sat Jun 05 11:43:03 2010
elapsed time: 7 seconds



#8 carlozofjuan
  • Topic Starter
  • Members
  • 15 posts

Posted 07 June 2010 - 03:32 AM

Before CFScript.txt step

ComboFix 10-06-06.03 - Juan 06/07/2010 2:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1335 [GMT -5:00]
Running from: c:\documents and settings\Juan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Juan\Application Data\inst.exe
c:\documents and settings\Juan\System
c:\documents and settings\Juan\System\win_qs8.jqx
c:\windows\Downloaded Program Files\IDropPTB.dll
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-05-26 19:56 . 2010-05-25 21:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-25 21:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-25 21:22 . 2010-05-25 21:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-25 21:06 . 2010-05-25 21:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-25 21:06 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-25 21:06 . 2010-05-25 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-25 21:06 . 2010-05-25 21:06 -------- d-----w- c:\program files\Lavasoft
2010-05-25 19:30 . 2010-05-25 19:30 503808 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\msvcp71.dll
2010-05-25 19:30 . 2010-05-25 19:30 348160 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\msvcr71.dll
2010-05-25 19:30 . 2010-05-25 19:30 499712 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\jmc.dll
2010-05-12 01:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 01:57 . 2010-05-12 01:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 01:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 23:55 . 2010-05-11 23:55 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 18:04 . 2009-06-02 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-05 16:28 . 2004-08-04 04:07 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-01 15:08 . 2009-04-25 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-29 23:20 . 2009-09-28 20:00 -------- d-----w- c:\program files\Safari
2010-05-15 04:40 . 2009-10-02 09:52 109448 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-12 22:39 . 2009-04-24 22:36 149016 -c--a-w- c:\documents and settings\Juan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 23:53 . 2009-12-15 03:17 -------- d-----w- c:\program files\QuickTime
2010-05-11 23:53 . 2009-04-24 23:04 -------- d-----w- c:\program files\DellSupport
2010-05-11 23:53 . 2006-05-24 15:04 -------- d-----w- c:\program files\NetWaiting
2010-05-11 23:53 . 2010-05-06 00:29 -------- d-----w- c:\documents and settings\Juan\Application Data\Caedium
2010-05-01 23:41 . 2006-05-24 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-01 23:39 . 2010-05-01 23:35 -------- d-----w- c:\program files\Transparent
2010-04-23 00:32 . 2009-08-05 05:03 -------- d-----w- c:\documents and settings\Juan\Application Data\Autodesk
2010-04-11 00:57 . 2009-08-05 05:02 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-11 00:48 . 2010-04-10 23:38 -------- d-----w- c:\program files\Autodesk
2010-04-10 23:38 . 2010-04-10 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk, Inc
2010-04-10 23:38 . 2009-08-05 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-10 22:22 . 2010-04-10 22:22 244920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-10 22:02 . 2010-04-10 22:00 -------- d-----w- c:\program files\AOEMView 2009
2010-04-10 22:00 . 2010-04-10 21:58 -------- d-----w- c:\program files\DWG TrueView 2009
2010-03-23 07:08 . 2009-11-21 22:22 79488 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-08-03 17:25 . 2009-08-03 17:25 28488 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-03 17:25 . 2009-08-03 17:25 185232 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-03 17:25 . 2009-08-03 17:25 99216 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2010-02-24 08:30 . 2009-12-13 23:00 56 --sh--r- c:\windows\system32\0A34152014.sys
2009-12-13 23:22 . 2009-04-25 21:16 88 -csh--r- c:\windows\system32\142015340A.sys
2010-02-24 08:30 . 2009-04-25 21:16 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-09 148888]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-07-10 210224]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\Juan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-24 24576]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi4"=rddv1009.dll
"midi7"=rddv1009.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2010 4:22 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1314704]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [9/29/2008 7:24 PM 453120]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/6/2010 7:22 PM 1527900]
S3 RD1009;EDIROL UM-1 USB Driver;c:\windows\system32\drivers\rdwm1009.sys [1/18/2010 9:04 PM 43052]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:22]

2009-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Juan\Application Data\Mozilla\Firefox\Profiles\hjdpdte1.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 03:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\rddv1009.dll
.
Completion time: 2010-06-07 03:04:23
ComboFix-quarantined-files.txt 2010-06-07 08:04

Pre-Run: 8,231,108,608 bytes free
Post-Run: 9,004,101,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2C1B0438F4B0DD8E208844F3609DCC13


#9 carlozofjuan
  • Topic Starter
  • Members
  • 15 posts

Posted 07 June 2010 - 03:34 AM

After CFScript step:

ComboFix 10-06-06.04 - Juan 06/07/2010 3:17.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1369 [GMT -5:00]
Running from: c:\documents and settings\Juan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Juan\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-05-26 19:56 . 2010-05-25 21:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-25 21:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-25 21:22 . 2010-05-25 21:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-25 21:06 . 2010-05-25 21:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-25 21:06 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-25 21:06 . 2010-05-25 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-25 21:06 . 2010-05-25 21:06 -------- d-----w- c:\program files\Lavasoft
2010-05-25 19:30 . 2010-05-25 19:30 503808 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\msvcp71.dll
2010-05-25 19:30 . 2010-05-25 19:30 348160 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\msvcr71.dll
2010-05-25 19:30 . 2010-05-25 19:30 499712 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e879972-n\jmc.dll
2010-05-12 01:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 01:57 . 2010-05-12 01:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 01:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 23:55 . 2010-05-11 23:55 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 18:04 . 2009-06-02 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-05 16:28 . 2004-08-04 04:07 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-01 15:08 . 2009-04-25 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-29 23:20 . 2009-09-28 20:00 -------- d-----w- c:\program files\Safari
2010-05-15 04:40 . 2009-10-02 09:52 109448 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-12 22:39 . 2009-04-24 22:36 149016 -c--a-w- c:\documents and settings\Juan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 23:53 . 2009-12-15 03:17 -------- d-----w- c:\program files\QuickTime
2010-05-11 23:53 . 2009-04-24 23:04 -------- d-----w- c:\program files\DellSupport
2010-05-11 23:53 . 2006-05-24 15:04 -------- d-----w- c:\program files\NetWaiting
2010-05-11 23:53 . 2010-05-06 00:29 -------- d-----w- c:\documents and settings\Juan\Application Data\Caedium
2010-05-01 23:41 . 2006-05-24 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-01 23:39 . 2010-05-01 23:35 -------- d-----w- c:\program files\Transparent
2010-04-23 00:32 . 2009-08-05 05:03 -------- d-----w- c:\documents and settings\Juan\Application Data\Autodesk
2010-04-11 00:57 . 2009-08-05 05:02 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-11 00:48 . 2010-04-10 23:38 -------- d-----w- c:\program files\Autodesk
2010-04-10 23:38 . 2010-04-10 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk, Inc
2010-04-10 23:38 . 2009-08-05 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-10 22:22 . 2010-04-10 22:22 244920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-10 22:02 . 2010-04-10 22:00 -------- d-----w- c:\program files\AOEMView 2009
2010-04-10 22:00 . 2010-04-10 21:58 -------- d-----w- c:\program files\DWG TrueView 2009
2010-03-23 07:08 . 2009-11-21 22:22 79488 ----a-w- c:\documents and settings\Juan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-08-03 17:25 . 2009-08-03 17:25 28488 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-03 17:25 . 2009-08-03 17:25 185232 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-03 17:25 . 2009-08-03 17:25 99216 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2010-02-24 08:30 . 2009-12-13 23:00 56 --sh--r- c:\windows\system32\0A34152014.sys
2009-12-13 23:22 . 2009-04-25 21:16 88 -csh--r- c:\windows\system32\142015340A.sys
2010-02-24 08:30 . 2009-04-25 21:16 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-09 148888]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-07-10 210224]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\Juan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-24 24576]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi4"=rddv1009.dll
"midi7"=rddv1009.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2010 4:22 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1314704]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [9/29/2008 7:24 PM 453120]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/6/2010 7:22 PM 1527900]
S3 RD1009;EDIROL UM-1 USB Driver;c:\windows\system32\drivers\rdwm1009.sys [1/18/2010 9:04 PM 43052]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:22]

2009-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Juan\Application Data\Mozilla\Firefox\Profiles\hjdpdte1.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 03:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\rddv1009.dll

- - - - - - - > 'explorer.exe'(2304)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-07 03:22:42
ComboFix-quarantined-files.txt 2010-06-07 08:22
ComboFix2.txt 2010-06-07 08:04

Pre-Run: 9,029,726,208 bytes free
Post-Run: 8,999,399,424 bytes free

- - End Of File - - A2002FDC36DDB2771F9C94901B5C55F3


#10 carlozofjuan

  • Topic Starter

  • Members
  • 15 posts

Posted 07 June 2010 - 08:34 AM

It's a miracle! In Firefox, Google redirect is gone and my homepage went back to the normal Firefox Google Start Page that it was before. Haven't checked IE or Safari (which I'll need to re-download). Am I cured? Thank you for your continued help!

#11 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,538 posts

Posted 07 June 2010 - 12:44 PM

We still need to check those drivers:

First verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

  1. Next, please download maxlook, saving the file to your desktop.
  2. Double click maxlook.exe to run it. Note - you must run it only once!
  3. Restart the computer and logon to the Recovery Console.
  4. Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):
  5. batch look.bat
  6. You will see 1 file copied many times then return to the x:\windows> prompt.
  7. Type Exit to restart your computer then logon in normal mode.
  8. Once in Windows, obtain an Internet Connection. This program must download a tool to check files' signatures.
  9. Then go to Start -> Run, copy and paste the following command in the run Box and Click OK
    "%Userprofile%\Desktop\maxlook.exe" -sig
  10. It will produce looklog.txt in the C:\ folder.
  11. Please post the results here.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 carlozofjuan

  • Topic Starter

  • Members
  • 15 posts

Posted 08 June 2010 - 01:35 AM

From looklog.txt

Run from C:\Documents and Settings\Juan\Desktop\maxlook.exe on Tue 06/08/2010 at  1:29:26.43

--------- maxlook unsigned files ---------

c:\windows\maxdriver\AegisP.sys:
    Verified:    Unsigned
    File date:    12:23 AM 4/25/2009
    Publisher:    Meetinghouse Data Communications
    Description:    IEEE 802.1X Protocol Driver
    Product:    AEGIS Client 3.6.0.0
    Version:    3.6.0.0
    File version:    3.6.0.0
c:\windows\maxdriver\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    Product:    Application Driver
    Version:    1, 0, 1, 1
    File version:    1, 0, 1, 1
c:\windows\maxdriver\asctrm.sys:
    Verified:    Unsigned
    File date:    10:07 AM 5/24/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\maxdriver\DLACDBHM.SYS:
    Verified:    Unsigned
    File date:    12:16 PM 8/25/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.20.01a
c:\windows\maxdriver\DLARTL_N.SYS:
    Verified:    Unsigned
    File date:    12:16 PM 8/25/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.20.01a
c:\windows\maxdriver\DRVMCDB.SYS:
    Verified:    Unsigned
    File date:    3:30 AM 9/12/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.30.04a
c:\windows\maxdriver\DRVNDDM.SYS:
    Verified:    Unsigned
    File date:    5:20 AM 8/12/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    5.20.00a
c:\windows\maxdriver\ElbyCDIO.sys:
    Verified:    Unsigned
    File date:    4:45 PM 7/21/2004
    Publisher:    Elaborate Bytes AG
    Description:    ElbyCD Windows NT/2000/XP I/O driver
    Product:    CDRTools
    Version:    4, 3, 1, 0
    File version:    4, 3, 1, 1
c:\windows\maxdriver\ElbyDelay.sys:
    Verified:    Unsigned
    File date:    5:13 PM 6/8/2004
    Publisher:    Elaborate Bytes AG
    Description:    Elby Delay Lower Filter Driver
    Product:    CDRTools
    Version:    5, 0, 0, 0
    File version:    5, 0, 0, 1
c:\windows\maxdriver\mhndrv.sys:
    Verified:    Unsigned
    File date:    3:45 AM 8/10/2004
    Publisher:    Microsoft Corporation
    Description:    Microsoft Multimedia Home Network (MHN) Support Driver
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.2180
    File version:    5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\maxdriver\pcouffin.sys:
    Verified:    Unsigned
    File date:    10:11 PM 2/3/2010
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\maxdriver\pxhelp20.sys:
    Verified:    Unsigned
    File date:    2:03 AM 4/25/2005
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    2.03.32a
c:\windows\maxdriver\rdwm1009.sys:
    Verified:    Unsigned
    File date:    6:59 AM 7/23/2001
    Publisher:    Roland Corporation
    Description:    
    Product:    
    Version:    1, 4, 0, 0
    File version:    1, 4, 0, 0
c:\windows\maxdriver\s24trans.sys:
    Verified:    Unsigned
    File date:    11:16 AM 2/21/2007
    Publisher:    Intel Corporation
    Description:    Intel WLAN Packet Driver
    Product:    Intel Wireless LAN Packet Driver
    Version:    11, 1, 0, 0
    File version:    11, 1, 0, 0
c:\windows\maxdriver\TVicPort.SYS:
    Verified:    Unsigned
    File date:    7:03 PM 5/20/1999
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\AegisP.sys:
    Verified:    Unsigned
    File date:    12:23 AM 4/25/2009
    Publisher:    Meetinghouse Data Communications
    Description:    IEEE 802.1X Protocol Driver
    Product:    AEGIS Client 3.6.0.0
    Version:    3.6.0.0
    File version:    3.6.0.0
c:\windows\system32\drivers\APPDRV.SYS:
    Verified:    Unsigned
    File date:    5:50 PM 8/12/2005
    Publisher:    Dell Inc
    Description:    App Support Driver
    Product:    Application Driver
    Version:    1, 0, 1, 1
    File version:    1, 0, 1, 1
c:\windows\system32\drivers\asctrm.sys:
    Verified:    Unsigned
    File date:    10:07 AM 5/24/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\system32\drivers\DLACDBHM.SYS:
    Verified:    Unsigned
    File date:    12:16 PM 8/25/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.20.01a
c:\windows\system32\drivers\DLARTL_N.SYS:
    Verified:    Unsigned
    File date:    12:16 PM 8/25/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.20.01a
c:\windows\system32\drivers\DRVMCDB.SYS:
    Verified:    Unsigned
    File date:    3:30 AM 9/12/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.30.04a
c:\windows\system32\drivers\DRVNDDM.SYS:
    Verified:    Unsigned
    File date:    5:20 AM 8/12/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    5.20.00a
c:\windows\system32\drivers\ElbyCDIO.sys:
    Verified:    Unsigned
    File date:    4:45 PM 7/21/2004
    Publisher:    Elaborate Bytes AG
    Description:    ElbyCD Windows NT/2000/XP I/O driver
    Product:    CDRTools
    Version:    4, 3, 1, 0
    File version:    4, 3, 1, 1
c:\windows\system32\drivers\ElbyDelay.sys:
    Verified:    Unsigned
    File date:    5:13 PM 6/8/2004
    Publisher:    Elaborate Bytes AG
    Description:    Elby Delay Lower Filter Driver
    Product:    CDRTools
    Version:    5, 0, 0, 0
    File version:    5, 0, 0, 1
c:\windows\system32\drivers\mhndrv.sys:
    Verified:    Unsigned
    File date:    3:45 AM 8/10/2004
    Publisher:    Microsoft Corporation
    Description:    Microsoft Multimedia Home Network (MHN) Support Driver
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.2180
    File version:    5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\system32\drivers\pcouffin.sys:
    Verified:    Unsigned
    File date:    10:11 PM 2/3/2010
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\system32\drivers\pxhelp20.sys:
    Verified:    Unsigned
    File date:    2:03 AM 4/25/2005
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    2.03.32a
c:\windows\system32\drivers\rdwm1009.sys:
    Verified:    Unsigned
    File date:    6:59 AM 7/23/2001
    Publisher:    Roland Corporation
    Description:    
    Product:    
    Version:    1, 4, 0, 0
    File version:    1, 4, 0, 0
c:\windows\system32\drivers\s24trans.sys:
    Verified:    Unsigned
    File date:    11:16 AM 2/21/2007
    Publisher:    Intel Corporation
    Description:    Intel WLAN Packet Driver
    Product:    Intel Wireless LAN Packet Driver
    Version:    11, 1, 0, 0
    File version:    11, 1, 0, 0
c:\windows\system32\drivers\TVicPort.SYS:
    Verified:    Unsigned
    File date:    7:03 PM 5/20/1999
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
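
The maxlook procedure in the post before this one produces the looklog.txt shown above; the check a reviewer makes on it is whether the two unsigned-file sections agree. The parser below is an added example, not code from the thread or from maxlook: it reads both sections and reports any driver listed in only one of them or whose fields differ. It assumes, from the Recovery Console copy step, that c:\windows\maxdriver holds the offline copies; the embedded sample follows the posted layout, and its example.sys and sample.sys entries are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the thread's or maxlook's own code: parse the looklog.txt
# layout posted above and compare its two "unsigned files" sections. Assumption:
# c:\windows\maxdriver holds the copies taken from the Recovery Console, so a
# name or field that differs between the sections is the thing to look at.
Section = Dict[str, Dict[str, str]]  # basename -> {field: value}

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")  # --------- name ---------
FILE_RE = re.compile(r"^(\S.*):\s*$")               # c:\...\driver.sys:
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")      #     Publisher:    value

# Constructed sample in the looklog.txt layout; example.sys and sample.sys are
# made up so that the comparison has something to report.
SAMPLE_LOG = r"""Run from C:\Documents and Settings\Juan\Desktop\maxlook.exe on Tue 06/08/2010 at  1:29:26.43

--------- maxlook unsigned files ---------

c:\windows\maxdriver\AegisP.sys:
    Verified:    Unsigned
    Publisher:    Meetinghouse Data Communications
    File version:    3.6.0.0
c:\windows\maxdriver\example.sys:
    Verified:    Unsigned
    Publisher:    n/a
    File version:    n/a
c:\windows\maxdriver\sample.sys:
    Verified:    Unsigned
    Publisher:    Example Corp
    File version:    1, 0, 0, 0

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\AegisP.sys:
    Verified:    Unsigned
    Publisher:    Meetinghouse Data Communications
    File version:    3.6.0.0
c:\windows\system32\drivers\sample.sys:
    Verified:    Unsigned
    Publisher:    Example Corp
    File version:    1, 0, 0, 1
"""

def parse_looklog(text: str) -> Dict[str, Section]:
    """Return {section name: {file basename (lowercased): {field: value}}}."""
    sections: Dict[str, Section] = {}
    current: Section = {}
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.group(1), {})
            entry = {}
        elif m := FILE_RE.match(line):
            # Key on the basename so the same driver lines up across sections.
            name = m.group(1).rsplit("\\", 1)[-1].lower()
            entry = current.setdefault(name, {"path": m.group(1)})
        elif (m := FIELD_RE.match(line)) and entry:
            entry[m.group(1).strip()] = m.group(2).strip()
    return sections

def compare_sections(sections: Dict[str, Section],
                     offline: str = "maxlook unsigned files",
                     live: str = "system32\\drivers unsigned files") -> List[Tuple[str, str]]:
    """Discrepancies as (basename, reason); an empty list means the views agree."""
    left, right = sections.get(offline, {}), sections.get(live, {})
    findings: List[Tuple[str, str]] = []
    for name in sorted(set(left) | set(right)):
        if name not in right:
            findings.append((name, f"listed only under '{offline}'"))
        elif name not in left:
            findings.append((name, f"listed only under '{live}'"))
        else:
            for field in sorted((set(left[name]) | set(right[name])) - {"path"}):
                lv, rv = left[name].get(field), right[name].get(field)
                if lv != rv:
                    findings.append((name, f"{field} differs: {lv!r} vs {rv!r}"))
    return findings
```

Run against the log posted above, `compare_sections(parse_looklog(open("looklog.txt").read()))` returns an empty list, which is what a log with both sections in agreement looks like.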



#13 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,538 posts

Posted 08 June 2010 - 02:37 AM

That log is clear. How is the computer doing?



#14 carlozofjuan

  • Topic Starter

  • Members
  • 15 posts

Posted 08 June 2010 - 02:58 PM

It's back to its good ole normal operation as far as I can tell. Though I'm afraid to speak too soon....

#15 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,538 posts

Posted 08 June 2010 - 06:33 PM

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.
Go to Start -> Run, copy and paste the following command in the run Box and Click OK

"%Userprofile%\Desktop\maxlook.exe" -cleanup

Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so
Upon restart, manually remove any remaining tools.

Manually remove any tool left.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  5. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!
