
Antimalware Doctor Hidden Rootkit Causing Site Redirection+Random Tabs


47 replies to this topic

#1 Fennec

Fennec

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 05 August 2010 - 08:22 PM

Hi,

A few days ago my computer got infected with an Antimalware Doctor infection. I ran Spybot S&D and Malwarebytes, which seem to have removed most of my problems. However, while I am browsing, Google redirects me to ad pages, or random tabs pop up in Firefox with ads or reported attack pages. Not even Hitman Pro 3.5 was able to get rid of it, though it did warn me about a hidden rootkit on my system.

The following is my DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christian at 18:35:18.93 on Thu 08/05/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2075 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Christian\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
uRun: [AeroSnap] c:\program files\aerosnap\AeroSnap.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Thunderbird] "c:\program files\mozilla thunderbird\thunderbird" -turbo
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\christ~1\appdata\roaming\mozilla\firefox\profiles\v862mytj.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\users\christian\appdata\roaming\mozilla\firefox\profiles\v862mytj.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\christian\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [2010-3-2 22016]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2009-5-10 15360]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-10-30 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-10-30 41424]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-10-7 103568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-23 21504]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-8-5 16968]
S3 L;L;c:\users\christ~1\appdata\local\temp\l.exe --> c:\users\christ~1\appdata\local\temp\L.exe [?]
S3 LHQR;LHQR;c:\users\christ~1\appdata\local\temp\lhqr.exe --> c:\users\christ~1\appdata\local\temp\LHQR.exe [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 QNVVMWRSYEJIXEJW;QNVVMWRSYEJIXEJW;c:\users\christ~1\appdata\local\temp\qnvvmwrsyejixejw.exe --> c:\users\christ~1\appdata\local\temp\QNVVMWRSYEJIXEJW.exe [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-10-7 94992]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-2-13 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-2-13 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-2-13 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-2-13 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-2-13 25704]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-6-7 240232]

=============== Created Last 30 ================

2010-08-06 04:16:03 98816 ----a-w- c:\windows\sed.exe
2010-08-06 04:16:03 77312 ----a-w- c:\windows\MBR.exe
2010-08-06 04:16:03 256512 ----a-w- c:\windows\PEV.exe
2010-08-06 04:16:03 161792 ----a-w- c:\windows\SWREG.exe
2010-08-06 04:05:56 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 04:04:40 0 d-----w- c:\programdata\Hitman Pro
2010-08-06 04:04:25 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 00:29:23 0 d-sh--w- C:\$RECYCLE.BIN
2010-08-05 23:47:45 0 ----a-w- c:\users\christian\defogger_reenable
2010-08-05 23:32:11 0 ----a-w- c:\windows\system32\CMYRHCKQY
2010-08-05 23:18:55 0 d-----w- c:\program files\Tizer™ Rootkit Razor
2010-08-05 23:09:05 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-05 23:00:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-05 03:17:19 0 d-----w- c:\program files\AVG
2010-08-05 02:50:34 266460760 ----a-w- c:\windows\MEMORY.DMP
2010-08-05 02:48:23 0 d-----w- c:\program files\Softwin
2010-08-05 01:55:45 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-04 01:24:54 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-04 01:24:54 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-04 00:36:38 0 d-----w- c:\programdata\RegCure
2010-07-30 02:09:52 0 d-----w- c:\program files\BBSAK
2010-07-29 23:03:13 0 d-----w- c:\program files\RocketDock
2010-07-29 22:57:05 0 d-----w- c:\users\christ~1\appdata\roaming\Doomi.809F847005C7832B69625A614BB25CA209244440.1
2010-07-29 22:56:56 0 d-----w- c:\program files\Doomi
2010-07-29 19:08:39 0 d-----w- c:\programdata\Alwil Software
2010-07-29 18:40:56 0 d-----w- c:\program files\Conduit
2010-07-29 18:40:42 0 d-----w- c:\program files\Freecorder
2010-07-29 18:25:27 0 d-----w- c:\windows\Freecorder
2010-07-29 18:12:22 0 d-----w- c:\program files\iPod
2010-07-28 23:14:49 0 d-----w- c:\users\christ~1\appdata\roaming\JGsoft
2010-07-28 23:14:31 66800 ----a-w- c:\windows\UnDeployV.exe
2010-07-20 03:03:38 150 ----a-w- C:\zrpt.xml
2010-07-19 20:53:32 256 ----a-w- c:\windows\system32\pool.bin
2010-07-19 20:53:30 0 d-----w- c:\users\christ~1\appdata\roaming\Research In Motion
2010-07-19 20:51:00 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-07-19 20:50:33 0 d-----w- c:\programdata\Research In Motion
2010-07-19 20:50:18 0 d-----w- c:\program files\common files\Research In Motion
2010-07-19 20:50:15 0 d-----w- c:\program files\Research In Motion
2010-07-16 19:26:12 0 d-----w- c:\program files\Rainmeter
2010-07-13 17:13:08 0 d-----w- c:\program files\FreeMind

==================== Find3M ====================

2010-08-06 00:29:44 37301 ----a-w- c:\programdata\nvModes.dat
2010-07-30 02:23:30 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-30 02:23:30 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-30 02:23:24 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-16 19:32:41 330908 ----a-w- c:\windows\fonts\segoeuil.ttf
2010-06-15 18:30:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-12 21:21:47 21 ----a-w- c:\users\christian\DoddleWebPhone.dat
2010-06-07 23:48:04 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 23:48:04 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 23:48:04 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 23:48:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-28 18:58:26 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 20:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 22:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 22:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-10 21:51:42 21508 ------w- c:\program files\.DS_Store
2010-03-22 03:37:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-24 00:51:12 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-09 03:32:50 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-12-09 03:32:50 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-09 03:32:50 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-04-05 03:54:33 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-09 03:22:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-12-09 03:22:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-09 03:22:19 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-18 04:48:25 344064 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-09 14:13:41 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-12-09 14:12:07 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009120920091210\index.dat
2009-05-31 23:32:33 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-05-31 23:32:33 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2009-05-31 23:32:33 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
2009-12-09 14:13:41 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat
2009-12-09 14:13:41 16384 --sha-w- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\ietldcache\index.dat
2006-11-22 14:58:11 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:35:41.19 ===============

A few more details regarding this virus:

It won't let me access Windows Update, and the actual site for manual Windows updates is blocked.
It seems I am infected with a variant of the TDL3+ rootkit... even though several products claim to remove this, none so far have, although some have detected it.

Attached Files


Edited by Budapest, 08 August 2010 - 04:16 PM.
Posts merged ~BP
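The SERVICES / DRIVERS section of the DDS log above is where a helper looks first: three S3 entries (L, LHQR, QNVVMWRSYEJIXEJW) have all-caps names with no recognisable word in them, point at executables under the user's Temp folder, and carry DDS's "[?]" marker because the scanner could not stat the file. The Pseudo HJT section also shows EnableLUA = 0, so UAC was off and anything the user ran had full administrative rights. The following script is an added example, not part of the original post or of DDS, that pulls those signals out of a log automatically. The sample lines are copied from the log above; the vowel-ratio threshold and the Temp-directory rule are heuristic assumptions of this example.

```python
"""Triage the SERVICES / DRIVERS and policy lines of a DDS log.

Added example, not part of the original thread or of the DDS tool.
"""
import re

# Sample lines copied from the DDS log posted above (backslashes restored).
SAMPLE_DDS_SERVICES = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-8-5 16968]
S3 L;L;c:\users\christ~1\appdata\local\temp\l.exe --> c:\users\christ~1\appdata\local\temp\L.exe [?]
S3 LHQR;LHQR;c:\users\christ~1\appdata\local\temp\lhqr.exe --> c:\users\christ~1\appdata\local\temp\LHQR.exe [?]
S3 QNVVMWRSYEJIXEJW;QNVVMWRSYEJIXEJW;c:\users\christ~1\appdata\local\temp\qnvvmwrsyejixejw.exe --> c:\users\christ~1\appdata\local\temp\QNVVMWRSYEJIXEJW.exe [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-2-13 25704]
"""

# Sample lines copied from the Pseudo HJT section of the same log.
SAMPLE_DDS_POLICIES = """
mPolicies-system: ConsentPromptBehaviorAdmin = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
"""

# DDS format: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_services(text):
    """Yield (state, name, image_path, size_known) for each service/driver line."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # DDS prints "<registry value> --> <resolved path> [size]" when they differ.
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        size_known = not rest.rstrip().endswith("[?]")
        image = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)
        yield m.group("state"), m.group("name"), image, size_known


def looks_generated(name):
    """Heuristic (assumption): an all-caps, letters-only name with few vowels."""
    if not re.fullmatch(r"[A-Z]{1,20}", name):
        return False
    vowels = sum(c in "AEIOU" for c in name)
    return vowels / len(name) < 0.3


def triage_services(text):
    """Return {service_name: [reasons]} for entries that deserve a second look."""
    findings = {}
    for state, name, image, size_known in parse_services(text):
        reasons = []
        if TEMP_DIR_RE.search(image):
            reasons.append("image path is under a user's Temp directory")
        if not size_known:
            reasons.append("DDS could not stat the file ([?]): deleted, or hidden from the scanner")
        if looks_generated(name):
            reasons.append("service name looks machine-generated")
        if reasons:
            findings[name] = reasons
    return findings


def uac_disabled(text):
    """True if the log shows EnableLUA = 0, i.e. UAC switched off."""
    return re.search(r"EnableLUA\s*=\s*0\b", text) is not None


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_DDS_SERVICES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
    if uac_disabled(SAMPLE_DDS_POLICIES):
        print("UAC is disabled (EnableLUA = 0): anything the user ran had full admin rights")
```

Run against the sample, only the three Temp-folder services are reported, each with all three reasons; MpFilter, the Hitman Pro driver and the WsAudio drivers pass. A machine-generated name on its own is weak evidence, which is why the script reports every reason rather than a single verdict.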



#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:01:41 PM

Posted 14 August 2010 - 01:30 AM

Hi Fennec,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

STEP 1 - MBAM

Note: In the event that you already have MBAM installed, you do not need to reinstall it. Simply Updating it and doing a Quickscan is sufficient.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 3 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.
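The GMER log requested in STEP 2 reports inline hooks as "<module>!<function> <address> 5 Bytes JMP <target>", and the most useful question about each one is where the JMP lands. Security products that hook APIs jump into their own loaded DLL; code written into a process by malware lives in privately allocated memory, which on 32-bit Windows shows up as a target far below the addresses at which system DLLs are mapped. GMER's kernel section also prints a "?" line for a driver object whose backing file it cannot open. The following is an added example, not part of the thread or of GMER, that parses both kinds of line; the sample lines are taken from the GMER log Fennec posts in the next reply, and the 0x10000000 ceiling used to classify a target as private memory is a heuristic assumption of this example.

```python
"""Parse GMER hook lines and group injected-code hooks by process.

Added example, not part of the original thread or of the GMER tool.
"""
import re
from collections import defaultdict

# Sample lines taken from the GMER log posted later in this thread; not a complete log.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spew.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload 82D68B2E 5 Bytes JMP 8555C1D8
.text USBPORT.SYS!DllUnload 8F95241B 5 Bytes JMP 86FB31D8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 766B9EA6 5 Bytes JMP 0099000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0048000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0050000A
"""

# User-mode hook: ".text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target>"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
# Kernel driver object whose file GMER could not open.
MISSING_DRIVER_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the path specified")

# Assumption (heuristic, 32-bit): system DLLs are mapped high in user space, so a
# JMP target this far below them is privately allocated memory, not a loaded DLL.
PRIVATE_MEMORY_CEILING = 0x10000000


def parse_user_hooks(text):
    """Return one dict per inline hook found in the 'User code sections' part."""
    hooks = []
    for line in text.splitlines():
        m = USER_HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        hook["pid"] = int(hook["pid"])
        hook["nbytes"] = int(hook["nbytes"])
        hook["addr"] = int(hook["addr"], 16)
        hook["target"] = int(hook["target"], 16)
        hook["into_private_memory"] = hook["target"] < PRIVATE_MEMORY_CEILING
        hooks.append(hook)
    return hooks


def missing_drivers(text):
    """Paths of kernel drivers GMER saw loaded but could not find on disk."""
    found = []
    for line in text.splitlines():
        m = MISSING_DRIVER_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def hooked_processes(text):
    """Map pid -> (image, sorted 'module!function' list) for hooks into private memory."""
    by_pid = defaultdict(lambda: [None, []])
    for hook in parse_user_hooks(text):
        if hook["into_private_memory"]:
            by_pid[hook["pid"]][0] = hook["image"]
            by_pid[hook["pid"]][1].append(f'{hook["module"]}!{hook["func"]}')
    return {pid: (image, sorted(funcs)) for pid, (image, funcs) in by_pid.items()}


if __name__ == "__main__":
    for pid, (image, funcs) in sorted(hooked_processes(SAMPLE_GMER).items()):
        print(f"{image} [{pid}] has {len(funcs)} hook(s) jumping into private memory:")
        for func in funcs:
            print("   -", func)
    for path in missing_drivers(SAMPLE_GMER):
        print("loaded driver with no reachable file:", path)
```

On the sample every user-mode hook lands at an address like 0x0092000A, so all of them are classified as injected code, and the hooked routines (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher) are exactly the ones a process goes through to change page protections, write memory and dispatch exceptions, so whatever installed them sees those operations before the process does. The "?" line for spew.sys says the kernel has a driver object whose file the scanner cannot open, which is what a file-hiding rootkit looks like from the outside; the kernel JMPs into ataport and USBPORT are left unclassified here because kernel addresses need a loaded-module list to interpret.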


#3 Fennec

Fennec
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 14 August 2010 - 03:30 PM

Hi here are the logs you requested. MBAM detected a malware trace but the redirects still exist. The Extras.txt from OTL is attached as a file.

MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4428

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/14/2010 10:56:47 AM
mbam-log.txt

Scan type: Quick scan
Objects scanned: 145608
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 14:13:10
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\CHRIST~1\AppData\Local\Temp\kwddipod.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 86FB3BF8
INT 0x62 ? 86FB3BF8
INT 0x72 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x92 ? 86FB3BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spew.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload 82D68B2E 5 Bytes JMP 8555C1D8
.text USBPORT.SYS!DllUnload 8F95241B 5 Bytes JMP 86FB31D8
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF A045003F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 A0450130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 A0450137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 766B9EA6 5 Bytes JMP 0099000A
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!GetCursorPos 77980B88 5 Bytes JMP 013A000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0048000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0049000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0047000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 016B000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 016C000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0050000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85EE51F8
Device \FileSystem\udfs \UdfsCdRom 8769A1F8
Device \FileSystem\udfs \UdfsDisk 8769A1F8
Device \Driver\volmgr \Device\VolMgrControl 8555E1F8
Device \Driver\usbuhci \Device\USBPDO-0 86E871F8
Device \Driver\usbuhci \Device\USBPDO-1 86E871F8
Device \Driver\usbuhci \Device\USBPDO-2 86E871F8
Device \Driver\usbehci \Device\USBPDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBPDO-4 86E871F8
Device \Driver\usbuhci \Device\USBPDO-5 86E871F8
Device \Driver\usbuhci \Device\USBPDO-6 86E871F8
Device \Driver\volmgr \Device\HarddiskVolume1 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 86F2F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 871761F8
Device \Driver\netbt \Device\NetBt_Wins_Export 876A6500
Device \Driver\Smb \Device\NetbiosSmb 872EE1F8
Device \Driver\iScsiPrt \Device\RaidPort0 871831F8
Device \Driver\netbt \Device\NetBT_Tcpip_{28B3D8F2-F0FB-4318-9417-7F3739B50CB4} 876A6500
Device \Driver\usbuhci \Device\USBFDO-0 86E871F8
Device \Driver\usbuhci \Device\USBFDO-1 86E871F8
Device \Driver\usbuhci \Device\USBFDO-2 86E871F8
Device \Driver\usbehci \Device\USBFDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBFDO-4 86E871F8
Device \Driver\usbuhci \Device\USBFDO-5 86E871F8
Device \Driver\usbuhci \Device\USBFDO-6 86E871F8
Device \Driver\usbehci \Device\USBFDO-7 86F2F1F8
Device \Driver\VClone \Device\Scsi\VClone1Port5Path0Target0Lun0 871A81F8
Device \Driver\VClone \Device\Scsi\VClone1 871A81F8
Device \FileSystem\cdfs \Cdfs 881CD1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...

---- EOF - GMER 1.0.15 ----

OTL Log

OTL logfile created on: 8/14/2010 2:15:32 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Christian\Downloads
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 174.80 Gb Total Space | 123.28 Gb Free Space | 70.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRISTIAN
Current User Name: Christian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetTcpActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetPipeActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetMsmqActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AEADIFilters) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV - (SjyPkt) -- C:\Windows\System32\Drivers\SjyPkt.sys File not found
DRV - (pcmcia) -- C:\Windows\System32\drivers\pcmcia.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (ElbyCDIO) -- C:\Windows\System32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (atapi) -- C:\Windows\system32\drivers\kav_atapi.sys ()
DRV - (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) -- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys (Wondershare)
DRV - (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) -- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys (Wondershare)
DRV - (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) -- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys (Wondershare)
DRV - (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) -- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys (Wondershare)
DRV - (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys (Wondershare)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Sun Microsystems, Inc.)
DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Sun Microsystems, Inc.)
DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Sun Microsystems, Inc.)
DRV - (VClone) -- C:\Windows\System32\drivers\VClone.sys (Elaborate Bytes AG)
DRV - (purendis) -- C:\Windows\System32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\Windows\System32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (tbhsd) -- C:\Windows\System32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTL8187) -- C:\Windows\System32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
DRV - (tapvpn) -- C:\Windows\System32\drivers\tapvpn.sys (The OpenVPN Project)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (ADIHdAudAddService) -- C:\Windows\System32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (RtlProt) -- C:\Windows\System32\drivers\RtlProt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 64 BF F1 EB D8 C9 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.4
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/08/07 10:46:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/04 18:45:49 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions
[2010/08/04 18:45:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/01/17 22:01:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions
[2010/08/12 10:17:59 | 000,000,000 | ---D | M] (Screengrab) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/02 20:58:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}
[2010/07/14 20:19:29 | 000,000,000 | ---D | M] (Readability) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}(19)
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010/02/07 23:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{989e9382-d540-4189-88d1-fc54a949a387}
[2010/07/15 23:25:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/08/10 18:01:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/19 20:59:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(10606)
[2010/07/11 20:55:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(36)
[2009/09/17 21:57:06 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}(37)
[2009/12/02 20:57:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/12/15 21:33:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\bettergmail2@ginatrapani.org
[2009/08/24 11:57:09 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\chromifox@altmusictv(91).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\firebug@software.joehewitt.com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\grwatcher@ajnasz.hu
[2009/09/17 22:23:04 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\LogMeInClient@logmein(36).com
[2010/07/15 12:55:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk(35).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk.com
[2010/02/14 00:25:31 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\opera10skin@firefox.theme
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au
[2010/07/16 14:27:47 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
[2009/06/20 11:10:42 | 000,002,164 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\bing.xml
[2010/08/11 14:16:09 | 000,001,879 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\skreemr-audio-search.xml
[2009/06/20 11:11:43 | 000,001,980 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\wolframalpha.xml
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/06 12:05:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/03/17 17:44:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitR


%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 174.80 Gb Total Space | 123.28 Gb Free Space | 70.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRISTIAN
Current User Name: Christian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetTcpActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetPipeActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetMsmqActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AEADIFilters) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV - (SjyPkt) -- C:\Windows\System32\Drivers\SjyPkt.sys File not found
DRV - (pcmcia) -- C:\Windows\System32\drivers\pcmcia.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (ElbyCDIO) -- C:\Windows\System32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (atapi) -- C:\Windows\system32\drivers\kav_atapi.sys ()
DRV - (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) -- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys (Wondershare)
DRV - (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) -- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys (Wondershare)
DRV - (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) -- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys (Wondershare)
DRV - (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) -- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys (Wondershare)
DRV - (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys (Wondershare)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Sun Microsystems, Inc.)
DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Sun Microsystems, Inc.)
DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Sun Microsystems, Inc.)
DRV - (VClone) -- C:\Windows\System32\drivers\VClone.sys (Elaborate Bytes AG)
DRV - (purendis) -- C:\Windows\System32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\Windows\System32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (tbhsd) -- C:\Windows\System32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTL8187) -- C:\Windows\System32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
DRV - (tapvpn) -- C:\Windows\System32\drivers\tapvpn.sys (The OpenVPN Project)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (ADIHdAudAddService) -- C:\Windows\System32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (RtlProt) -- C:\Windows\System32\drivers\RtlProt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 64 BF F1 EB D8 C9 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.4
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/08/07 10:46:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/04 18:45:49 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions
[2010/08/04 18:45:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/01/17 22:01:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions
[2010/08/12 10:17:59 | 000,000,000 | ---D | M] (Screengrab) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/02 20:58:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}
[2010/07/14 20:19:29 | 000,000,000 | ---D | M] (Readability) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}(19)
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010/02/07 23:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{989e9382-d540-4189-88d1-fc54a949a387}
[2010/07/15 23:25:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/08/10 18:01:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/19 20:59:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(10606)
[2010/07/11 20:55:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(36)
[2009/09/17 21:57:06 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}(37)
[2009/12/02 20:57:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/12/15 21:33:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\bettergmail2@ginatrapani.org
[2009/08/24 11:57:09 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\chromifox@altmusictv(91).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\firebug@software.joehewitt.com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\grwatcher@ajnasz.hu
[2009/09/17 22:23:04 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\LogMeInClient@logmein(36).com
[2010/07/15 12:55:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk(35).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk.com
[2010/02/14 00:25:31 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\opera10skin@firefox.theme
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au
[2010/07/16 14:27:47 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
[2009/06/20 11:10:42 | 000,002,164 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\bing.xml
[2010/08/11 14:16:09 | 000,001,879 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\skreemr-audio-search.xml
[2009/06/20 11:11:43 | 000,001,980 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\wolframalpha.xml
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/06 12:05:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/03/17 17:44:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitR
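GMER's "Kernel code sections" and "User code sections" report inline hooks: a 5-byte JMP written over the entry of an exported function, with the address control is diverted to. The "INT 0x.. ? address" lines are interrupt vectors pointing at handlers outside any known module. Helpers triage these listings by eye, looking for the same function patched in several processes and for many diversions landing in one memory region. The script below is an added example, not part of this thread and not GMER's code; it parses lines of the form shown in these logs and performs that grouping. The sample lines are constructed from entries of the kind posted here; the 64 KiB region size (Windows' allocation granularity) and the 0x10000000 user-mode ceiling are heuristics chosen for this example.

```python
"""Triage inline hooks listed by GMER.  Added example; not GMER's code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the hook entries GMER prints in this thread.
SAMPLE = r"""
INT 0x51 ? 86FB3BF8
INT 0x62 ? 86FB3BF8
PAGE ataport.SYS!DllUnload 82D68B2E 5 Bytes JMP 8555C1D8
.text USBPORT.SYS!DllUnload 8F95241B 5 Bytes JMP 86FB31D8
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 A0450130 6 Bytes [0E, 83, 78, 14, 01, 75]
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 766B9EA6 5 Bytes JMP 0099000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0048000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 016B000A
"""

# Inline JMP hook.  User-mode lines carry "image[pid]" before module!symbol;
# kernel-mode lines do not, so that group is optional.
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+"
    r"(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^\s!]+)!(?P<symbol>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$"
)
# Interrupt vector pointing at an address GMER could not attribute to a module.
INT_RE = re.compile(r"^INT\s+0x(?P<vec>[0-9A-F]+)\s+\?\s+(?P<target>[0-9A-F]{8})$")


@dataclass(frozen=True)
class Hook:
    kind: str              # "inline" (JMP patch) or "int" (interrupt vector)
    scope: str             # "user" or "kernel"
    process: Optional[str]
    pid: Optional[int]
    location: str          # "module!symbol" or "INT 0x51"
    addr: Optional[int]    # patched address, None for INT entries
    target: int            # where execution is diverted to


def parse_gmer_hooks(text: str) -> tuple[list[Hook], list[str]]:
    """Return (diversions, other) where `other` holds code-section lines that
    are byte patches but not JMP diversions, so nothing is silently dropped."""
    hooks, other = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INT_RE.match(line)
        if m:
            hooks.append(Hook("int", "kernel", None, None,
                              f"INT 0x{m['vec']}", None, int(m["target"], 16)))
            continue
        m = HOOK_RE.match(line)
        if m:
            proc = m["process"]
            hooks.append(Hook("inline", "user" if proc else "kernel", proc,
                              int(m["pid"]) if proc else None,
                              f"{m['module']}!{m['symbol']}",
                              int(m["addr"], 16), int(m["target"], 16)))
            continue
        other.append(line)
    return hooks, other


def hooked_in_multiple_processes(hooks, min_processes=2):
    """Same function patched at the same address in several processes: the
    mark of one component injecting itself system-wide, not of one program
    hooking its own process.  Keys are (module!symbol, address)."""
    by_func = defaultdict(set)
    for h in hooks:
        if h.scope == "user" and h.kind == "inline":
            by_func[(h.location, h.addr)].add(h.pid)
    return {key: sorted(pids) for key, pids in by_func.items()
            if len(pids) >= min_processes}


def cluster_by_target_region(hooks, granularity=0x10000):
    """Group diversions by the region their targets fall in (64 KiB, the
    allocation granularity, is an assumption of this example).  Several hooks
    and interrupt handlers landing in one region point at one installer."""
    regions = defaultdict(list)
    for h in hooks:
        base = h.target // granularity * granularity
        regions[(h.scope, h.process, h.pid, base)].append(h.location)
    return dict(regions)


def low_usermode_targets(hooks, ceiling=0x10000000):
    """Heuristic (an assumption of this example): on 32-bit Windows the system
    DLLs map high in user space, so a hook in ntdll/ole32 that jumps below
    `ceiling` lands in a private allocation, i.e. injected code."""
    return [h for h in hooks if h.scope == "user" and h.target < ceiling]


def report(text: str) -> str:
    hooks, other = parse_gmer_hooks(text)
    out = [f"{len(hooks)} diversions parsed, {len(other)} other patched ranges skipped"]
    for (loc, addr), pids in sorted(hooked_in_multiple_processes(hooks).items()):
        out.append(f"process-wide: {loc} @ {addr:08X} hooked in pids {pids}")
    for (scope, proc, pid, base), locs in sorted(cluster_by_target_region(hooks).items(), key=str):
        if len(locs) > 1:
            where = f"{proc}[{pid}]" if proc else "kernel"
            out.append(f"one component at {base:08X}-{base + 0xFFFF:08X} in {where}: {', '.join(locs)}")
    for h in low_usermode_targets(hooks):
        out.append(f"private-memory target: {h.process}[{h.pid}] {h.location} -> {h.target:08X}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against a full GMER log the script separates hooks that share a target region (in the sample the two INT vectors and the USBPORT.SYS patch all land in the same 64 KiB of kernel memory, while the ataport.SYS patch lands elsewhere) from the user-mode pattern of one ntdll function hooked at the same address in three processes. That split is what a helper needs before deciding which driver each set of hooks belongs to; the script does not decide whether a hook is malicious.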

Hi, here are the logs you requested. MBAM detected a malware trace but the redirects still exist. The Extras.txt from OTL is attached as a file.

MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4428

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/14/2010 10:56:47 AM
mbam-log.txt

Scan type: Quick scan
Objects scanned: 145608
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 14:13:10
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\CHRIST~1\AppData\Local\Temp\kwddipod.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 86FB3BF8
INT 0x62 ? 86FB3BF8
INT 0x72 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x92 ? 86FB3BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spew.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload 82D68B2E 5 Bytes JMP 8555C1D8
.text USBPORT.SYS!DllUnload 8F95241B 5 Bytes JMP 86FB31D8
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF A045003F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 A0450130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 A0450137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 766B9EA6 5 Bytes JMP 0099000A
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!GetCursorPos 77980B88 5 Bytes JMP 013A000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0048000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0049000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0047000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 016B000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 016C000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0050000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85EE51F8
Device \FileSystem\udfs \UdfsCdRom 8769A1F8
Device \FileSystem\udfs \UdfsDisk 8769A1F8
Device \Driver\volmgr \Device\VolMgrControl 8555E1F8
Device \Driver\usbuhci \Device\USBPDO-0 86E871F8
Device \Driver\usbuhci \Device\USBPDO-1 86E871F8
Device \Driver\usbuhci \Device\USBPDO-2 86E871F8
Device \Driver\usbehci \Device\USBPDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBPDO-4 86E871F8
Device \Driver\usbuhci \Device\USBPDO-5 86E871F8
Device \Driver\usbuhci \Device\USBPDO-6 86E871F8
Device \Driver\volmgr \Device\HarddiskVolume1 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 86F2F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 871761F8
Device \Driver\netbt \Device\NetBt_Wins_Export 876A6500
Device \Driver\Smb \Device\NetbiosSmb 872EE1F8
Device \Driver\iScsiPrt \Device\RaidPort0 871831F8
Device \Driver\netbt \Device\NetBT_Tcpip_{28B3D8F2-F0FB-4318-9417-7F3739B50CB4} 876A6500
Device \Driver\usbuhci \Device\USBFDO-0 86E871F8
Device \Driver\usbuhci \Device\USBFDO-1 86E871F8
Device \Driver\usbuhci \Device\USBFDO-2 86E871F8
Device \Driver\usbehci \Device\USBFDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBFDO-4 86E871F8
Device \Driver\usbuhci \Device\USBFDO-5 86E871F8
Device \Driver\usbuhci \Device\USBFDO-6 86E871F8
Device \Driver\usbehci \Device\USBFDO-7 86F2F1F8
Device \Driver\VClone \Device\Scsi\VClone1Port5Path0Target0Lun0 871A81F8
Device \Driver\VClone \Device\Scsi\VClone1 871A81F8
Device \FileSystem\cdfs \Cdfs 881CD1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...

---- EOF - GMER 1.0.15 ----

OTL Log

OTL logfile created on: 8/14/2010 2:15:32 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Christian\Downloads
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 174.80 Gb Total Space | 123.28 Gb Free Space | 70.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRISTIAN
Current User Name: Christian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetTcpActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetPipeActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetMsmqActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AEADIFilters) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV - (SjyPkt) -- C:\Windows\System32\Drivers\SjyPkt.sys File not found
DRV - (pcmcia) -- C:\Windows\System32\drivers\pcmcia.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (ElbyCDIO) -- C:\Windows\System32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (atapi) -- C:\Windows\system32\drivers\kav_atapi.sys ()
DRV - (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) -- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys (Wondershare)
DRV - (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) -- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys (Wondershare)
DRV - (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) -- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys (Wondershare)
DRV - (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) -- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys (Wondershare)
DRV - (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys (Wondershare)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Sun Microsystems, Inc.)
DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Sun Microsystems, Inc.)
DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Sun Microsystems, Inc.)
DRV - (VClone) -- C:\Windows\System32\drivers\VClone.sys (Elaborate Bytes AG)
DRV - (purendis) -- C:\Windows\System32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\Windows\System32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (tbhsd) -- C:\Windows\System32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTL8187) -- C:\Windows\System32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
DRV - (tapvpn) -- C:\Windows\System32\drivers\tapvpn.sys (The OpenVPN Project)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (ADIHdAudAddService) -- C:\Windows\System32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (RtlProt) -- C:\Windows\System32\drivers\RtlProt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 64 BF F1 EB D8 C9 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.4
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/08/07 10:46:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/04 18:45:49 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions
[2010/08/04 18:45:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/01/17 22:01:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions
[2010/08/12 10:17:59 | 000,000,000 | ---D | M] (Screengrab) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/02 20:58:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}
[2010/07/14 20:19:29 | 000,000,000 | ---D | M] (Readability) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}(19)
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010/02/07 23:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{989e9382-d540-4189-88d1-fc54a949a387}
[2010/07/15 23:25:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/08/10 18:01:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/19 20:59:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(10606)
[2010/07/11 20:55:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(36)
[2009/09/17 21:57:06 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}(37)
[2009/12/02 20:57:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/12/15 21:33:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\bettergmail2@ginatrapani.org
[2009/08/24 11:57:09 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\chromifox@altmusictv(91).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\firebug@software.joehewitt.com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\grwatcher@ajnasz.hu
[2009/09/17 22:23:04 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\LogMeInClient@logmein(36).com
[2010/07/15 12:55:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk(35).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk.com
[2010/02/14 00:25:31 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\opera10skin@firefox.theme
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au
[2010/07/16 14:27:47 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
[2009/06/20 11:10:42 | 000,002,164 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\bing.xml
[2010/08/11 14:16:09 | 000,001,879 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\skreemr-audio-search.xml
[2009/06/20 11:11:43 | 000,001,980 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\wolframalpha.xml
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/06 12:05:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/03/17 17:44:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitR

Hi, here are the logs you requested. MBAM detected a malware trace, but the redirects still exist. The Extras.txt from OTL is attached as a file.

MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4428

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/14/2010 10:56:47 AM
mbam-log.txt

Scan type: Quick scan
Objects scanned: 145608
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 14:13:10
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\CHRIST~1\AppData\Local\Temp\kwddipod.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 86FB3BF8
INT 0x62 ? 86FB3BF8
INT 0x72 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x82 ? 86FB3BF8
INT 0x92 ? 86FB3BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spew.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload 82D68B2E 5 Bytes JMP 8555C1D8
.text USBPORT.SYS!DllUnload 8F95241B 5 Bytes JMP 86FB31D8
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF A045003F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F A04500AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 A0450130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 A0450137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 766B9EA6 5 Bytes JMP 0099000A
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!GetCursorPos 77980B88 5 Bytes JMP 013A000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 0048000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 0049000A
.text C:\Windows\explorer.exe[1700] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0047000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 77C44D34 5 Bytes JMP 016B000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!NtWriteVirtualMemory 77C45674 5 Bytes JMP 016C000A
.text C:\Windows\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 77C45DC8 5 Bytes JMP 0050000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85EE51F8
Device \FileSystem\udfs \UdfsCdRom 8769A1F8
Device \FileSystem\udfs \UdfsDisk 8769A1F8
Device \Driver\volmgr \Device\VolMgrControl 8555E1F8
Device \Driver\usbuhci \Device\USBPDO-0 86E871F8
Device \Driver\usbuhci \Device\USBPDO-1 86E871F8
Device \Driver\usbuhci \Device\USBPDO-2 86E871F8
Device \Driver\usbehci \Device\USBPDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBPDO-4 86E871F8
Device \Driver\usbuhci \Device\USBPDO-5 86E871F8
Device \Driver\usbuhci \Device\USBPDO-6 86E871F8
Device \Driver\volmgr \Device\HarddiskVolume1 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 86F2F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8555E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 871761F8
Device \Driver\netbt \Device\NetBt_Wins_Export 876A6500
Device \Driver\Smb \Device\NetbiosSmb 872EE1F8
Device \Driver\iScsiPrt \Device\RaidPort0 871831F8
Device \Driver\netbt \Device\NetBT_Tcpip_{28B3D8F2-F0FB-4318-9417-7F3739B50CB4} 876A6500
Device \Driver\usbuhci \Device\USBFDO-0 86E871F8
Device \Driver\usbuhci \Device\USBFDO-1 86E871F8
Device \Driver\usbuhci \Device\USBFDO-2 86E871F8
Device \Driver\usbehci \Device\USBFDO-3 86F2F1F8
Device \Driver\usbuhci \Device\USBFDO-4 86E871F8
Device \Driver\usbuhci \Device\USBFDO-5 86E871F8
Device \Driver\usbuhci \Device\USBFDO-6 86E871F8
Device \Driver\usbehci \Device\USBFDO-7 86F2F1F8
Device \Driver\VClone \Device\Scsi\VClone1Port5Path0Target0Lun0 871A81F8
Device \Driver\VClone \Device\Scsi\VClone1 871A81F8
Device \FileSystem\cdfs \Cdfs 881CD1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x07 0xF8 0x54 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0x76 0x44 0x6C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x68 0x64 0x1B 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x51 0x0E 0x28 0x6F ...

---- EOF - GMER 1.0.15 ----

OTL Log

OTL logfile created on: 8/14/2010 2:15:32 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Christian\Downloads
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 174.80 Gb Total Space | 123.28 Gb Free Space | 70.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRISTIAN
Current User Name: Christian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Christian\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetTcpActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetPipeActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (NetMsmqActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AEADIFilters) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV - (SjyPkt) -- C:\Windows\System32\Drivers\SjyPkt.sys File not found
DRV - (pcmcia) -- C:\Windows\System32\drivers\pcmcia.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (ElbyCDIO) -- C:\Windows\System32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (atapi) -- C:\Windows\system32\drivers\kav_atapi.sys ()
DRV - (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) -- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys (Wondershare)
DRV - (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) -- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys (Wondershare)
DRV - (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) -- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys (Wondershare)
DRV - (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) -- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys (Wondershare)
DRV - (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys (Wondershare)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Sun Microsystems, Inc.)
DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Sun Microsystems, Inc.)
DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Sun Microsystems, Inc.)
DRV - (VClone) -- C:\Windows\System32\drivers\VClone.sys (Elaborate Bytes AG)
DRV - (purendis) -- C:\Windows\System32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\Windows\System32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (tbhsd) -- C:\Windows\System32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTL8187) -- C:\Windows\System32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
DRV - (tapvpn) -- C:\Windows\System32\drivers\tapvpn.sys (The OpenVPN Project)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (ADIHdAudAddService) -- C:\Windows\System32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (RtlProt) -- C:\Windows\System32\drivers\RtlProt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 64 BF F1 EB D8 C9 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.4
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/09 19:59:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/08/07 10:46:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/04 18:45:49 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions
[2010/08/04 18:45:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/01/17 22:01:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions
[2010/08/12 10:17:59 | 000,000,000 | ---D | M] (Screengrab) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/02 20:58:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}
[2010/07/14 20:19:29 | 000,000,000 | ---D | M] (Readability) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}(19)
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010/02/07 23:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{989e9382-d540-4189-88d1-fc54a949a387}
[2010/07/15 23:25:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/08/10 18:01:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/19 20:59:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(10606)
[2010/07/11 20:55:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(36)
[2009/09/17 21:57:06 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}(37)
[2009/12/02 20:57:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/12/15 21:33:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\bettergmail2@ginatrapani.org
[2009/08/24 11:57:09 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\chromifox@altmusictv(91).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\firebug@software.joehewitt.com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\grwatcher@ajnasz.hu
[2009/09/17 22:23:04 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\LogMeInClient@logmein(36).com
[2010/07/15 12:55:32 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk(35).com
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\omnibar@ajitk.com
[2010/02/14 00:25:31 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\opera10skin@firefox.theme
[2010/08/07 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au
[2010/07/16 14:27:47 | 000,000,000 | ---D | M] -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
[2009/06/20 11:10:42 | 000,002,164 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\bing.xml
[2010/08/11 14:16:09 | 000,001,879 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\skreemr-audio-search.xml
[2009/06/20 11:11:43 | 000,001,980 | ---- | M] () -- C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\searchplugins\wolframalpha.xml
[2010/08/14 10:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/06 12:05:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/03/17 17:44:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS F




#4 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:01:41 PM

Posted 15 August 2010 - 12:35 AM

Hi there,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#5 Fennec

Fennec
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 15 August 2010 - 11:40 AM

Hi here's the log you requested. Browser redirects are still happening.

ComboFix 10-08-14.06 - Christian 08/15/2010 10:11:06.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2386 [GMT -6:00]
Running from: c:\users\Christian\Downloads\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Aacddcdd.ini
c:\windows\System32\Aacddcdd.ini2
c:\windows\system32\Install.txt
c:\windows\system32\nsdgaonb.ini
c:\windows\Tasks\frrybnkh.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC


((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 16:23 . 2010-08-15 16:26 -------- d-----w- c:\users\Christian\AppData\Local\temp
2010-08-15 16:23 . 2010-08-15 16:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-15 16:23 . 2010-08-15 16:23 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-08-15 16:23 . 2010-08-15 16:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-07 16:38 . 2010-08-07 16:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-07 16:37 . 2010-08-07 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-07 11:19 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Roaming\SafeReturner
2010-08-07 11:19 . 2010-08-07 11:19 -------- d-----w- c:\program files\Safe Returner
2010-08-07 10:49 . 2010-08-07 10:49 -------- d-----w- c:\program files\Sophos
2010-08-07 06:00 . 2010-08-07 10:34 -------- d-----w- c:\users\Christian\DoctorWeb
2010-08-07 05:24 . 2010-08-07 05:25 -------- d-----w- c:\program files\UnHackMe
2010-08-07 05:12 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Local\temp(10260)
2010-08-06 20:25 . 2010-08-06 20:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-06 18:05 . 2010-08-06 18:05 -------- d-----w- c:\program files\Common Files\Java
2010-08-06 04:23 . 2010-08-06 20:38 -------- d-----w- c:\users\Christian\AppData\Roaming\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\programdata\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Nitro PDF
2010-08-06 04:04 . 2010-08-05 23:00 -------- d-----w- c:\programdata\Hitman Pro
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-08-06 02:08 . 2010-08-06 21:14 -------- d-----w- c:\windows\system32\catroot2(12913)
2010-08-05 23:18 . 2010-08-05 23:18 -------- d-----w- c:\program files\Tizer™ Rootkit Razor
2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\AVG
2010-08-05 02:48 . 2010-08-05 02:48 -------- d-----w- c:\program files\Softwin
2010-08-05 01:55 . 2010-08-05 01:56 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-05 00:45 . 2010-08-07 16:46 -------- d-----w- c:\users\Christian\AppData\Roaming\Thunderbird
2010-08-05 00:45 . 2010-08-07 16:45 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-04 01:24 . 2010-08-05 01:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-04 01:24 . 2010-08-04 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\programdata\RegCure
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\program files\RegCure
2010-07-29 23:03 . 2010-07-29 23:03 -------- d-----w- c:\program files\RocketDock
2010-07-29 22:57 . 2010-07-29 22:57 -------- d-----w- c:\users\Christian\AppData\Roaming\Doomi.809F847005C7832B69625A614BB25CA209244440.1
2010-07-29 19:08 . 2010-07-29 19:08 -------- d-----w- c:\programdata\Alwil Software
2010-07-29 18:40 . 2010-07-29 18:40 -------- d-----w- c:\program files\Freecorder
2010-07-29 18:25 . 2010-08-04 00:48 -------- d-----w- c:\users\Christian\AppData\Local\FLVService
2010-07-29 18:12 . 2010-07-29 18:12 -------- d-----w- c:\program files\iPod(4662)
2010-07-28 23:14 . 2010-07-28 23:14 -------- d-----w- c:\users\Christian\AppData\Roaming\JGsoft
2010-07-20 03:05 . 2010-07-20 03:05 0 ----a-w- c:\users\Christian\AppData\Local\Azuraxakuq.bin
2010-07-20 03:05 . 2010-07-20 03:05 120 ----a-w- c:\users\Christian\AppData\Local\Gxavez.dat
2010-07-19 20:53 . 2010-08-14 00:05 256 ----a-w- c:\windows\system32\pool.bin
2010-07-19 20:53 . 2010-07-19 20:53 -------- d-----w- c:\users\Christian\AppData\Roaming\Research In Motion
2010-07-19 20:51 . 2009-01-09 22:18 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\programdata\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:57 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\program files\Research In Motion
2010-07-19 05:03 . 2010-08-06 20:36 -------- d-----w- c:\users\Christian\AppData\Local\CutePDF Writer
2010-07-17 03:09 . 2010-07-17 03:09 -------- d-----w- c:\users\Christian\AppData\Local\Macroplant
2010-07-16 19:26 . 2010-08-07 18:28 -------- d-----w- c:\users\Christian\AppData\Roaming\Rainmeter
2010-07-16 19:26 . 2010-08-07 18:27 -------- d-----w- c:\program files\Rainmeter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 16:26 . 2009-08-30 20:38 37301 ----a-w- c:\programdata\nvModes.dat
2010-08-15 16:26 . 2009-01-18 02:49 -------- d-----w- c:\programdata\NVIDIA
2010-08-15 16:04 . 2009-09-26 02:11 -------- d-----w- c:\program files\Everything
2010-08-14 16:48 . 2009-08-25 01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 00:27 . 2009-01-19 19:28 -------- d-----w- c:\users\Christian\AppData\Roaming\FileZilla
2010-08-12 05:13 . 2009-06-14 05:22 -------- d-----w- c:\users\Christian\AppData\Roaming\.purple
2010-08-12 04:10 . 2010-08-12 04:10 2157 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-08-12 04:10 . 2010-08-12 04:10 1779 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.oscar.aol.com
2010-08-12 04:10 . 2010-08-12 04:10 2095 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
2010-08-12 04:10 . 2010-08-12 04:10 1691 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-08-10 23:50 . 2010-06-21 02:00 -------- d-----w- c:\program files\iPod
2010-08-07 18:27 . 2010-02-21 00:59 -------- d-----w- c:\program files\Synthesia
2010-08-07 18:25 . 2009-02-07 00:21 -------- d-----w- c:\program files\Common Files\Apple
2010-08-07 18:15 . 2010-06-21 02:07 -------- d-----w- c:\program files\DigiDNA
2010-08-07 06:35 . 2009-01-18 02:20 1356 ----a-w- c:\users\Christian\AppData\Local\d3d9caps.dat
2010-08-06 21:11 . 2009-12-12 03:48 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-06 18:04 . 2009-03-29 03:17 -------- d-----w- c:\program files\Java
2010-08-06 18:01 . 2009-06-22 04:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-06 17:44 . 2009-06-08 03:54 -------- d-----w- c:\program files\Foxit Software
2010-08-05 03:13 . 2009-08-25 01:02 -------- d-----w- c:\programdata\avg8
2010-07-29 22:56 . 2010-03-05 23:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\DesktopMgr.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-16 18:31 . 2009-01-18 17:49 -------- d-----w- c:\users\Christian\AppData\Roaming\Dropbox
2010-07-16 05:17 . 2010-06-04 01:15 -------- d-----w- c:\programdata\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-07-16 03:53 . 2010-06-04 00:28 -------- d-----w- c:\program files\Intel
2010-07-13 17:13 . 2010-07-13 17:13 -------- d-----w- c:\program files\FreeMind
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\users\Christian\AppData\Roaming\Stardock
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\program files\Stardock
2010-06-30 16:47 . 2010-06-30 16:47 -------- d-----w- c:\programdata\FirstClass
2010-06-30 16:47 . 2009-01-18 02:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-30 02:21 . 2010-06-30 02:21 -------- d-----w- c:\users\Christian\AppData\Roaming\Vivox
2010-06-25 17:26 . 2009-08-30 20:35 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-25 17:26 . 2009-04-10 02:19 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-25 17:25 . 2010-06-25 17:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-22 19:49 . 2010-07-16 06:34 3349784 -c--a-w- c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}\Fences.exe
2010-06-21 02:21 . 2010-06-21 02:07 -------- d-----w- c:\users\Christian\AppData\Roaming\DiskAid
2010-06-21 01:50 . 2010-06-21 01:50 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-20 21:55 . 2010-06-20 21:55 -------- d-----w- c:\program files\MSXML 4.0
2010-06-20 10:21 . 2010-08-07 16:49 214016 ----a-w- c:\users\Christian\AppData\Roaming\Thunderbird\Profiles\dw2iqabu.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-06-19 21:54 . 2010-06-18 22:11 -------- d-----w- c:\program files\Inkscape
2010-06-19 20:52 . 2009-01-18 02:21 139088 ----a-w- c:\users\Christian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-18 22:26 . 2009-01-18 05:27 -------- d-----w- c:\users\Christian\AppData\Roaming\Inkscape
2010-06-18 21:42 . 2009-01-27 18:17 -------- d-----w- c:\users\Christian\AppData\Roaming\Corel
2010-06-18 21:41 . 2009-01-27 18:15 -------- d-----w- c:\programdata\Corel
2010-06-16 18:30 . 2009-09-26 02:37 -------- d-----w- c:\program files\Launchy
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-12 21:21 . 2010-06-12 21:21 21 ----a-w- c:\users\Christian\DoddleWebPhone.dat
2010-06-07 23:48 . 2010-06-07 23:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 23:48 . 2010-06-07 23:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 23:48 . 2010-06-07 23:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 23:48 . 2010-06-07 23:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-28 18:58 . 2009-08-25 02:04 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-28 00:45 . 2010-05-28 00:45 892168 ----a-w- c:\programdata\Soluto\Installer\SolutoInstaller.exe
2010-05-26 17:06 . 2010-06-20 21:52 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-20 21:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 23:42 . 2010-05-22 23:42 552 ----a-w- c:\users\Christian\AppData\Local\d3d8caps.dat
2010-05-21 20:14 . 2009-10-18 02:46 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 22:35 . 2010-05-18 22:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 22:35 . 2010-05-18 22:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-10 21:51 . 2010-04-10 21:51 21508 ------w- c:\program files\.DS_Store
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2009-12-12 03:57 . D4F9F8B48A71E66EC21804B87BAFC462 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-22 . A779CA2C76DA4FCB595E692C05E8E4EB . 19048 . . [6.0.6000.16391] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

[-] 2009-06-22 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunderbird"="c:\program files\Mozilla Thunderbird\thunderbird -turbo" [X]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-9-25 245248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.bat]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.bat
backup=c:\windows\pss\map.bat.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.lnk
backup=c:\windows\pss\map.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Update Notifier.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk
backup=c:\windows\pss\Update Notifier.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-22 16:58 133104 ----atw- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 22:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 21:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-07 23:48 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-08-28 13:23 1282048 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-08-03 00:45 53248 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 06:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 06:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cd,78,4d,ed,64,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2391873036-318260933-4054704861-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-10-07 94992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-12-04 25704]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-13 691696]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-02 15360]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2009-10-07 115856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2009-10-07 41424]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2009-10-07 103568]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 23:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000Core.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000UA.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2010-06-06 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2009-05-10 16:30]

2010-01-14 c:\windows\Tasks\User_Feed_Synchronization-{2740724F-C9FE-432A-9868-EEF250A866A3}.job
- c:\windows\system32\msfeedssync.exe [2010-06-20 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\
FF - component: c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\users\Christian\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-IAAnotif - c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\users\Christian\AppData\Local\Temp\winlogin.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-RocketDock - c:\program files\RocketDock\RocketDock.exe
AddRemove-{BE686891-3C56-4714-AFEF-341A7867BA80} - c:\program files\InstallShield Installation Information\{BE686891-3C56-4714-AFEF-341A7867BA80}\Install.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 10:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86EC7B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b7c7d24
\Driver\ACPI -> acpi.sys @ 0x82a92d68
\Driver\atapi -> ataport.SYS @ 0x82ceba2c
\Driver\iaStor -> iaStor.sys @ 0x82c43464
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3244)
c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Mozilla Thunderbird\thunderbird.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-15 10:35:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-15 16:35

Pre-Run: 130,849,300,480 bytes free
Post-Run: 130,709,622,784 bytes free

- - End Of File - - FAC8EEB7B854A451B2A4C5970A478CC9


#6 mpascal

    Math Nerd

  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:01:41 PM

Posted 16 August 2010 - 01:40 AM

Hi there,

Close any open browsers, and close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
Files::
c:\users\Christian\AppData\Local\Azuraxakuq.bin
c:\users\Christian\AppData\Local\Gxavez.dat

  • Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#7 Fennec

  • Topic Starter
  • Members
  • 27 posts
  • Local time:02:41 PM

Posted 16 August 2010 - 12:29 PM

Hi, here's the new log. Browser redirects are still happening and I can't check for Windows updates.

ComboFix 10-08-15.04 - Christian 08/16/2010 11:04:50.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2388 [GMT -6:00]
Running from: c:\users\Christian\Downloads\Combo-Fix.exe
Command switches used :: c:\users\Christian\Downloads\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 17:17 . 2010-08-16 17:18 -------- d-----w- c:\users\Christian\AppData\Local\temp
2010-08-16 17:17 . 2010-08-16 17:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-16 17:17 . 2010-08-16 17:17 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-08-16 17:17 . 2010-08-16 17:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-12 04:10 . 2010-08-12 04:10 2157 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-08-12 04:10 . 2010-08-12 04:10 1779 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.oscar.aol.com
2010-08-12 04:10 . 2010-08-12 04:10 2095 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
2010-08-12 04:10 . 2010-08-12 04:10 1691 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-08-07 16:58 . 2009-12-09 23:31 20992 ----a-w- c:\users\Christian\AppData\Roaming\Thunderbird\Profiles\dw2iqabu.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
2010-08-07 16:49 . 2010-06-20 10:21 214016 ----a-w- c:\users\Christian\AppData\Roaming\Thunderbird\Profiles\dw2iqabu.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-08-07 16:38 . 2010-08-07 16:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-07 16:37 . 2010-08-07 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-07 11:19 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Roaming\SafeReturner
2010-08-07 11:19 . 2010-08-07 11:19 -------- d-----w- c:\program files\Safe Returner
2010-08-07 10:49 . 2010-08-07 10:49 -------- d-----w- c:\program files\Sophos
2010-08-07 06:00 . 2010-08-07 10:34 -------- d-----w- c:\users\Christian\DoctorWeb
2010-08-07 05:24 . 2010-08-07 05:25 -------- d-----w- c:\program files\UnHackMe
2010-08-07 05:12 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Local\temp(10260)
2010-08-06 20:25 . 2010-08-06 20:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-06 18:05 . 2010-08-06 18:05 -------- d-----w- c:\program files\Common Files\Java
2010-08-06 04:23 . 2010-08-06 20:38 -------- d-----w- c:\users\Christian\AppData\Roaming\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\programdata\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Nitro PDF
2010-08-06 04:04 . 2010-08-05 23:00 -------- d-----w- c:\programdata\Hitman Pro
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-08-06 02:08 . 2010-08-06 21:14 -------- d-----w- c:\windows\system32\catroot2(12913)
2010-08-05 23:18 . 2010-08-05 23:18 -------- d-----w- c:\program files\Tizer™ Rootkit Razor
2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\AVG
2010-08-05 02:48 . 2010-08-05 02:48 -------- d-----w- c:\program files\Softwin
2010-08-05 01:55 . 2010-08-05 01:56 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-05 00:45 . 2010-08-07 16:46 -------- d-----w- c:\users\Christian\AppData\Roaming\Thunderbird
2010-08-05 00:45 . 2010-08-07 16:45 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-04 01:24 . 2010-08-05 01:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-04 01:24 . 2010-08-04 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\programdata\RegCure
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\program files\RegCure
2010-07-29 23:03 . 2010-07-29 23:03 -------- d-----w- c:\program files\RocketDock
2010-07-29 22:57 . 2010-07-29 22:57 -------- d-----w- c:\users\Christian\AppData\Roaming\Doomi.809F847005C7832B69625A614BB25CA209244440.1
2010-07-29 19:08 . 2010-07-29 19:08 -------- d-----w- c:\programdata\Alwil Software
2010-07-29 18:40 . 2010-07-29 18:40 -------- d-----w- c:\program files\Freecorder
2010-07-29 18:25 . 2010-08-04 00:48 -------- d-----w- c:\users\Christian\AppData\Local\FLVService
2010-07-29 18:12 . 2010-07-29 18:12 -------- d-----w- c:\program files\iPod(4662)
2010-07-28 23:14 . 2010-07-28 23:14 -------- d-----w- c:\users\Christian\AppData\Roaming\JGsoft
2010-07-20 03:05 . 2010-07-20 03:05 0 ----a-w- c:\users\Christian\AppData\Local\Azuraxakuq.bin
2010-07-20 03:05 . 2010-07-20 03:05 120 ----a-w- c:\users\Christian\AppData\Local\Gxavez.dat
2010-07-19 20:53 . 2010-08-14 00:05 256 ----a-w- c:\windows\system32\pool.bin
2010-07-19 20:53 . 2010-07-19 20:53 -------- d-----w- c:\users\Christian\AppData\Roaming\Research In Motion
2010-07-19 20:51 . 2009-01-09 22:18 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\DesktopMgr.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\programdata\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:57 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\program files\Research In Motion
2010-07-19 05:03 . 2010-08-06 20:36 -------- d-----w- c:\users\Christian\AppData\Local\CutePDF Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 17:03 . 2009-01-18 02:49 -------- d-----w- c:\programdata\NVIDIA
2010-08-16 16:53 . 2009-08-30 20:38 37301 ----a-w- c:\programdata\nvModes.dat
2010-08-15 18:09 . 2009-01-19 19:28 -------- d-----w- c:\users\Christian\AppData\Roaming\FileZilla
2010-08-15 16:04 . 2009-09-26 02:11 -------- d-----w- c:\program files\Everything
2010-08-14 16:48 . 2009-08-25 01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 05:13 . 2009-06-14 05:22 -------- d-----w- c:\users\Christian\AppData\Roaming\.purple
2010-08-10 23:50 . 2010-06-21 02:00 -------- d-----w- c:\program files\iPod
2010-08-07 18:27 . 2010-02-21 00:59 -------- d-----w- c:\program files\Synthesia
2010-08-07 18:25 . 2009-02-07 00:21 -------- d-----w- c:\program files\Common Files\Apple
2010-08-07 18:15 . 2010-06-21 02:07 -------- d-----w- c:\program files\DigiDNA
2010-08-07 06:35 . 2009-01-18 02:20 1356 ----a-w- c:\users\Christian\AppData\Local\d3d9caps.dat
2010-08-06 21:11 . 2009-12-12 03:48 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-06 18:04 . 2009-03-29 03:17 -------- d-----w- c:\program files\Java
2010-08-06 18:01 . 2009-06-22 04:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-06 17:44 . 2009-06-08 03:54 -------- d-----w- c:\program files\Foxit Software
2010-08-05 03:13 . 2009-08-25 01:02 -------- d-----w- c:\programdata\avg8
2010-07-29 22:56 . 2010-03-05 23:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-16 18:31 . 2009-01-18 17:49 -------- d-----w- c:\users\Christian\AppData\Roaming\Dropbox
2010-07-16 05:17 . 2010-06-04 01:15 -------- d-----w- c:\programdata\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-07-16 03:53 . 2010-06-04 00:28 -------- d-----w- c:\program files\Intel
2010-07-13 17:13 . 2010-07-13 17:13 -------- d-----w- c:\program files\FreeMind
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\users\Christian\AppData\Roaming\Stardock
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\program files\Stardock
2010-06-30 16:47 . 2010-06-30 16:47 -------- d-----w- c:\programdata\FirstClass
2010-06-30 16:47 . 2009-01-18 02:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-30 02:21 . 2010-06-30 02:21 -------- d-----w- c:\users\Christian\AppData\Roaming\Vivox
2010-06-25 17:26 . 2009-08-30 20:35 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-25 17:26 . 2009-04-10 02:19 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-25 17:25 . 2010-06-25 17:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-22 19:49 . 2010-07-16 06:34 3349784 -c--a-w- c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}\Fences.exe
2010-06-21 02:21 . 2010-06-21 02:07 -------- d-----w- c:\users\Christian\AppData\Roaming\DiskAid
2010-06-21 01:50 . 2010-06-21 01:50 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-20 21:55 . 2010-06-20 21:55 -------- d-----w- c:\program files\MSXML 4.0
2010-06-19 21:54 . 2010-06-18 22:11 -------- d-----w- c:\program files\Inkscape
2010-06-19 20:52 . 2009-01-18 02:21 139088 ----a-w- c:\users\Christian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-18 22:26 . 2009-01-18 05:27 -------- d-----w- c:\users\Christian\AppData\Roaming\Inkscape
2010-06-18 21:42 . 2009-01-27 18:17 -------- d-----w- c:\users\Christian\AppData\Roaming\Corel
2010-06-18 21:41 . 2009-01-27 18:15 -------- d-----w- c:\programdata\Corel
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-12 21:21 . 2010-06-12 21:21 21 ----a-w- c:\users\Christian\DoddleWebPhone.dat
2010-06-07 23:48 . 2010-06-07 23:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 23:48 . 2010-06-07 23:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 23:48 . 2010-06-07 23:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 23:48 . 2010-06-07 23:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-28 18:58 . 2009-08-25 02:04 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-28 00:45 . 2010-05-28 00:45 892168 ----a-w- c:\programdata\Soluto\Installer\SolutoInstaller.exe
2010-05-26 17:06 . 2010-06-20 21:52 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-20 21:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 23:42 . 2010-05-22 23:42 552 ----a-w- c:\users\Christian\AppData\Local\d3d8caps.dat
2010-05-21 20:14 . 2009-10-18 02:46 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 22:35 . 2010-05-18 22:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 22:35 . 2010-05-18 22:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-10 21:51 . 2010-04-10 21:51 21508 ------w- c:\program files\.DS_Store
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2009-12-12 03:57 . D4F9F8B48A71E66EC21804B87BAFC462 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-22 . A779CA2C76DA4FCB595E692C05E8E4EB . 19048 . . [6.0.6000.16391] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

[-] 2009-06-22 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunderbird"="c:\program files\Mozilla Thunderbird\thunderbird -turbo" [X]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-9-25 245248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.bat]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.bat
backup=c:\windows\pss\map.bat.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.lnk
backup=c:\windows\pss\map.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Update Notifier.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk
backup=c:\windows\pss\Update Notifier.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-22 16:58 133104 ----atw- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 22:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 21:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-07 23:48 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-08-28 13:23 1282048 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-08-03 00:45 53248 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 06:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 06:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cd,78,4d,ed,64,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2391873036-318260933-4054704861-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-10-07 94992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-12-04 25704]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-13 691696]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-02 15360]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2009-10-07 115856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2009-10-07 41424]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2009-10-07 103568]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 23:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000Core.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000UA.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2010-06-06 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2009-05-10 16:30]

2010-01-14 c:\windows\Tasks\User_Feed_Synchronization-{2740724F-C9FE-432A-9868-EEF250A866A3}.job
- c:\windows\system32\msfeedssync.exe [2010-06-20 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\
FF - component: c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\users\Christian\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 11:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E9DB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b7cbd24
\Driver\ACPI -> acpi.sys @ 0x82a96d68
\Driver\atapi -> ataport.SYS @ 0x82ceaa2c
\Driver\iaStor -> iaStor.sys @ 0x82c42464
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-16 11:24:54
ComboFix-quarantined-files.txt 2010-08-16 17:24
ComboFix2.txt 2010-08-15 16:35

Pre-Run: 130,609,324,032 bytes free
Post-Run: 130,579,697,664 bytes free

- - End Of File - - 139B95DA637F006E297168595F726725


#8 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 16 August 2010 - 03:39 PM

Hi there,

Close any open browsers, and close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image


#9 Fennec

Fennec
  • Topic Starter

  • Members
  • 27 posts

Posted 16 August 2010 - 05:39 PM

Hi, I used the script you requested, but ComboFix crashes at stage 5 of the process and force-reboots the machine.

#10 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 16 August 2010 - 06:08 PM

Hi there,

STEP 1 - Batch File

Please open Notepad by going to Start -> Run, typing notepad.exe and pressing Enter. Copy and paste the following into the blank document:
CODE
@echo off
rem copy the clean atapi.sys that Windows keeps in the DriverStore to the root of C:
copy c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys c:\atapi.sys
exit
  • Save to your desktop as: fix.bat
  • Save as file type: All Files
You can open the file by double-clicking fix.bat on your desktop. The file should only open briefly.

STEP 2 - Avenger

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:
Files to move:
C:\atapi.sys | C:\Windows\system32\drivers\atapi.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

STEP 3 - Reply

Please reply with the following logs:
  • Avenger Log

Edited by mpascal, 16 August 2010 - 06:08 PM.

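Posts #8 and #10 both restore atapi.sys from the copy Windows keeps in the DriverStore (the CFScript FCopy line, then the batch file plus the Avenger move). As an added example that is not part of this thread and not a ComboFix or Avenger feature, the Python below checks whether an in-use driver still matches any DriverStore copy by SHA-256; the file layout it uses is constructed in a temp directory, and check_driver, find_store_copies and demo are names assumed here.

```python
"""Check whether the driver a Windows machine is actually loading still matches
the copy Windows keeps in its DriverStore. Added example for this thread, not
a tool from it; the thread's own fix used ComboFix and The Avenger.
check_driver / find_store_copies / demo are names assumed here."""

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_store_copies(store_root, name):
    """Every file called `name` under the DriverStore root (one per driver package)."""
    return sorted(p for p in Path(store_root).rglob(name) if p.is_file())


def check_driver(live_path, store_root):
    """Compare the live driver with its DriverStore copies.

    Verdicts: 'match' when the live file equals at least one store copy,
    'mismatch' when copies exist but none equals the live file, and
    'no-reference' when the DriverStore holds nothing to compare against.
    Assumes the DriverStore copy itself is intact, which is why the helper in
    this thread took atapi.sys from there rather than from the drivers folder.
    """
    live_path = Path(live_path)
    live_hash = sha256_of(live_path)
    copies = find_store_copies(store_root, live_path.name)
    matches = [p for p in copies if sha256_of(p) == live_hash]
    if not copies:
        verdict = "no-reference"
    elif matches:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {
        "verdict": verdict,
        "live_sha256": live_hash,
        "matching_copies": [str(p) for p in matches],
        "candidates": [str(p) for p in copies],
    }


def demo():
    """Run the check on a constructed layout that mirrors the thread's paths.

    On a real Vista system the live driver is
    C:\\Windows\\System32\\drivers\\atapi.sys and the store root is
    C:\\Windows\\System32\\DriverStore\\FileRepository.
    """
    root = Path(tempfile.mkdtemp())
    store = root / "DriverStore" / "FileRepository"
    package = store / "mshdc.inf_b12d8e84"  # package folder name taken from the thread
    package.mkdir(parents=True)
    drivers = root / "drivers"
    drivers.mkdir()

    clean = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a clean atapi.sys"
    (package / "atapi.sys").write_bytes(clean)
    # Constructed stand-in for a live driver whose bytes no longer match the package copy.
    (drivers / "atapi.sys").write_bytes(clean + b"\x90" * 16)

    before = check_driver(drivers / "atapi.sys", store)["verdict"]
    # Restore from the DriverStore copy (what fix.bat plus the Avenger move did) and re-check.
    (drivers / "atapi.sys").write_bytes(clean)
    after = check_driver(drivers / "atapi.sys", store)["verdict"]
    # A driver with no package in the store gets 'no-reference', never a false 'match'.
    (drivers / "nosuch.sys").write_bytes(b"x")
    orphan = check_driver(drivers / "nosuch.sys", store)["verdict"]
    return {"before": before, "after": after, "orphan": orphan}


if __name__ == "__main__":
    print(demo())
```

A kernel rootkit that hooks disk I/O can hand user-mode readers a clean image of a file it has patched, so a 'match' obtained from inside the infected OS is not conclusive; run the comparison from a clean boot environment or against a mounted offline disk.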


#11 Fennec

Fennec
  • Topic Starter

  • Members
  • 27 posts

Posted 17 August 2010 - 04:53 PM

Thanks for this. Here's the log. Redirects are still happening, and I still can't check for Windows updates.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\Windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


#12 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 17 August 2010 - 08:09 PM

Can you run ComboFix again, please?



#13 Fennec

Fennec
  • Topic Starter

  • Members
  • 27 posts

Posted 17 August 2010 - 10:08 PM

Hi again. Here's the new ComboFix log.

ComboFix 10-08-17.02 - Christian 08/17/2010 20:40:53.6.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2372 [GMT -6:00]
Running from: c:\users\Christian\Downloads\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\users\Christian\AppData\Local\temp
2010-08-16 22:12 . 2010-08-16 22:20 -------- d-----w- C:\Combo-Fix
2010-08-12 04:10 . 2010-08-12 04:10 2157 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-08-12 04:10 . 2010-08-12 04:10 1779 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.oscar.aol.com
2010-08-12 04:10 . 2010-08-12 04:10 2095 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
2010-08-12 04:10 . 2010-08-12 04:10 1691 ----a-w- c:\users\Christian\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-08-07 16:58 . 2009-12-09 23:31 20992 ----a-w- c:\users\Christian\AppData\Roaming\Thunderbird\Profiles\dw2iqabu.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
2010-08-07 16:49 . 2010-06-20 10:21 214016 ----a-w- c:\users\Christian\AppData\Roaming\Thunderbird\Profiles\dw2iqabu.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-08-07 16:38 . 2010-08-07 16:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-07 16:37 . 2010-08-07 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-07 11:19 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Roaming\SafeReturner
2010-08-07 11:19 . 2010-08-07 11:19 -------- d-----w- c:\program files\Safe Returner
2010-08-07 10:49 . 2010-08-07 10:49 -------- d-----w- c:\program files\Sophos
2010-08-07 06:00 . 2010-08-07 10:34 -------- d-----w- c:\users\Christian\DoctorWeb
2010-08-07 05:24 . 2010-08-07 05:25 -------- d-----w- c:\program files\UnHackMe
2010-08-07 05:12 . 2010-08-07 11:22 -------- d-----w- c:\users\Christian\AppData\Local\temp(10260)
2010-08-06 20:25 . 2010-08-06 20:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-06 18:05 . 2010-08-06 18:05 -------- d-----w- c:\program files\Common Files\Java
2010-08-06 04:23 . 2010-08-06 20:38 -------- d-----w- c:\users\Christian\AppData\Roaming\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\programdata\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-08-06 04:22 . 2010-08-06 04:22 -------- d-----w- c:\program files\Nitro PDF
2010-08-06 04:04 . 2010-08-05 23:00 -------- d-----w- c:\programdata\Hitman Pro
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-08-06 03:24 . 2010-08-06 03:24 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-08-06 02:08 . 2010-08-06 21:14 -------- d-----w- c:\windows\system32\catroot2(12913)
2010-08-05 23:18 . 2010-08-05 23:18 -------- d-----w- c:\program files\Tizer™ Rootkit Razor
2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\AVG
2010-08-05 02:48 . 2010-08-05 02:48 -------- d-----w- c:\program files\Softwin
2010-08-05 01:55 . 2010-08-05 01:56 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-05 00:45 . 2010-08-07 16:46 -------- d-----w- c:\users\Christian\AppData\Roaming\Thunderbird
2010-08-05 00:45 . 2010-08-07 16:45 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-04 01:24 . 2010-08-05 01:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-04 01:24 . 2010-08-04 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\programdata\RegCure
2010-08-04 00:36 . 2010-08-04 00:41 -------- d-----w- c:\program files\RegCure
2010-07-29 23:03 . 2010-07-29 23:03 -------- d-----w- c:\program files\RocketDock
2010-07-29 22:57 . 2010-07-29 22:57 -------- d-----w- c:\users\Christian\AppData\Roaming\Doomi.809F847005C7832B69625A614BB25CA209244440.1
2010-07-29 19:08 . 2010-07-29 19:08 -------- d-----w- c:\programdata\Alwil Software
2010-07-29 18:40 . 2010-07-29 18:40 -------- d-----w- c:\program files\Freecorder
2010-07-29 18:25 . 2010-08-04 00:48 -------- d-----w- c:\users\Christian\AppData\Local\FLVService
2010-07-29 18:12 . 2010-07-29 18:12 -------- d-----w- c:\program files\iPod(4662)
2010-07-28 23:14 . 2010-07-28 23:14 -------- d-----w- c:\users\Christian\AppData\Roaming\JGsoft
2010-07-20 03:05 . 2010-07-20 03:05 0 ----a-w- c:\users\Christian\AppData\Local\Azuraxakuq.bin
2010-07-20 03:05 . 2010-07-20 03:05 120 ----a-w- c:\users\Christian\AppData\Local\Gxavez.dat
2010-07-19 20:53 . 2010-08-14 00:05 256 ----a-w- c:\windows\system32\pool.bin
2010-07-19 20:53 . 2010-07-19 20:53 -------- d-----w- c:\users\Christian\AppData\Roaming\Research In Motion
2010-07-19 20:51 . 2009-01-09 22:18 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-07-19 20:50 . 2010-07-19 20:50 69632 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\DesktopMgr.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 49152 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{10B9A312-F141-44B9-A2CE-C8379CBBFD14}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\programdata\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:57 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-07-19 20:50 . 2010-07-19 20:50 -------- d-----w- c:\program files\Research In Motion
2010-07-19 05:03 . 2010-08-06 20:36 -------- d-----w- c:\users\Christian\AppData\Local\CutePDF Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 02:39 . 2009-01-18 02:49 -------- d-----w- c:\programdata\NVIDIA
2010-08-17 21:45 . 2009-08-30 20:38 37301 ----a-w- c:\programdata\nvModes.dat
2010-08-15 18:09 . 2009-01-19 19:28 -------- d-----w- c:\users\Christian\AppData\Roaming\FileZilla
2010-08-15 16:04 . 2009-09-26 02:11 -------- d-----w- c:\program files\Everything
2010-08-14 16:48 . 2009-08-25 01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 05:13 . 2009-06-14 05:22 -------- d-----w- c:\users\Christian\AppData\Roaming\.purple
2010-08-10 23:50 . 2010-06-21 02:00 -------- d-----w- c:\program files\iPod
2010-08-07 18:27 . 2010-02-21 00:59 -------- d-----w- c:\program files\Synthesia
2010-08-07 18:25 . 2009-02-07 00:21 -------- d-----w- c:\program files\Common Files\Apple
2010-08-07 18:15 . 2010-06-21 02:07 -------- d-----w- c:\program files\DigiDNA
2010-08-07 06:35 . 2009-01-18 02:20 1356 ----a-w- c:\users\Christian\AppData\Local\d3d9caps.dat
2010-08-06 21:11 . 2009-12-12 03:48 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-06 18:04 . 2009-03-29 03:17 -------- d-----w- c:\program files\Java
2010-08-06 18:01 . 2009-06-22 04:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-06 17:44 . 2009-06-08 03:54 -------- d-----w- c:\program files\Foxit Software
2010-08-05 03:13 . 2009-08-25 01:02 -------- d-----w- c:\programdata\avg8
2010-07-29 22:56 . 2010-03-05 23:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-16 18:31 . 2009-01-18 17:49 -------- d-----w- c:\users\Christian\AppData\Roaming\Dropbox
2010-07-16 05:17 . 2010-06-04 01:15 -------- d-----w- c:\programdata\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-07-16 03:53 . 2010-06-04 00:28 -------- d-----w- c:\program files\Intel
2010-07-13 17:13 . 2010-07-13 17:13 -------- d-----w- c:\program files\FreeMind
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\users\Christian\AppData\Roaming\Stardock
2010-07-06 20:50 . 2010-07-06 20:50 -------- d-----w- c:\program files\Stardock
2010-06-30 16:47 . 2010-06-30 16:47 -------- d-----w- c:\programdata\FirstClass
2010-06-30 16:47 . 2009-01-18 02:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-30 02:21 . 2010-06-30 02:21 -------- d-----w- c:\users\Christian\AppData\Roaming\Vivox
2010-06-25 17:26 . 2009-08-30 20:35 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-25 17:26 . 2009-04-10 02:19 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-25 17:25 . 2010-06-25 17:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-22 19:49 . 2010-07-16 06:34 3349784 -c--a-w- c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}\Fences.exe
2010-06-21 02:21 . 2010-06-21 02:07 -------- d-----w- c:\users\Christian\AppData\Roaming\DiskAid
2010-06-21 01:50 . 2010-06-21 01:50 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-20 21:55 . 2010-06-20 21:55 -------- d-----w- c:\program files\MSXML 4.0
2010-06-19 21:54 . 2010-06-18 22:11 -------- d-----w- c:\program files\Inkscape
2010-06-19 20:52 . 2009-01-18 02:21 139088 ----a-w- c:\users\Christian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-15 18:30 . 2009-01-27 18:17 2568 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-12 21:21 . 2010-06-12 21:21 21 ----a-w- c:\users\Christian\DoddleWebPhone.dat
2010-06-07 23:48 . 2010-06-07 23:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 23:48 . 2010-06-07 23:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 23:48 . 2010-06-07 23:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 23:48 . 2010-06-07 23:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-28 18:58 . 2009-08-25 02:04 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-28 00:45 . 2010-05-28 00:45 892168 ----a-w- c:\programdata\Soluto\Installer\SolutoInstaller.exe
2010-05-26 17:06 . 2010-06-20 21:52 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-20 21:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 23:42 . 2010-05-22 23:42 552 ----a-w- c:\users\Christian\AppData\Local\d3d8caps.dat
2010-05-21 20:14 . 2009-10-18 02:46 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-10 21:51 . 2010-04-10 21:51 21508 ------w- c:\program files\.DS_Store
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2009-06-22 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Christian\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunderbird"="c:\program files\Mozilla Thunderbird\thunderbird -turbo" [X]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-9-25 245248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.bat]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.bat
backup=c:\windows\pss\map.bat.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^map.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\map.lnk
backup=c:\windows\pss\map.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Update Notifier.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk
backup=c:\windows\pss\Update Notifier.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-22 16:58 133104 ----atw- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 22:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 21:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-07 23:48 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-08-28 13:23 1282048 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-08-03 00:45 53248 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 06:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 06:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cd,78,4d,ed,64,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2391873036-318260933-4054704861-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-10-07 94992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-12-04 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-12-04 25704]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-13 691696]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-02 15360]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2009-10-07 115856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2009-10-07 41424]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2009-10-07 103568]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 23:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000Core.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391873036-318260933-4054704861-1000UA.job
- c:\users\Christian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-22 16:58]

2010-06-06 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2009-05-10 16:30]

2010-01-14 c:\windows\Tasks\User_Feed_Synchronization-{2740724F-C9FE-432A-9868-EEF250A866A3}.job
- c:\windows\system32\msfeedssync.exe [2010-06-20 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\
FF - component: c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\v862mytj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\users\Christian\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-17 21:01:29
ComboFix-quarantined-files.txt 2010-08-18 03:01
ComboFix2.txt 2010-08-16 17:26
ComboFix3.txt 2010-08-15 16:35

Pre-Run: 130,542,690,304 bytes free
Post-Run: 130,526,302,208 bytes free

- - End Of File - - 424AB96A77EC14D7BC592129F5D81E4A


#14 mpascal

    Math Nerd

  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:01:41 PM

Posted 17 August 2010 - 11:18 PM

Hi there,

Do you have a Windows disk by chance?


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#15 Fennec
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:41 PM

Posted 17 August 2010 - 11:29 PM

Yes, I have the Windows Vista install disc.
