Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect issue, had some popups & now FF or IE crash


  • This topic is locked This topic is locked
48 replies to this topic

#1 Ryan79

Ryan79

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 09 July 2010 - 08:45 AM

First let me say, thank you in advance for your help. I wish I had come across this website sooner. I am not super knowledgeable when it comes to computers so I hope I provide you with enough info and/or have followed your instructions properly.

I believe I have followed all of your pre-posting instructions and have gotten "results" that I hope are useful to you/me. My problems started with the Google Redirect issue. Then a few weeks ago popups for some "sysinternal" started coming up all the time. I then started doing some looking as to how to fix these problems. I came across a site/google search that recommended running "rkill" to stop the popups. That actually worked. I then went back and ran Malware and maybe one other virus scanner and they both found things they hadn't previously found. The popups stopped after this.

I was still having the Google redirect problem though and through a Google search saw to run ComboFix (mistake). After finding this website yesterday I just shook my head when the first thing I read in this Virus forum was DO NOT RUN ComboFix!!! But what's done is done and if I have to reformat the hard drive then I guess that's what I get for going off some link and trying to be hasty with it. Anyway, I ran ComboFix but after ~1hr of running (the little blue screen) it seemed to have locked up. I honestly don't remember if I canceled CF via the Task Manager or if the computer just locked and I shut it off. But when I turned the computer back on both FireFox(FF) and Internet Explorer(IE) would both crash immediately. Everything else still seems to work OK but I may just not have found those problems yet. This was probably around a week ago.

Since then I've tried "going back" using the System Restore method but it tries for a bit and then tells me that process can not be completed. A friend suggested I try running in Safe Mode and see if FF or IE ran OK then. I tried that yesterday and to my surprise they both do run OK in Safe Mode. Also to my surprise the Google redirect issue seems to be gone (I don't know if that is a function of something ComboFix did or just of running in Safe Mode).

So that is where it stands now. I ran all of your scans/etc last night and will post/attach them below. I did not have time to write all of this up last night so I am posting this from work today. I don't figure that matters but just in case someone responds this afternoon I won't have the opportunity to try and fix the problem until later on this evening. Again, thanks in advance for whatever help/advice you may have.

Sincerely,
Ryan





DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Ryan at 21:59:16.78 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.675 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Ryan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.modularfords.com/forums/
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{9A4B132E-2F32-B049-C7D5-922DB0FC642D}] "c:\documents and settings\ryan\application data\vuun\qyefa.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\ryan\startm~1\programs\startup\vcastm~1.lnk - c:\program files\v cast media manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160884547045
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} - hxxp://video.vividas.com/CDN1/5029_paramount/en/web/player/vivid_ocx.jpeg
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryan\applic~1\mozilla\firefox\profiles\811or135.default\
FF - plugin: c:\documents and settings\ryan\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\divx\divx content uploader\npUpload.dll
FF - plugin: d:\divx\divx web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S1 14i313T;14i313T;c:\windows\system32\drivers\14i313T.sys [2001-8-23 295168]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-07-09 01:57:05 0 ----a-w- c:\documents and settings\ryan\defogger_reenable
2010-07-07 01:26:48 0 dc-h--w- c:\windows\ie8
2010-07-06 00:15:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-05 22:45:30 0 d-sha-r- C:\cmdcons
2010-07-05 22:39:40 98816 ----a-w- c:\windows\sed.exe
2010-07-05 22:39:40 77312 ----a-w- c:\windows\MBR.exe
2010-07-05 22:39:40 256512 ----a-w- c:\windows\PEV.exe
2010-07-05 22:39:40 161792 ----a-w- c:\windows\SWREG.exe
2010-07-05 22:38:58 0 d-s---w- C:\ComboFix
2010-07-03 21:54:15 0 d-----w- c:\windows\system32\msapps
2010-07-03 21:51:26 47616 ----a-w- c:\windows\system32\bootetup.dll
2010-07-03 21:51:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-01 01:15:43 54156 ---ha-w- c:\windows\QTFont.qfn
2010-07-01 01:15:43 1409 ----a-w- c:\windows\QTFont.for
2010-07-01 01:13:58 0 d-----w- c:\docume~1\ryan\applic~1\Smith Micro
2010-07-01 01:12:20 0 d-----w- c:\program files\common files\Motorola Shared
2010-07-01 01:12:14 61440 ----a-w- c:\windows\system32\pthswmcp.dll
2010-07-01 01:12:12 0 d-----w- c:\program files\PANTECH
2010-07-01 01:11:56 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-07-01 01:11:56 0 d-----w- c:\program files\common files\VerizonWireless
2010-07-01 01:11:52 0 d-----w- c:\program files\common files\DGSETUP
2010-07-01 01:10:55 0 d-----w- c:\program files\LG Electronics
2010-07-01 01:10:41 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-07-01 01:10:41 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-07-01 01:10:41 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-07-01 01:10:41 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-07-01 01:10:41 86824 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2010-07-01 01:10:41 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-07-01 01:10:41 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-07-01 01:10:41 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-07-01 01:10:38 0 d-----w- c:\program files\Samsung
2010-07-01 01:10:01 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-07-01 01:09:48 0 d-----w- c:\program files\Research In Motion
2010-07-01 01:09:48 0 d-----w- c:\program files\common files\Research In Motion
2010-07-01 01:09:20 0 d-----w- c:\program files\Xiph.Org
2010-07-01 01:09:05 0 d-----w- c:\program files\V CAST Media Manager
2010-07-01 01:09:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2010-06-28 01:14:19 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-06-28 01:14:18 0 d-----w- c:\program files\McAfee Security Scan
2010-06-10 17:35:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-06-08 20:06:58 510716 ------w- c:\windows\fonts\segoeui.ttf
2010-06-08 20:06:58 491512 ------w- c:\windows\fonts\segoeuib.ttf
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-09-11 21:37:04 5778200 ----a-w- c:\program files\MSM14USA.dll
2006-09-11 21:37:01 4586264 ----a-w- c:\program files\Streets.exe
2006-09-11 21:36:55 1174296 ----a-w- c:\program files\Mobb200.dll
2006-09-11 21:36:52 1067792 ----a-w- c:\program files\mfc71.dll
2006-09-11 21:36:51 609048 ----a-w- c:\program files\2DMgr100.dll
2006-09-11 21:36:43 154392 ----a-w- c:\program files\GPrn100.dll
2006-09-11 21:36:40 506648 ----a-w- c:\program files\msvcp71.dll
2006-09-11 21:36:38 355096 ----a-w- c:\program files\msvcr71.dll
2006-09-11 21:36:27 92952 ----a-w- c:\program files\BUGREP10.dll
2006-09-11 21:36:13 37136 ----a-w- c:\program files\BR90.dll
2006-09-11 21:36:01 24856 ----a-w- c:\program files\MapExt14.dll
2006-08-29 22:30:24 9625 ----a-w- c:\program files\readme.htm
2006-08-19 00:19:29 490433 ----a-w- c:\program files\Streets.chm
2002-05-16 20:31:47 152992 ----a-w- c:\program files\dw.exe
2009-01-17 18:55:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011720090118\index.dat

============= FINISH: 22:00:37.59 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 12 July 2010 - 01:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 12 July 2010 - 08:03 PM

I am still having the issue of FF and IE both immediately crashing when trying to run them not in Safe Mode. I don't seem to have the Google Redirect issue any more but I don't know if that is a function of ComboFix getting it or running in Safe Mode.

I attached a DDS and GMER log to my first post. If you need me to do so again let me know but the computer in question has been off since I posted the problem.

Thank you again for your assistance.

Sincerely,
Ryan

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 14 July 2010 - 02:03 PM

Hello, Ryan79
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.






Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 14 July 2010 - 08:35 PM

First of all, thanks for your help Tom. Second, I want to know if it makes a difference if I did all of what you requested in the above post in Safe Mode? I will post all the results you ask for but if I need to try and rerun them NOT in Safe Mode then let me know. Part of my problem is I can't seem to run FireFox or Internet Explorer when I am not in SM so it is easier for me to follow all of your instructions while having access to this web page.

Here are the results of my TDSSKiller.txt file:

21:19:37:437 0740 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
21:19:37:437 0740 ================================================================================
21:19:37:437 0740 SystemInfo:

21:19:37:437 0740 OS Version: 5.1.2600 ServicePack: 3.0
21:19:37:437 0740 Product type: Workstation
21:19:37:437 0740 ComputerName: DESKTOP
21:19:37:437 0740 UserName: Ryan
21:19:37:437 0740 Windows directory: C:\WINDOWS
21:19:37:437 0740 System windows directory: C:\WINDOWS
21:19:37:437 0740 Processor architecture: Intel x86
21:19:37:437 0740 Number of processors: 2
21:19:37:437 0740 Page size: 0x1000
21:19:37:437 0740 Boot type: Safe boot with network
21:19:37:437 0740 ================================================================================
21:19:37:796 0740 Initialize success
21:19:37:796 0740
21:19:37:796 0740 Scanning Services ...
21:19:38:890 0740 Raw services enum returned 334 services
21:19:38:906 0740
21:19:38:906 0740 Scanning Drivers ...
21:19:39:421 0740 14i313T (3cf64c74b24cc396a0327ab5d49cd91f) C:\WINDOWS\system32\drivers\14i313T.sys
21:19:39:484 0740 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:19:39:531 0740 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:19:39:578 0740 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:19:39:609 0740 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
21:19:39:625 0740 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:19:39:687 0740 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
21:19:39:750 0740 ALCXWDM (69cbb79ccccb7ab08f5e00109e9703bd) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
21:19:39:812 0740 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:19:39:859 0740 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:19:39:890 0740 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:19:39:968 0740 ati2mtag (956c7ec3a9de96f785b829beb41e3c3e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:19:40:031 0740 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:19:40:046 0740 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:19:40:078 0740 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:19:40:187 0740 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:19:40:218 0740 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:19:40:250 0740 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:19:40:265 0740 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:19:40:312 0740 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
21:19:40:343 0740 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:19:40:406 0740 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:19:40:453 0740 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:19:40:468 0740 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:19:40:500 0740 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:19:40:531 0740 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:19:40:578 0740 E1000 (89f28d9e011fd90dec6c0ece52c171bc) C:\WINDOWS\system32\DRIVERS\e1000325.sys
21:19:40:609 0740 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
21:19:40:640 0740 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
21:19:40:671 0740 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:19:40:703 0740 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:19:40:718 0740 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:19:40:734 0740 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:19:40:750 0740 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:19:40:765 0740 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:19:40:765 0740 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:19:40:796 0740 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
21:19:40:812 0740 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:19:40:828 0740 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:19:40:875 0740 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:19:40:953 0740 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:19:40:984 0740 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:19:41:015 0740 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:19:41:046 0740 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:19:41:078 0740 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:19:41:109 0740 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:19:41:140 0740 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:19:41:156 0740 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:19:41:187 0740 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:19:41:203 0740 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:19:41:218 0740 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:19:41:250 0740 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
21:19:41:281 0740 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:19:41:312 0740 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:19:41:343 0740 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:19:41:359 0740 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:19:41:375 0740 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:19:41:421 0740 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:19:41:437 0740 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:19:41:468 0740 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:19:41:515 0740 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:19:41:546 0740 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:19:41:562 0740 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:19:41:578 0740 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:19:41:593 0740 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:19:41:640 0740 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:19:41:656 0740 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
21:19:41:703 0740 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:19:41:718 0740 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:19:41:734 0740 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:19:41:750 0740 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:19:41:765 0740 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
21:19:41:781 0740 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:19:41:812 0740 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:19:41:843 0740 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:19:41:843 0740 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:19:41:890 0740 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:19:41:937 0740 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:19:41:953 0740 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:19:41:968 0740 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:19:41:984 0740 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:19:42:000 0740 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:19:42:015 0740 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:19:42:031 0740 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:19:42:046 0740 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:19:42:062 0740 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:19:42:093 0740 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:19:42:171 0740 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:19:42:187 0740 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:19:42:203 0740 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:19:42:234 0740 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:19:42:250 0740 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:19:42:296 0740 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:19:42:312 0740 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:19:42:328 0740 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:19:42:343 0740 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:19:42:359 0740 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:19:42:375 0740 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:19:42:421 0740 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:19:42:453 0740 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
21:19:42:500 0740 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:19:42:515 0740 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
21:19:42:546 0740 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
21:19:42:562 0740 SbcpHid (30d94039a729571146eb9d736ec1aadd) C:\WINDOWS\system32\Drivers\SbcpHid.sys
21:19:42:593 0740 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:19:42:625 0740 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:19:42:640 0740 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:19:42:656 0740 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
21:19:42:703 0740 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:19:42:718 0740 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
21:19:42:812 0740 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:19:42:859 0740 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:19:42:890 0740 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
21:19:42:921 0740 sscdbus (d6870895fe46a464a19141440eb6cc1e) C:\WINDOWS\system32\DRIVERS\sscdbus.sys
21:19:42:953 0740 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
21:19:42:984 0740 sscdmdm (55a15707e32b6709242ad127e62ca55a) C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
21:19:43:031 0740 sscdserd (9fa66e361a99f8920c7609bae6814a0e) C:\WINDOWS\system32\DRIVERS\sscdserd.sys
21:19:43:062 0740 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:19:43:093 0740 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:19:43:156 0740 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:19:43:203 0740 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:19:43:250 0740 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:19:43:265 0740 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:19:43:281 0740 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:19:43:328 0740 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:19:43:390 0740 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:19:43:437 0740 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:19:43:468 0740 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:19:43:515 0740 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:19:43:562 0740 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:19:43:593 0740 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:19:43:625 0740 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:19:43:640 0740 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:19:43:687 0740 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:19:43:703 0740 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:19:43:734 0740 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:19:43:781 0740 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:19:43:828 0740 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
21:19:43:859 0740 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:19:43:875 0740 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:19:43:906 0740 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:19:43:921 0740 yukonwxp (a8d429e2268792638cffc57552c5e736) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
21:19:43:968 0740 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys
21:19:43:968 0740
21:19:43:968 0740 Completed
21:19:43:968 0740
21:19:43:968 0740 Results:
21:19:43:968 0740 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:19:43:968 0740 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:19:43:968 0740
21:19:44:031 0740 KLMD(ARK) unloaded successfully



I just ran the renamed ComboFix.exe file and a small blue "timeline" bar appeared in the upper right corner of my screen. After that bar reached the end nothing else happened. I was not prompted for anything else, I did receive any pop-up windows and no text file was created (that I am aware of anyway). I do not believe I have any anti-virus or malware software currently running. Is the possible problem that I am running in Safe Mode?

Thanks again for any advice,
Ryan

#6 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 15 July 2010 - 08:01 AM

Tom,

I reran ComboFix NOT in Safe Mode last night. It seemed to finish all of its "tasks" except when it got the screen where it said "preparing log" it just seemed to hang up. I let it run all night long but when I checked it this morning the same screen was still there and no log had been created.

Thanks again,
Ryan

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 16 July 2010 - 02:27 PM

Hi,

  1. Please download MBR.exe and save it to your windows directory (usually C:\windows).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    cmd /c mbr.exe -t >log.txt&start log.txt
  3. Press enter.
  4. An mbr.log should open. Please post its contents in your next reply.






Download MBRCheck.exe to your desktop
XP users > double click on MBRCheck.exe to run it
Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad or wordpad and paste the data in (press Control+V)

Post the results in your reply





  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 16 July 2010 - 03:16 PM

Tom,

Just in case this changes your recommendation any I wanted to let you know that I tried opening Firefox last night NOT in Safe Mode and it didn't crash! smile.gif So while ComboFix didn't "finish," or print a log anyway, it seems to have corrected something. I will probably wait to hear back from you before running the MBR.exe in case that bit of info makes you advise something different.

Thanks again,
Ryan

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 18 July 2010 - 11:37 AM

Thanks for letting me know smile.gif.

But please follow the steps above smile.gif.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 18 July 2010 - 07:43 PM

MBR Results:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK



MBR Check Results:

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\G: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected


Done! Press ENTER to exit...


OTL Results:

OTL logfile created on: 7/18/2010 8:34:49 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Ryan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 584.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 46.57 Gb Total Space | 27.53 Gb Free Space | 59.11% Space Free | Partition Type: NTFS
Drive D: | 46.57 Gb Total Space | 44.16 Gb Free Space | 94.83% Space Free | Partition Type: NTFS
Drive E: | 46.57 Gb Total Space | 30.06 Gb Free Space | 64.56% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 93.18 Gb Total Space | 59.49 Gb Free Space | 63.85% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Ryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/18 20:33:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ryan\Desktop\OTL.exe
PRC - [2010/06/26 04:41:17 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/06/26 04:41:08 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneNss.exe
PRC - [2010/01/07 15:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 04:27:03 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/09 11:09:58 | 000,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/02/26 12:53:30 | 000,065,024 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/07/18 20:33:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ryan\Desktop\OTL.exe
MOD - [2010/06/26 04:41:12 | 000,169,432 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\nspr4.dll
MOD - [2010/06/26 04:41:11 | 000,718,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\mozcrt19.dll
MOD - [2008/04/13 20:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008/04/13 20:11:55 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\msapps\comsrvr.exe -- (COMServer)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Ryan\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/30 21:08:27 | 000,106,792 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2010/06/30 21:08:27 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG Mobile Modem Diagnostic Serial Port (WDM)
DRV - [2010/06/30 21:08:27 | 000,080,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2010/06/30 21:08:27 | 000,011,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2010/01/07 15:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/13 15:15:53 | 000,295,168 | ---- | M] (Creative Technology Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\14i313T.sys -- (14i313T)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/12/11 23:40:43 | 001,414,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/19 10:21:00 | 000,189,568 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2004/02/26 20:50:38 | 000,611,820 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/02/24 07:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2001/08/23 15:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 08:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 08:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 08:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 08:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.modularfords.com/forums/
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/08 21:29:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/08 21:33:22 | 000,000,000 | ---D | M]

[2010/07/08 21:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Mozilla\Extensions
[2010/07/18 13:32:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\811or135.default\extensions
[2010/07/08 21:29:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\811or135.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/08 21:34:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/14 21:57:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [{9A4B132E-2F32-B049-C7D5-922DB0FC642D}] C:\Documents and Settings\Ryan\Application Data\Vuun\qyefa.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\V CAST Media Monitor.lnk = C:\Program Files\V CAST Media Manager\MEMonitor.exe (Smith Micro, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1160884547045 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} http://video.vividas.com/CDN1/5029_paramou.../vivid_ocx.jpeg (VPlayer Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/15 02:24:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/18 20:33:35 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ryan\Desktop\OTL.exe
[2010/07/14 21:56:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/14 21:40:40 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/07/14 21:16:59 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Ryan\Desktop\TDSSKiller.exe
[2010/07/08 21:02:06 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/07/07 03:08:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/06 21:26:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/07/06 03:24:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ryan\Local Settings\Application Data\PCHealth
[2010/07/05 18:45:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/05 18:39:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/05 18:39:40 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/05 18:39:40 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/05 18:39:40 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/05 18:39:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/05 18:38:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/04 09:21:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/03 17:54:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\msapps
[2010/07/01 07:59:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/30 21:13:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ryan\Application Data\Smith Micro
[2010/06/30 21:12:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motorola Shared
[2010/06/30 21:12:14 | 000,061,440 | ---- | C] (DEVGURU) -- C:\WINDOWS\System32\pthswmcp.dll
[2010/06/30 21:12:12 | 000,000,000 | ---D | C] -- C:\Program Files\PANTECH
[2010/06/30 21:11:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VerizonWireless
[2010/06/30 21:11:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DGSETUP
[2010/06/30 21:10:55 | 000,000,000 | ---D | C] -- C:\Program Files\LG Electronics
[2010/06/30 21:10:41 | 000,106,792 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdm.sys
[2010/06/30 21:10:41 | 000,086,824 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdserd.sys
[2010/06/30 21:10:41 | 000,080,552 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdbus.sys
[2010/06/30 21:10:41 | 000,011,944 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdfl.sys
[2010/06/30 21:10:41 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwhnt.sys
[2010/06/30 21:10:41 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwh.sys
[2010/06/30 21:10:41 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcmnt.sys
[2010/06/30 21:10:41 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcm.sys
[2010/06/30 21:10:38 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2010/06/30 21:09:48 | 000,000,000 | ---D | C] -- C:\Program Files\Research In Motion
[2010/06/30 21:09:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research In Motion
[2010/06/30 21:09:20 | 000,000,000 | ---D | C] -- C:\Program Files\Xiph.Org
[2010/06/30 21:09:05 | 000,000,000 | ---D | C] -- C:\Program Files\V CAST Media Manager
[2010/06/30 21:09:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2010/06/29 21:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2010/06/27 21:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2010/06/27 21:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/06/27 21:14:18 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/06/27 13:48:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/06/27 13:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/06/24 15:29:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Identities
[2010/06/24 15:29:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Identities
[2010/06/06 13:22:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/06 13:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/01 22:47:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/01 22:47:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/18 20:47:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/05/18 20:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/05/18 20:46:54 | 000,000,000 | ---D | C] -- C:\Program Files\AIM7
[2008/12/11 22:50:48 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/18 20:33:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ryan\Desktop\OTL.exe
[2010/07/18 20:30:37 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Ryan\Desktop\MBRCheck.exe
[2010/07/18 20:27:53 | 000,077,312 | ---- | M] () -- C:\WINDOWS\mbr.exe
[2010/07/18 20:19:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/18 20:19:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/18 20:19:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 14:54:51 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Ryan\NTUSER.DAT
[2010/07/17 14:54:51 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ryan\ntuser.ini
[2010/07/15 22:43:16 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/14 21:57:34 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/14 21:57:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/14 21:26:01 | 003,739,209 | R--- | M] () -- C:\Documents and Settings\Ryan\Desktop\schrauber.exe
[2010/07/14 21:15:50 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\Ryan\Desktop\tdsskiller.zip
[2010/07/12 18:34:55 | 000,002,481 | ---- | M] () -- C:\Documents and Settings\Ryan\Desktop\Microsoft Excel.lnk
[2010/07/10 15:09:38 | 001,568,656 | -H-- | M] () -- C:\Documents and Settings\Ryan\Local Settings\Application Data\IconCache.db
[2010/07/08 21:57:05 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ryan\defogger_reenable
[2010/07/08 13:20:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/07 21:13:08 | 000,001,626 | ---- | M] () -- C:\Documents and Settings\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/07 21:13:08 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/07/07 03:10:51 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/07 03:08:57 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/07 03:08:57 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/07 03:08:57 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/06 21:31:10 | 000,000,821 | ---- | M] () -- C:\Documents and Settings\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/06 03:20:38 | 000,125,320 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/05 18:45:36 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/05 16:55:22 | 000,025,083 | ---- | M] () -- C:\Documents and Settings\Ryan\Desktop\bookmarks-2010-07-05.json
[2010/07/03 21:02:37 | 000,047,616 | ---- | M] () -- C:\WINDOWS\System32\bootetup.dll
[2010/07/03 17:52:09 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/03 17:51:20 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/30 21:15:43 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/06/30 21:15:43 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/06/30 21:14:00 | 000,020,800 | ---- | M] () -- C:\Documents and Settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/30 21:13:59 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
[2010/06/30 21:09:26 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\V CAST Media Manager.lnk
[2010/06/30 21:08:27 | 000,106,792 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdm.sys
[2010/06/30 21:08:27 | 000,086,824 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdserd.sys
[2010/06/30 21:08:27 | 000,080,552 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdbus.sys
[2010/06/30 21:08:27 | 000,011,944 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdfl.sys
[2010/06/30 21:08:27 | 000,009,256 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwhnt.sys
[2010/06/30 21:08:27 | 000,009,256 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwh.sys
[2010/06/30 21:08:27 | 000,009,256 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcmnt.sys
[2010/06/30 21:08:27 | 000,009,256 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcm.sys
[2010/06/30 17:25:08 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Ryan\Desktop\TDSSKiller.exe
[2010/06/29 21:28:00 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2010/06/29 21:28:00 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/06/22 21:35:40 | 000,138,240 | ---- | M] () -- C:\Documents and Settings\Ryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 20:47:06 | 000,002,655 | -H-- | M] () -- C:\IPH.PH
[2010/05/18 20:47:02 | 000,001,609 | ---- | M] () -- C:\Documents and Settings\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2010/05/18 20:47:01 | 000,001,591 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/18 20:30:42 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Ryan\Desktop\MBRCheck.exe
[2010/07/18 20:29:50 | 000,000,289 | ---- | C] () -- C:\Documents and Settings\Ryan\mbr.log
[2010/07/18 20:29:50 | 000,000,289 | ---- | C] () -- C:\Documents and Settings\Ryan\log.txt
[2010/07/14 21:25:58 | 003,739,209 | R--- | C] () -- C:\Documents and Settings\Ryan\Desktop\schrauber.exe
[2010/07/14 21:15:50 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\Ryan\Desktop\tdsskiller.zip
[2010/07/08 21:57:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ryan\defogger_reenable
[2010/07/07 21:13:08 | 000,001,626 | ---- | C] () -- C:\Documents and Settings\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/07 21:13:08 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/07/07 20:58:39 | 000,025,083 | ---- | C] () -- C:\Documents and Settings\Ryan\Desktop\bookmarks-2010-07-05.json
[2010/07/05 18:45:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/05 18:45:32 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/05 18:39:40 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/05 18:39:40 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/05 18:39:40 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/05 18:39:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\mbr.exe
[2010/07/05 18:39:40 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/03 17:51:26 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\bootetup.dll
[2010/07/03 17:51:20 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/30 21:15:43 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/06/30 21:15:43 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/06/30 21:13:59 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
[2010/06/30 21:09:26 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\V CAST Media Manager.lnk
[2010/06/27 21:14:18 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2010/06/27 21:14:18 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/06/10 13:35:55 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/18 20:47:01 | 000,001,591 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2009/07/07 21:52:14 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/12/11 22:50:48 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2008/04/06 22:28:06 | 000,152,624 | ---- | C] () -- C:\WINDOWS\System32\WIN2PDFS.DLL
[2008/04/06 22:28:06 | 000,021,552 | ---- | C] () -- C:\WINDOWS\System32\WIN2PDFM.DLL
[2008/04/06 22:28:06 | 000,000,981 | ---- | C] () -- C:\WINDOWS\1way.ini
[2007/08/13 12:20:20 | 002,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/08/13 12:20:20 | 000,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/08/13 12:20:20 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/08/13 12:20:20 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/08/13 12:20:19 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\cdga.dll
[2007/02/15 23:34:12 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/02/05 20:52:40 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/05 20:52:26 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/12/27 18:55:48 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/15 02:33:09 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2006/10/15 02:31:42 | 000,003,223 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/10/15 02:31:41 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/10/14 23:50:19 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/10/14 23:50:19 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/10/14 23:40:31 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/10/14 15:44:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2001/08/23 15:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

========== LOP Check ==========

[2008/11/22 11:52:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2010/05/18 20:47:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2008/11/22 11:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM Toolbar
[2009/02/17 21:59:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/02/17 19:03:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2010/06/30 21:09:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2010/02/09 22:02:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2009/06/29 21:41:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/04/13 20:35:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2006/12/27 18:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\acccore
[2006/10/15 17:50:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Aim
[2010/02/22 20:47:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Facebook
[2008/12/27 19:30:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\GARMIN
[2008/04/23 21:14:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Leadertech
[2010/07/14 21:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Nauf
[2007/08/20 20:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\NCH Swift Sound
[2007/07/09 18:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Netscape
[2009/07/07 21:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\pdf995
[2007/07/16 21:52:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\RecordPad
[2010/06/30 21:13:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Smith Micro
[2006/10/29 22:03:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Snapfish
[2010/02/17 19:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\TaxCut
[2007/06/23 21:22:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/10/14 15:30:03 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/17 10:40:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2006/10/14 15:30:03 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/01/17 10:40:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\Qoobox\32788R22FWJFW\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 16:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2006/10/14 15:30:03 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/17 10:40:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2006/10/14 15:30:03 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/01/17 10:40:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2001/08/17 16:51:56 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2001/08/17 16:51:56 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2008/04/13 15:15:53 | 000,295,168 | ---- | M] (Creative Technology Ltd.) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\14i313T.sys

< %systemroot%\System32\config\*.sav >
[2006/10/14 19:13:43 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/10/14 19:13:43 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/10/14 19:13:43 | 000,417,792 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemdrive%\*.sys /90 /md5 >
[2010/07/18 20:19:45 | 1610,612,736 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys
[3 C:\*.tmp files -> C:\*.tmp -> ]
< End of report >



Extras Results:

OTL Extras logfile created on: 7/18/2010 8:34:49 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Ryan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 584.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 46.57 Gb Total Space | 27.53 Gb Free Space | 59.11% Space Free | Partition Type: NTFS
Drive D: | 46.57 Gb Total Space | 44.16 Gb Free Space | 94.83% Space Free | Partition Type: NTFS
Drive E: | 46.57 Gb Total Space | 30.06 Gb Free Space | 64.56% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 93.18 Gb Total Space | 59.49 Gb Free Space | 63.85% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Ryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service
"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service
"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\AIM7\aim.exe" = C:\Program Files\AIM7\aim.exe:*:Enabled:AIM -- (AOL Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{08DEC21F-F7E5-46F9-81D1-3ED30BD3AEC9}" = CASIO USB Driver V1.2.2474.0623
"{1AC0D592-7F2C-4BBF-B823-EEECD74F097B}" = TaxCut North Carolina 2007
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{4AFE8B2D-79BD-48C0-B9DF-79A92DB918E2}" = TaxCut North Carolina 2008
"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
"{5D51C5DC-3604-4C3B-981B-309340755447}" = Pantech Handset Driver
"{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{86B32074-0F48-4CF9-BA4B-529B470FB47F}" = BlackBerry Desktop Software 5.0
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}" = DeductionPro 2007
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A34D0A4C-4E3E-46F2-9495-D1AEAF7397CE}" = H&R Block North Carolina 2009
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}" = Microsoft Streets & Trips 2007
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}" = TaxCut Premium + State + Efile 2007
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E7269FD6-34EA-4617-8752-6739AA384080}" = V CAST Media Manager
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}" = QuickTime
"{F6970FBD-809A-4C51-BAB3-D94A04C6C8E7}" = Garmin Communicator Plugin
"{FB068BA4-C6EA-4D47-A491-C40E23E77F89}" = Motorola Driver Installation 3.9.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FDF64A37-4842-48CD-A424-2C38444D36FD}" = LG Android Drivers
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"AIM Toolbar" = AIM Toolbar
"AIM_7" = AIM 7
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"BlackBerry_{86B32074-0F48-4CF9-BA4B-529B470FB47F}" = BlackBerry Desktop Software 5.0
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CSCLIB" = Canon Camera Support Core Library
"Cucusoft DVD to Zune + Zune Video Converter Suite_is1" = Cucusoft DVD to Zune + Zune Video Converter Suite 5.17.5.5
"DeductionPro 2006" = DeductionPro 2006
"DTCLookup" = DTCLookup
"EOS Utility" = Canon Utilities EOS Utility
"ExpressBurn" = Express Burn
"getPlus®_ocx" = getPlus®_ocx
"Guitar Pro 5_is1" = Guitar Pro 5.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Ogg Codecs" = Ogg Codecs 0.81.15562
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Adapters and Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Streamripper.Plugin" = Streamripper Plugin 1.62.2 (Remove only)
"Switch" = Switch Sound File Converter
"TaxCut Premium 2006" = TaxCut Premium 2006
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Win2PDF_is1" = Win2PDF 3.30
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPEP 7" = WinPEP 7
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/18/2010 1:44:56 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2010 1:44:59 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1934462083.

Error - 7/18/2010 1:51:48 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2010 1:51:51 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1934462083.

Error - 7/18/2010 2:02:20 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2010 2:02:23 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1934462083.

Error - 7/18/2010 2:04:03 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2010 2:04:05 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1934462083.

Error - 7/18/2010 8:25:49 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2010 8:25:51 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1934462083.

[ System Events ]
Error - 7/18/2010 6:21:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 6:33:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 6:45:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 6:57:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 7:09:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 7:21:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 7:33:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 7:45:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 7:57:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/18/2010 8:09:50 PM | Computer Name = DESKTOP | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.


< End of report >


Much thanks again Tom.

Sincerely,
Ryan

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 20 July 2010 - 11:40 AM

Hi,

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.





Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")




How is it running now?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#12 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 20 July 2010 - 12:30 PM

Tom,

I will make those changes when I get home today.

Currently the computer seems to run OK. FireFox seems to be crashing much more frequently than before, especially on message forums like this one and on email accounts (particularly when submitting new posts or emails). Maybe that is a hardware issue but it never crashed with such frequency before.

Thanks again,
Ryan

#13 Ryan79

Ryan79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 20 July 2010 - 08:43 PM

Alrighty,

Viewpoint is all erased and the most recent version of Java is installed. Tonight though FF seems to crash EVERY time I try and send an email.

Thanks again,
Ryan

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 23 July 2010 - 01:43 PM

You mean Firefox? Please uninstall and reinstall it, also please pst back with a fresh OTL logfile.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:52 PM

Posted 25 July 2010 - 01:55 AM

Any problems? smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users