
infected with backdoor.tidserv.l!.inf and ultra.sys


  • This topic is locked
26 replies to this topic

#1 pjinpv

  • Members
  • 13 posts

Posted 16 September 2010 - 09:32 AM

Hi,

I began to have multiple issues a few days ago, primarily with I.E. 8. I would constantly be redirected, mostly to ad sites, and often to something called "theclickcheck.com". Also, my back button began to work strangely... it would take several rapid clicks to get back from whatever site I was on (and it doesn't seem to matter where I am trying to go back from). Often, when I try to follow a link to a site, I get a message that I have no connection, even though I do. I also tried to install CounterSpy, but got a message, "The System Administrator has set policies to prevent this installation." I am the System Administrator, and the only user of my computer, and have not made any such settings, nor can I find any restrictions in Control Panel/Administrative Tools.

I run Norton AV 2008, version 15.5.0.23, which doesn't find any viruses on my system. I contacted Symantec's chat line, and was advised to run Norton Power Eraser. It would not connect to the internet. Then they had me run Recovery Utility Tool. I had to download it from another computer, since mine would not connect to the download. In fact, I cannot seem to download nor install some (but not all) other software. So I DL'ed the tool on another computer, made a CD, and ran it on mine. It identified two infections: ultra.sys and backdoor.tidserv.l!.inf. It claims to have fixed the backdoor, but could not fix the ultra.

On further research, I have learned that ultra.sys is a necessary file authored by Microsoft, and so it may be that someone has done a bait and switch on me.

In any event, I still have all the above mentioned issues, and given my experience with Norton, I am not convinced that either infection has been fixed!

Once I get past this, I am considering abandoning my 20+ years of Norton loyalty in favor of Avast, but would appreciate advice on the matter of AV protection (free or paid).

As you will see from the logs, I also run Zone Alarm Pro, which is why I have not updated my Norton AV lately... newer versions do not play well with ZA, and Norton seems unconcerned about that incompatibility. Their only advice to me was to drop ZA, since they have no plan to fix their incompatibility issue.

Logs follow, as per instructions. I will greatly appreciate any assistance you can offer me!

Yours.

pjinpv


DDS (Ver_10-03-17.01) - NTFSx86
Run by Valued Customer at 16:46:27.42 on Wed 09/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.646 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cobian Backup 6\CobBU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Cobian Backup 6\cobui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Norton\NUA.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Valued Customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Video Download Toolbar Helper: {83bd144c-5e53-4e12-8e99-5a7f1bbf3ea0} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll
BHO: Video Download Toolbar IE Browser Helper Object: {b29002a0-87a1-4dc4-ac55-5982034eb61e} - c:\progra~1\videod~1\v330~1.3\resour~1\VIDEOD~1.DLL
TB: Authorworks Main: {88651b85-70a6-42d7-96f5-08c9922d67bb} - c:\program files\netmediaone\authorworks editor\ObjectsToolbar.dll
TB: Authorworks Format: {b4e5d5f0-6b07-4455-84e3-8fbf047dcd70} - c:\program files\netmediaone\authorworks editor\FormatToolbar.dll
TB: Power Karaoke Toolbar: {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - c:\program files\power_karaoke\tbPowe.dll
TB: Video Download Toolbar: {e52be12d-a44a-4f51-9dc1-34f37a488cc7} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NortonUpdateAgent] c:\documents and settings\all users\application data\norton\NUA.exe
mRun: [Cobian Backup 6] "c:\program files\cobian backup 6\CobBU.exe"
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {0FBBCB47-2A17-4709-8C35-88852005B2C9} - {88651B85-70A6-42D7-96F5-08C9922D67BB} - c:\program files\netmediaone\authorworks editor\ObjectsToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.181,93.188.166.181
TCP: {011A29D7-0720-4369-8953-FD0C490F6BA7} = 93.188.163.181,93.188.166.181
TCP: {6E328955-0C7F-485C-BC5F-0143B1A330AC} = 93.188.163.181,93.188.166.181
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valued~1\applic~1\mozilla\firefox\profiles\7f927aa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\siteranker\firefox\components\siterank.dll
FF - plugin: c:\documents and settings\valued customer\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 MFX;MFX; [x]
R1 SymSMR130;SMR Utility Service 1.3.0;c:\windows\system32\drivers\SymSMR130.SYS [2010-9-15 63536]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-12 280344]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-9-14 312152]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-5-12 200192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100915.002\NAVENG.SYS [2010-9-15 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100915.002\NAVEX15.SYS [2010-9-15 1362608]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-8 1245064]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [2006-5-12 52108]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-2 135664]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\valued~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\valued~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-10-18 20608]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-6-7 23096]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 GSService;GSService;"c:\windows\system32\gsservice.exe" --> c:\windows\system32\GSService.exe [?]
S3 ISD200;USB Storage Adapter V2;c:\windows\system32\drivers\ISD200.SYS [2008-12-10 26930]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [2005-1-6 18048]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-6-7 23096]
S3 ZD1211BU(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\system32\drivers\ZD1211BU.sys [2006-10-18 402432]

=============== Created Last 30 ================

2010-09-15 20:36:01 0 ----a-w- c:\documents and settings\valued customer\defogger_reenable
2010-09-15 20:12:06 0 ----a-w- c:\windows\system32\drivers\SymSMR130.dat
2010-09-15 20:12:05 63536 ----a-w- c:\windows\system32\drivers\SymSMR130.SYS
2010-09-15 20:09:43 2400768 --sha-w- c:\documents and settings\valued customer\ntuser.dat.LOG1
2010-09-15 20:09:43 0 --sha-w- c:\documents and settings\valued customer\ntuser.dat.LOG2
2010-09-15 19:25:21 0 d-----w- C:\NBRT
2010-09-14 22:40:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-14 12:26:52 0 d-----w- c:\docume~1\valued~1\applic~1\IObit
2010-09-14 12:26:50 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-09-14 12:26:47 0 d-----w- c:\program files\IObit
2010-09-14 11:57:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 11:26:25 0 d-----w- c:\program files\W3i, LLC
2010-09-13 22:49:10 471102 -c--a-w- c:\windows\system32\dllcache\imskdic.dll
2010-09-13 22:49:09 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2010-09-13 22:49:08 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe
2010-09-13 22:49:06 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-09-13 22:49:04 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
2010-09-13 22:49:04 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2010-09-13 22:49:04 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2010-09-13 22:49:02 6656 -c--a-w- c:\windows\system32\dllcache\iissync.exe
2010-09-13 22:49:02 134339 -c--a-w- c:\windows\system32\dllcache\imekr.lex
2010-09-13 22:49:01 3584 -c--a-w- c:\windows\system32\dllcache\iismui.dll
2010-09-13 22:49:01 19456 -c--a-w- c:\windows\system32\dllcache\iiscrmap.dll
2010-09-13 22:49:00 60928 -c--a-w- c:\windows\system32\dllcache\iisclex4.dll
2010-09-13 22:47:59 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-09-13 22:46:59 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-09-13 22:45:59 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-09-13 22:44:58 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-09-13 22:43:58 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-09-13 22:42:57 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-09-13 22:41:55 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2010-09-13 22:40:59 66082 -c--a-w- c:\windows\system32\dllcache\c_1140.nls
2010-09-13 22:39:59 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-09-13 22:37:38 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-13 22:37:28 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-13 22:37:16 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-13 22:37:16 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-13 22:37:15 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-13 22:37:14 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-13 22:37:14 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-13 22:37:13 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-13 22:37:07 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2010-09-09 16:15:24 11 ----a-r- c:\windows\amunres.lsl
2010-09-09 15:39:31 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-09-09 01:43:59 186368 ----a-w- c:\windows\Udukoa.exe
2010-09-08 14:16:50 0 d-----w- c:\temp\DMTemp
2010-09-07 14:07:03 10 ---ha-w- C:\yvikit.vlr
2010-09-07 14:06:53 0 d-----w- c:\program files\videofixer

==================== Find3M ====================

2010-09-15 23:21:09 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-09-12 10:36:03 28276 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-08-14 23:38:56 5632 --sha-w- c:\program files\Thumbs.db
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2008-11-27 22:42:14 104 ----a-w- c:\program files\Internet.lnk
2008-03-07 00:18:21 18562 ----a-w- c:\program files\irunin.ini
2008-03-07 00:18:13 8154 ----a-w- c:\program files\irunin.bmp
2008-03-07 00:18:13 28994 ----a-w- c:\program files\irunin.dat
2008-03-07 00:18:13 15938 ----a-w- c:\program files\irunin.lng
2006-05-17 00:53:46 1208 ----a-w- c:\program files\fancy_dvd.fluxdvd
2005-01-09 16:50:46 3693 --sha-w- c:\windows\rreg32.dll
2005-01-09 16:50:46 2332 --sha-w- c:\windows\utapi32.dll
2005-07-14 16:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2008-08-18 00:27:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 16:49:44.73 ===============
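A triage pass over the DDS log above, as an added example that is not from the original thread or from the DDS tool: it reads DDS-format lines and flags what a responder checks first, namely resolvers outside a trusted set (TRUSTED_DNS is a constructed stand-in for the router or ISP DNS), drivers DDS marks [x] or [?], orphaned "No File" toolbar entries, and executables or freshly written drivers in unusual locations. The sample lines are copied from the log in this post.

```python
"""Triage pass over DDS-format log lines (added example, not the thread's own
code): flags unexpected DNS servers, drivers DDS marks [x] or [?], orphaned
browser add-on entries, and executables written in unusual places."""
import re
import ipaddress
from datetime import date, timedelta

# Constructed stand-in for the resolvers this machine should be using
# (normally the router or ISP DNS). Anything else deserves a look.
TRUSTED_DNS = {"192.168.1.1"}
# Scan date from the "Run by ... on Wed 09/15/2010" header above.
LOG_DATE = date(2010, 9, 15)

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_DDS = r"""
TB: Video Download Toolbar: {e52be12d-a44a-4f51-9dc1-34f37a488cc7} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TCP: NameServer = 93.188.163.181,93.188.166.181
TCP: {011A29D7-0720-4369-8953-FD0C490F6BA7} = 93.188.163.181,93.188.166.181
R0 MFX;MFX; [x]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-12 280344]
S3 GSService;GSService;"c:\windows\system32\gsservice.exe" --> c:\windows\system32\GSService.exe [?]
2010-09-15 23:21:09 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-09-09 01:43:59 186368 ----a-w- c:\windows\Udukoa.exe
"""

SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.*)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d \d+ \S{8} (.+)$")


def check_dns(line):
    """Resolver entries: a public address outside TRUSTED_DNS is suspect."""
    m = DNS_RE.match(line)
    if not m:
        return []
    findings = []
    for raw in m.group(1).split(","):
        raw = raw.strip()
        ip = ipaddress.ip_address(raw)
        if raw not in TRUSTED_DNS and not ip.is_private:
            findings.append(("HIGH", f"unexpected public DNS server {ip}"))
    return findings


def check_service(line):
    """[x]: DDS found no file for the registered driver; [?]: unreadable."""
    m = SVC_RE.match(line)
    if not m:
        return []
    start, name, rest = m.groups()
    rest = rest.rstrip()
    if rest.endswith("[x]"):
        # A boot/system-start driver with no file is the more urgent case.
        sev = "HIGH" if start in ("R0", "R1", "S0") else "MEDIUM"
        return [(sev, f"{start} {name}: no file found for registered driver")]
    if rest.endswith("[?]"):
        return [("LOW", f"{start} {name}: file details unreadable")]
    return []


def check_orphan(line):
    """Toolbar/BHO entries whose DLL is gone: usually leftovers, still noted."""
    if line.startswith(("TB:", "BHO:")) and line.rstrip().endswith("- No File"):
        return [("LOW", f"orphaned browser add-on entry: {line.strip()}")]
    return []


def check_file(line, log_date=LOG_DATE, fresh_days=7):
    """Executables directly in c:\\windows and drivers written within days of
    the scan get a closer look; vendor cleanup drivers land here too, so each
    hit is still checked against its publisher before acting on it."""
    m = FILE_RE.match(line)
    if not m:
        return []
    written = date.fromisoformat(m.group(1))
    path = m.group(2).strip().lower()
    findings = []
    if re.fullmatch(r"c:\\windows\\[^\\]+\.(exe|dll)", path):
        findings.append(("MEDIUM", f"executable directly under c:\\windows: {path}"))
    if path.endswith(".sys") and "\\drivers\\" in path \
            and log_date - written <= timedelta(days=fresh_days):
        findings.append(("MEDIUM", f"driver written within {fresh_days} days of scan: {path}"))
    return findings


def triage(text, log_date=LOG_DATE):
    """Run every check over each line; returns a list of (severity, message)."""
    findings = []
    for line in text.splitlines():
        findings += (check_dns(line) + check_service(line)
                     + check_orphan(line) + check_file(line, log_date))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_DDS):
        print(f"[{sev}] {msg}")
```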




#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 September 2010 - 01:46 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. Log from RKUnHooker
      3. Let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 September 2010 - 11:09 PM

Hello

three day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


#4 pjinpv

  • Topic Starter

  • Members
  • 13 posts

Posted 25 September 2010 - 02:18 PM

Gringo,

Thanks for your help... this thing has been driving me crazy!

DDS log and RKUnHooker logs are below.

I ran scandisk a few days ago, and it found and fixed a couple things. The result is that I can now install new software, which I could not do before.

Still problematic:

I use I.E., Google Chrome, and Firefox. These issues happen with all 3, but more often with I.E.

1. I get redirected to ad sites, and frequently to "theclickcheck.com"

If I want to use the back button, I have to hit it three or four times to get it to back out of whatever site I am on.

Often, portions of a site are missing, and a "cannot connect" error message appears in their places.

Sometimes, if I try to follow a link to a site, I will get a connection error message. If I use the reload button, the site will then load.

Lately, I have been redirected to a site that wants to scan my computer for viruses. It says:

Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate antiviruses check!
Antivirus 2010 will perform a quick and free online checking of your PC

In general, browsers are running slower than normal.

Thanks for any help you can offer!

The logs:

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Valued Customer at 11:56:51.42 on Sat 09/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.684 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Cobian Backup 6\CobBU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cobian Backup 6\cobui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\MDM.EXE
C:\Documents and Settings\Valued Customer\Desktop\bleeping computer files\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Video Download Toolbar Helper: {83bd144c-5e53-4e12-8e99-5a7f1bbf3ea0} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll
BHO: Video Download Toolbar IE Browser Helper Object: {b29002a0-87a1-4dc4-ac55-5982034eb61e} - c:\progra~1\videod~1\v330~1.3\resour~1\VIDEOD~1.DLL
TB: Authorworks Main: {88651b85-70a6-42d7-96f5-08c9922d67bb} - c:\program files\netmediaone\authorworks editor\ObjectsToolbar.dll
TB: Authorworks Format: {b4e5d5f0-6b07-4455-84e3-8fbf047dcd70} - c:\program files\netmediaone\authorworks editor\FormatToolbar.dll
TB: Power Karaoke Toolbar: {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - c:\program files\power_karaoke\tbPowe.dll
TB: Video Download Toolbar: {e52be12d-a44a-4f51-9dc1-34f37a488cc7} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [Cobian Backup 6] "c:\program files\cobian backup 6\CobBU.exe"
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {0FBBCB47-2A17-4709-8C35-88852005B2C9} - {88651B85-70A6-42D7-96F5-08C9922D67BB} - c:\program files\netmediaone\authorworks editor\ObjectsToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.181,93.188.166.181
TCP: {011A29D7-0720-4369-8953-FD0C490F6BA7} = 93.188.163.181,93.188.166.181
TCP: {6E328955-0C7F-485C-BC5F-0143B1A330AC} = 93.188.163.181,93.188.166.181
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valued~1\applic~1\mozilla\firefox\profiles\7f927aa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\siteranker\firefox\components\siterank.dll
FF - plugin: c:\documents and settings\valued customer\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 MFX;MFX; [x]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-12 280344]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-9-14 312152]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-5-12 200192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100924.040\NAVENG.SYS [2010-9-25 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100924.040\NAVEX15.SYS [2010-9-25 1362608]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-8 1245064]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [2006-5-12 52108]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-2 135664]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\valued~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\valued~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-10-18 20608]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-6-7 23096]
S3 GSService;GSService;"c:\windows\system32\gsservice.exe" --> c:\windows\system32\GSService.exe [?]
S3 ISD200;USB Storage Adapter V2;c:\windows\system32\drivers\ISD200.SYS [2008-12-10 26930]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [2005-1-6 18048]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-6-7 23096]
S3 ZD1211BU(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\system32\drivers\ZD1211BU.sys [2006-10-18 402432]
S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]

=============== Created Last 30 ================

2010-09-22 16:51:54 0 d-----w- c:\documents and settings\valued customer\dwhelper
2010-09-22 15:26:52 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_1296.exe
2010-09-22 13:53:32 0 d-----w- c:\program files\common files\Macrovision Shared
2010-09-19 21:47:33 0 ----a-w- c:\windows\system32\ü=ü=
2010-09-16 22:36:24 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_2796.exe
2010-09-15 20:36:01 0 ----a-w- c:\documents and settings\valued customer\defogger_reenable
2010-09-15 20:09:43 2400768 --sha-w- c:\documents and settings\valued customer\ntuser.dat.LOG1
2010-09-15 20:09:43 0 --sha-w- c:\documents and settings\valued customer\ntuser.dat.LOG2
2010-09-15 19:25:21 0 d-----w- C:\NBRT
2010-09-14 22:40:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-14 12:26:52 0 d-----w- c:\docume~1\valued~1\applic~1\IObit
2010-09-14 12:26:50 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-09-14 12:26:47 0 d-----w- c:\program files\IObit
2010-09-14 11:57:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 11:26:25 0 d-----w- c:\program files\W3i, LLC
2010-09-13 22:49:10 471102 -c--a-w- c:\windows\system32\dllcache\imskdic.dll
2010-09-13 22:49:09 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2010-09-13 22:49:08 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe
2010-09-13 22:49:06 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-09-13 22:49:04 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
2010-09-13 22:49:04 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2010-09-13 22:49:04 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2010-09-13 22:49:02 6656 -c--a-w- c:\windows\system32\dllcache\iissync.exe
2010-09-13 22:49:02 134339 -c--a-w- c:\windows\system32\dllcache\imekr.lex
2010-09-13 22:49:01 3584 -c--a-w- c:\windows\system32\dllcache\iismui.dll
2010-09-13 22:49:01 19456 -c--a-w- c:\windows\system32\dllcache\iiscrmap.dll
2010-09-13 22:49:00 60928 -c--a-w- c:\windows\system32\dllcache\iisclex4.dll
2010-09-13 22:47:59 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-09-13 22:46:59 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-09-13 22:45:59 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-09-13 22:44:58 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-09-13 22:43:58 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-09-13 22:42:57 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-09-13 22:41:55 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2010-09-13 22:40:59 66082 -c--a-w- c:\windows\system32\dllcache\c_1140.nls
2010-09-13 22:39:59 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-09-13 22:37:38 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-13 22:37:28 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-13 22:37:16 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-13 22:37:16 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-13 22:37:15 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-13 22:37:14 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-13 22:37:14 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-13 22:37:13 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-13 22:37:07 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2010-09-09 16:15:24 11 ----a-r- c:\windows\amunres.lsl
2010-09-09 15:39:31 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-09-08 14:16:50 0 d-----w- c:\temp\DMTemp
2010-09-07 14:07:03 10 ---ha-w- C:\yvikit.vlr
2010-09-07 14:06:53 0 d-----w- c:\program files\videofixer

==================== Find3M ====================

2010-09-22 16:53:30 571080 ----a-w- c:\windows\system32\FNTCACHE.DAT
2010-09-15 23:21:09 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-09-12 10:36:03 28276 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-08-14 23:38:56 5632 --sha-w- c:\program files\Thumbs.db
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2008-11-27 22:42:14 104 ----a-w- c:\program files\Internet.lnk
2008-03-07 00:18:21 18562 ----a-w- c:\program files\irunin.ini
2008-03-07 00:18:13 8154 ----a-w- c:\program files\irunin.bmp
2008-03-07 00:18:13 28994 ----a-w- c:\program files\irunin.dat
2008-03-07 00:18:13 15938 ----a-w- c:\program files\irunin.lng
2006-05-17 00:53:46 1208 ----a-w- c:\program files\fancy_dvd.fluxdvd
2005-01-09 16:50:46 3693 --sha-w- c:\windows\rreg32.dll
2005-01-09 16:50:46 2332 --sha-w- c:\windows\utapi32.dll
2005-07-14 16:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2008-08-18 00:27:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 11:59:28.81 ===============
RKUnhooker log:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2310144 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAD081000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100924.040\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0xB9A32000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1200128 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xB96CC000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1040384 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB9E18000 IASTOR.SYS 872448 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xB9620000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 704512 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF2E6000 C:\WINDOWS\System32\ativvaxx.dll 606208 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB9CBF000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB50D8000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB519B000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 458752 bytes (Symantec Corporation, SPBBC Driver)
0xB507A000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB9542000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB9915000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 372736 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xB537E000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB19CA000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB981F000 C:\WINDOWS\system32\drivers\camc6hal.sys 352256 bytes (Conexant Systems Inc., Conexant AmcHal Driver)
0xB09F9000 C:\WINDOWS\System32\Drivers\SRTSP.SYS 299008 bytes (Symantec Corporation, Symantec AutoProtect)
0xB52AA000 C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20100915.004\SymIDSCo.sys 290816 bytes (Symantec Corporation, IDS Core Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB523F000 C:\WINDOWS\System32\vsdatant.sys 274432 bytes (Zone Labs LLC, TrueVector Device Driver)
0xB1D4C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 245760 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB99E5000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 233472 bytes (Marvell, NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller)
0xBF04E000 C:\WINDOWS\System32\ati2cqag.dll 204800 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF080000 C:\WINDOWS\System32\atikvmag.dll 204800 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB97CA000 C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys 200704 bytes (Conexant Systems, Inc., HSFHWATI WDM driver)
0xB95C8000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9970000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 188416 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9C92000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB9DBB000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0xB5352000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 180224 bytes (Symantec Corporation, Network Dispatch Driver)
0xB5170000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB5282000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F05000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB532C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB5307000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xB4FDE000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB97FB000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB99C1000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB999E000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB521D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9D9B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xAFA64000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB9BD8000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9DE7000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xB9E00000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EED000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9D72000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9609000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB52F1000 C:\WINDOWS\System32\Drivers\SYMFW.SYS 90112 bytes (Symantec Corporation, Firewall Filter Driver)
0xB1DB0000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xAD06D000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100924.040\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB9A1E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB9D4C000 DefragFS.sys 77824 bytes (Raxco Software, Inc., Defragmentation Support Driver)
0xB53D7000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9D5F000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9D89000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB95F8000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB4F5E000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA298000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA1D8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA258000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 61440 bytes (Advanced Micro Devices, AMD Processor Driver)
0xB9C02000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA2E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB1E25000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB9C32000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA108000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xBA0D8000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xBA168000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xAF383000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA188000 MFX.sys 49152 bytes
0xBA148000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA138000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA318000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1F8000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xBA228000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xBA208000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xBA218000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xB9895000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA288000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA308000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xADF31000 C:\WINDOWS\system32\DRIVERS\sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xBA1B8000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xBA2D8000 C:\WINDOWS\system32\drivers\camc6aud.sys 40960 bytes (Conexant Systems Inc., Conexant WDM AC97 Audio Driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB9C62000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA178000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA128000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA0F8000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xBA1A8000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xB98E5000 C:\WINDOWS\System32\Drivers\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xB9C72000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA158000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB94AA000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB9C82000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAD1ED000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0E8000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA118000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0xB9C22000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA480000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA4B0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA358000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xB540A000 C:\WINDOWS\System32\Drivers\SYMIDS.SYS 32768 bytes (Symantec Corporation, IDS Filter Driver)
0xB5452000 C:\WINDOWS\System32\Drivers\SYMNDIS.SYS 32768 bytes (Symantec Corporation, NDIS Filter Driver)
0xBA368000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA340000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xBA428000 C:\WINDOWS\System32\Drivers\ElbyCDFL.sys 28672 bytes (SlySoft, Inc., ElbyCDIO Filter Driver)
0xBA468000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA390000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xBA440000 C:\WINDOWS\System32\Drivers\MxlW2k.SYS 28672 bytes (MusicMatch, Inc., MusicMatch Access Layer KMD)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA388000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xBA360000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0xBA450000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA370000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xBA378000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xBA490000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB5432000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA478000 C:\WINDOWS\system32\DRIVERS\SymIM.sys 24576 bytes (Symantec Corporation, NDIS Intermediate Driver)
0xBA488000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB5412000 C:\WINDOWS\System32\Drivers\ASPI32.SYS 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xBA380000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xBA3B8000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xBA350000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xBA348000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xBA4A0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA408000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA420000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA338000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB5442000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4CC000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xBA4DC000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA4E4000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xB9BA0000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA4C8000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xBA4D4000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xB1EFD000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xBA4E0000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xBA560000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB260C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4D0000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xB9B6F000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 16384 bytes (Symantec Corporation, Redirector Filter Driver)
0xB0A5A000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4D8000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB516C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB5158000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9BB4000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB1C39000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xB5148000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9B7B000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9BA4000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5AC000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xBA5E4000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B8000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xBA5AE000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xBA5B6000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5E0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5B4000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5E8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5BA000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xBA5EC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5D8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5F0000 C:\WINDOWS\System32\Drivers\SYMDNS.SYS 8192 bytes (Symantec Corporation, DNS Filter Driver)
0xBA5B0000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xBA5D0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5B2000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA695000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6DA000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))
0xBA6DB000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))
0xBA719000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6DF000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A0D7AEA ?_empty_? 1302 bytes
0x8A0D7EC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x8A092278 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E00000 WARNING: suspicious driver modification [atapi.sys::0x8A0D7AEA]
0xBA118000 WARNING: Virus alike driver modification [ultra.sys], 36864 bytes
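
The tail of the report above is the part a responder actually reads: two driver objects that no module on disk accounts for ("Hidden driver"), an IRP handler at 0x8A0D7EC5 that belongs to no listed module, and a ">Stealth" section saying that a dispatch pointer in atapi.sys now points at 0x8A0D7AEA, which is exactly the base of the first hidden driver, while ultra.sys itself is flagged as a virus-like modification. The script below is an added example for this page, not part of the thread and not the scanner's own code: it parses lines in that report format and makes those correlations explicit. The sample report is constructed from the lines posted above; the atapi.sys and ultra.sys module entries (their sizes and vendor strings) are assumptions added so the warnings can be matched back to a loaded module, and are not taken from the posted log.

```python
"""Triage a rootkit-scanner driver report of the kind posted in this thread.

Added example for the thread; not the scanner's own code. Sample lines are
constructed from the report format above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the posted format: a module listing, '!!!Hidden driver'
# entries, then the '>Stealth' section. The atapi.sys and ultra.sys module lines
# (sizes and vendor strings) are assumptions added for this example; the hidden
# driver, IRP handler and WARNING lines are the ones from the report above.
SAMPLE_REPORT = r"""
0xB9E00000 C:\WINDOWS\system32\DRIVERS\atapi.sys 96512 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra ATA Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A0D7AEA ?_empty_? 1302 bytes
0x8A0D7EC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x8A092278 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E00000 WARNING: suspicious driver modification [atapi.sys::0x8A0D7AEA]
0xBA118000 WARNING: Virus alike driver modification [ultra.sys], 36864 bytes
"""


@dataclass(frozen=True)
class HiddenDriver:
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        # A 0-byte entry (object found, size unknown) only matches its own base.
        return self.base <= addr < self.base + max(self.size, 1)


MODULE_RE = re.compile(r"^0x([0-9A-Fa-f]+) (\S+) (\d+) bytes \((.*)\)$")
HIDDEN_RE = re.compile(r"^!+Hidden driver: 0x([0-9A-Fa-f]+) \S+ (\d+) bytes$")
IRP_RE = re.compile(r"^0x([0-9A-Fa-f]+) unknown_irp_handler (\d+) bytes$")
WARN_RE = re.compile(r"^0x([0-9A-Fa-f]+) WARNING: (.+?) \[([^\]]+)\](?:, (\d+) bytes)?$")


def parse_report(text: str):
    """Return (modules by file name, hidden drivers, orphan IRP handlers, warnings)."""
    modules, hidden, irp_handlers, warnings = {}, [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            hidden.append(HiddenDriver(int(m[1], 16), int(m[2])))
        elif m := IRP_RE.match(line):
            irp_handlers.append(int(m[1], 16))
        elif m := WARN_RE.match(line):
            warnings.append((int(m[1], 16), m[2], m[3], int(m[4]) if m[4] else None))
        elif m := MODULE_RE.match(line):
            name = m[2].rsplit("\\", 1)[-1].lower()  # full path -> file name
            modules[name] = (int(m[1], 16), int(m[3]), m[4])
    return modules, hidden, irp_handlers, warnings


def triage(text: str) -> list[tuple[str, str]]:
    """Turn the raw report into (severity, finding) pairs, cross-referencing every
    address the scanner complained about against the hidden driver ranges."""
    modules, hidden, irp_handlers, warnings = parse_report(text)

    def owner_of(addr: int) -> HiddenDriver | None:
        return next((h for h in hidden if h.contains(addr)), None)

    findings = []
    for h in hidden:
        findings.append(("high", f"hidden driver object at {h.base:#010x}, {h.size} bytes, no backing image"))
    for addr in irp_handlers:
        h = owner_of(addr)
        where = f"inside hidden driver {h.base:#010x}" if h else "in memory owned by no listed module"
        findings.append(("high" if h else "medium", f"IRP handler at {addr:#010x} {where}"))
    for base, kind, target, size in warnings:
        name, _, ptr = target.partition("::")
        name = name.lower()
        listed = modules.get(name)
        if listed is None:
            note = "not in module list"
        elif listed[0] != base:
            note = f"module list says base {listed[0]:#010x}, warning says {base:#010x}"
        else:
            note = f"loaded at {base:#010x}"
        if ptr:  # a dispatch pointer in this driver now points somewhere else
            h = owner_of(int(ptr, 16))
            dest = f"hidden driver {h.base:#010x}" if h else f"{int(ptr, 16):#010x} (unattributed)"
            findings.append(("high" if h else "medium", f"{name} dispatch redirected to {dest}; {kind}; {note}"))
        else:
            extra = f", image {size} bytes" if size else ""
            findings.append(("high", f"{name} {kind}{extra}; {note}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_REPORT):
        print(f"[{severity.upper()}] {finding}")
```

Run as-is it prints five findings. The one that matters most is the atapi.sys line: a dispatch pointer in the disk port driver redirected into a module that has no file on disk is the pattern to look for in a report like this, and it is why scanning the driver files on disk, as the user's antivirus did, finds nothing wrong with atapi.sys itself.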





#5 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2010 - 02:44 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan. - TDSS rootkit <-- please read

What this virus does.
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do.
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine, but I cannot guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise, please let me know.

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as it is sometimes necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt


Note** If you receive this error, please reboot the computer:
"Illegal operation attempted on a registry key that has been marked for deletion."


Information and logs
    In your next post I need the following:
    1. Log from ComboFix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo




I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 pjinpv
  • Topic Starter
  • Members
  • 13 posts

Posted 25 September 2010 - 04:55 PM

Gringo,

I followed your instructions, downloaded ComboFix.exe. I disabled my internet connection, disabled Zone Alarm and Norton AV, and I have no other spyware or adware running. I clicked on combofix, and got the first screen with the RUN button. But when I try to run it, nothing happens.

Any advice?

Thanks for your help!



#7 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2010 - 05:03 PM

Hello

OK, let's try this.


Rename combofix:

Please download Combofix from one of these locations:
    Link 1
    Link 2
    Link 3

    You must rename it before saving it... Rename it: Gringo. See images below. Save it to your desktop.




    Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.

    Double click on Gringo & follow the prompts.
      Do not use your keyboard or mouse, or click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do not touch your computer when ComboFix is running!
    When finished, Notepad will open and ComboFix will produce a log file.
    Please copy/paste the contents of this log in your next reply.


Gringo

#8 pjinpv
  • Topic Starter
  • Members
  • 13 posts

Posted 25 September 2010 - 08:59 PM

Gringo,

combofixit.txt is pasted in below. The browsers seem to be back up to speed, but I am still being redirected to ad sites, and to "theclickcheck.com".

It took me a few tries to successfully run ComboFix. At one point, it said that it had to reboot, and when it did, ComboFix appeared in a DOS window, but after an hour it had not progressed, and Windows did not finish opening. I closed the ComboFix window, and Windows immediately came back. I ran ComboFix again, and it completed its scan in a few minutes, resulting in the .txt file below.

And so it appears that I still have some sort of bug that is redirecting me.

Again, thanks for your attentiveness.

Paul

ComboFix 10-09-25.05 - Valued Customer 09/25/2010 21:00:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.938 [GMT -4:00]
Running from: c:\documents and settings\Valued Customer\Desktop\bleeping computer files\GringoFix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Valued Customer\Application Data\twain_32
c:\documents and settings\Valued Customer\Application Data\twain_32\user.ds
c:\windows\ali.exe
c:\windows\jestertb.dll
c:\windows\system32\Ijl11.dll
c:\windows\winhelp.ini
F:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ultra.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))
.

2010-09-22 16:51 . 2010-09-24 12:59 -------- d-----w- c:\documents and settings\Valued Customer\dwhelper
2010-09-22 15:26 . 2010-09-22 15:26 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_1296.exe
2010-09-22 14:00 . 2010-09-23 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-22 13:58 . 2010-09-22 13:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 13:53 . 2010-09-22 13:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-09-16 22:36 . 2010-09-16 22:36 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_2796.exe
2010-09-15 19:25 . 2010-09-15 23:21 -------- d-----w- C:\NBRT
2010-09-14 22:40 . 2010-09-14 22:40 -------- d-----w- c:\program files\Alwil Software
2010-09-14 22:40 . 2010-09-14 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-14 16:47 . 2010-09-14 16:47 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-09-14 16:47 . 2010-09-14 16:47 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-14 16:45 . 2010-09-14 16:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2010-09-14 16:24 . 2010-09-14 16:24 -------- d-----w- c:\documents and settings\Valued Customer\Local Settings\Application Data\NPE
2010-09-14 12:26 . 2010-09-25 22:00 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\IObit
2010-09-14 12:26 . 2010-09-14 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-09-14 12:26 . 2010-09-25 22:00 -------- d-----w- c:\program files\IObit
2010-09-14 11:57 . 2010-09-14 12:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 11:26 . 2010-09-14 11:26 -------- d-----w- c:\program files\W3i, LLC
2010-09-13 22:49 . 2004-08-10 19:00 471102 -c--a-w- c:\windows\system32\dllcache\imskdic.dll
2010-09-13 22:49 . 2004-08-10 19:00 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2010-09-13 22:49 . 2004-08-10 19:00 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe
2010-09-13 22:49 . 2004-08-10 19:00 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-09-13 22:49 . 2004-08-10 19:00 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
2010-09-13 22:49 . 2004-08-10 19:00 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2010-09-13 22:49 . 2004-08-10 19:00 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2010-09-13 22:49 . 2004-08-10 19:00 6656 -c--a-w- c:\windows\system32\dllcache\iissync.exe
2010-09-13 22:49 . 2004-08-10 19:00 3584 -c--a-w- c:\windows\system32\dllcache\iismui.dll
2010-09-13 22:49 . 2004-08-10 19:00 19456 -c--a-w- c:\windows\system32\dllcache\iiscrmap.dll
2010-09-13 22:49 . 2004-08-10 19:00 60928 -c--a-w- c:\windows\system32\dllcache\iisclex4.dll
2010-09-13 22:47 . 2001-08-17 17:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-09-13 22:46 . 2001-08-18 02:36 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-09-13 22:45 . 2001-08-17 16:14 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-09-13 22:44 . 2001-08-17 16:19 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-09-13 22:43 . 2001-08-17 16:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-09-13 22:42 . 2001-08-18 02:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-09-13 22:41 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2010-09-13 22:40 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-09-13 22:39 . 2001-08-17 18:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-09-13 22:37 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-13 22:37 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-13 22:37 . 2004-08-10 19:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-13 22:37 . 2004-08-10 19:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-13 22:37 . 2004-08-10 19:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-13 22:37 . 2004-08-10 19:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-13 22:37 . 2004-08-10 19:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-13 22:37 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-09 15:39 . 2010-09-09 15:39 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-09-09 00:10 . 2010-09-09 00:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-08 14:16 . 2010-09-08 14:21 -------- d-----w- c:\temp\DMTemp
2010-09-07 14:06 . 2010-09-07 14:06 -------- d-----w- c:\program files\videofixer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 23:32 . 2006-05-13 00:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 19:34 . 2006-11-25 18:57 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\dvdcss
2010-09-25 14:49 . 2006-05-12 23:19 -------- d-----w- c:\program files\Google
2010-09-24 11:24 . 2008-10-08 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-22 16:34 . 2010-09-22 16:55 14863872 ----a-w- c:\windows\Internet Logs\xDB1D0.tmp
2010-09-22 14:00 . 2005-01-10 01:26 178240 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-22 13:59 . 2006-05-12 23:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 13:21 . 2006-05-13 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-17 16:11 . 2010-09-17 18:16 62976 ----a-w- c:\windows\Internet Logs\xDB1CF.tmp
2010-09-17 14:33 . 2010-09-17 18:15 14622720 ----a-w- c:\windows\Internet Logs\xDB1CE.tmp
2010-09-16 13:22 . 2010-09-16 13:28 24064 ----a-w- c:\windows\Internet Logs\xDB1CD.tmp
2010-09-16 13:14 . 2010-09-16 13:27 14614016 ----a-w- c:\windows\Internet Logs\xDB1CC.tmp
2010-09-16 03:29 . 2010-09-16 03:32 25088 ----a-w- c:\windows\Internet Logs\xDB1CB.tmp
2010-09-16 03:24 . 2010-09-16 03:32 14619136 ----a-w- c:\windows\Internet Logs\xDB1CA.tmp
2010-09-15 23:21 . 2006-05-12 21:55 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-09-15 23:07 . 2010-09-15 23:21 23040 ----a-w- c:\windows\Internet Logs\xDB1C9.tmp
2010-09-15 21:46 . 2010-09-15 23:21 14601728 ----a-w- c:\windows\Internet Logs\xDB1C8.tmp
2010-09-15 21:25 . 2010-09-15 21:28 19968 ----a-w- c:\windows\Internet Logs\xDB1C7.tmp
2010-09-15 21:24 . 2010-09-15 21:28 14601728 ----a-w- c:\windows\Internet Logs\xDB1C6.tmp
2010-09-15 21:12 . 2010-09-15 21:15 27648 ----a-w- c:\windows\Internet Logs\xDB1C5.tmp
2010-09-15 20:59 . 2010-09-15 21:15 14616576 ----a-w- c:\windows\Internet Logs\xDB1C4.tmp
2010-09-15 19:54 . 2010-09-15 20:00 54784 ----a-w- c:\windows\Internet Logs\xDB1C3.tmp
2010-09-15 19:45 . 2010-09-15 20:00 14612992 ----a-w- c:\windows\Internet Logs\xDB1C2.tmp
2010-09-15 15:16 . 2010-09-15 15:41 14578688 ----a-w- c:\windows\Internet Logs\xDB1C1.tmp
2010-09-15 14:01 . 2010-09-15 14:43 35328 ----a-w- c:\windows\Internet Logs\xDB1C0.tmp
2010-09-15 14:01 . 2010-09-15 14:43 14595584 ----a-w- c:\windows\Internet Logs\xDB1BF.tmp
2010-09-15 12:16 . 2006-11-02 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-09-14 22:37 . 2010-07-19 20:32 452104 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\setup.exe
2010-09-14 20:16 . 2010-09-14 20:32 136704 ----a-w- c:\windows\Internet Logs\xDB1BE.tmp
2010-09-14 20:04 . 2010-09-14 20:31 14553600 ----a-w- c:\windows\Internet Logs\xDB1BD.tmp
2010-09-14 01:36 . 2010-09-14 01:56 14510592 ----a-w- c:\windows\Internet Logs\xDB1BC.tmp
2010-09-13 21:09 . 2010-09-13 21:28 14503936 ----a-w- c:\windows\Internet Logs\xDB1BB.tmp
2010-09-13 20:39 . 2010-09-13 20:49 14505472 ----a-w- c:\windows\Internet Logs\xDB1BA.tmp
2010-09-12 10:36 . 2008-12-10 19:05 28276 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-09-10 15:03 . 2009-12-21 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-09-10 14:51 . 2010-09-10 15:03 14488064 ----a-w- c:\windows\Internet Logs\xDB1B8.tmp
2010-09-10 14:51 . 2010-09-10 15:03 25600 ----a-w- c:\windows\Internet Logs\xDB1B9.tmp
2010-09-10 12:57 . 2010-09-10 13:09 63488 ----a-w- c:\windows\Internet Logs\xDB1B7.tmp
2010-09-10 12:49 . 2010-09-10 13:09 14486016 ----a-w- c:\windows\Internet Logs\xDB1B6.tmp
2010-09-09 16:16 . 2010-09-09 16:28 14582272 ----a-w- c:\windows\Internet Logs\xDB1B4.tmp
2010-09-09 16:15 . 2010-09-09 16:29 31232 ----a-w- c:\windows\Internet Logs\xDB1B5.tmp
2010-09-09 16:15 . 2008-08-18 19:52 -------- d-----w- c:\program files\WM Converter
2010-09-09 16:10 . 2006-11-22 18:01 -------- d-----w- c:\program files\mp3 to wma converter
2010-09-09 16:09 . 2007-12-06 01:42 -------- d-----w- c:\program files\DVDVideoSoft
2010-09-09 16:09 . 2007-12-06 01:42 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-09 16:08 . 2009-12-21 19:28 -------- d-----w- c:\program files\Acro Software
2010-09-09 16:07 . 2008-07-25 15:34 -------- d-----w- c:\program files\AVS4YOU
2010-09-09 15:39 . 2009-05-28 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-09-09 15:16 . 2010-09-09 15:34 14462976 ----a-w- c:\windows\Internet Logs\xDB1B2.tmp
2010-09-09 15:15 . 2010-09-09 15:35 143872 ----a-w- c:\windows\Internet Logs\xDB1B3.tmp
2010-09-07 19:40 . 2009-12-15 23:53 1819504 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-08-31 02:38 . 2010-08-31 02:48 14341632 ----a-w- c:\windows\Internet Logs\xDB1B0.tmp
2010-08-31 02:38 . 2010-08-31 02:49 1956352 ----a-w- c:\windows\Internet Logs\xDB1B1.tmp
2010-08-31 00:59 . 2010-08-31 01:10 2993152 ----a-w- c:\windows\Internet Logs\xDB1AF.tmp
2010-08-31 00:58 . 2010-08-31 01:09 14445568 ----a-w- c:\windows\Internet Logs\xDB1AE.tmp
2010-08-31 00:17 . 2009-11-28 20:50 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Azureus
2010-08-19 20:39 . 2010-08-19 20:39 310208 ----a-w- c:\documents and settings\Valued Customer\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-14 23:38 . 2009-06-15 00:02 5632 --sha-w- c:\program files\Thumbs.db
2010-08-12 07:22 . 2009-07-31 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-11 12:16 . 2010-09-13 20:43 289826 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-08-11 11:40 . 2010-08-11 11:56 127488 ----a-w- c:\windows\Internet Logs\xDB1AD.tmp
2010-08-11 04:14 . 2010-08-11 11:55 14258688 ----a-w- c:\windows\Internet Logs\xDB1AC.tmp
2010-08-10 16:56 . 2010-08-10 16:56 -------- d-----w- c:\program files\ffdshow
2010-08-10 16:56 . 2006-10-27 15:22 -------- d-----w- c:\program files\WinPcap
2010-08-10 16:54 . 2010-08-10 16:54 -------- d-----w- c:\program files\FLVCodec
2010-08-10 16:52 . 2009-06-08 00:18 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\GetRightToGo
2010-08-09 17:43 . 2007-12-06 01:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-02 00:09 . 2010-08-02 10:53 132608 ----a-w- c:\windows\Internet Logs\xDB1AB.tmp
2010-08-01 23:29 . 2010-08-02 10:52 14205952 ----a-w- c:\windows\Internet Logs\xDB1AA.tmp
2010-07-26 14:37 . 2010-07-26 14:47 63488 ----a-w- c:\windows\Internet Logs\xDB1A9.tmp
2010-07-26 08:01 . 2010-07-26 14:47 14197760 ----a-w- c:\windows\Internet Logs\xDB1A8.tmp
2010-07-21 14:47 . 2010-07-21 15:04 837632 ----a-w- c:\windows\Internet Logs\xDB1A7.tmp
2010-07-21 14:45 . 2010-07-21 15:04 14156800 ----a-w- c:\windows\Internet Logs\xDB1A6.tmp
2010-07-14 07:28 . 2010-07-14 07:28 317960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-13 04:35 . 2010-07-13 04:34 26641904 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-07-13 04:34 . 2010-07-13 04:34 220272 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-07-13 04:34 . 2010-07-13 04:34 149000 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-07-13 04:34 . 2010-07-13 04:33 13407072 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-07-13 04:33 . 2010-07-13 04:33 79368 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-07-13 04:33 . 2010-07-13 04:33 73344 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-07-13 04:33 . 2010-07-13 04:33 64000 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-07-13 04:33 . 2010-07-13 04:33 52288 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-07-13 04:33 . 2010-07-13 04:33 122880 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-06-30 12:31 . 2006-05-12 21:54 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 20:31 . 2010-03-10 03:28 439816 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.10\setup.exe
2008-11-27 22:42 . 2008-11-27 22:42 104 ----a-w- c:\program files\Internet.lnk
2008-03-07 00:18 . 2008-03-07 00:18 18562 ----a-w- c:\program files\irunin.ini
2008-03-07 00:18 . 2008-03-07 00:18 8154 ----a-w- c:\program files\irunin.bmp
2008-03-07 00:18 . 2008-03-07 00:18 28994 ----a-w- c:\program files\irunin.dat
2008-03-07 00:18 . 2008-03-07 00:18 15938 ----a-w- c:\program files\irunin.lng
2006-05-17 00:53 . 2006-05-17 00:52 1208 ----a-w- c:\program files\fancy_dvd.fluxdvd
2005-01-09 16:50 . 2005-01-09 16:50 3693 --sha-w- c:\windows\rreg32.dll
2005-01-09 16:50 . 2005-01-09 16:50 2332 --sha-w- c:\windows\utapi32.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0}]
2010-09-22 15:26 815104 ----a-w- c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B29002A0-87A1-4DC4-AC55-5982034EB61E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3303e956-2a3a-48e0-be39-2e0ef11a2f44}"= "c:\program files\Power_Karaoke\tbPowe.dll" [2008-02-14 1555480]
"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-09-22 815104]

[HKEY_CLASSES_ROOT\clsid\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3303E956-2A3A-48E0-BE39-2E0EF11A2F44}"= "c:\program files\Power_Karaoke\tbPowe.dll" [2008-02-14 1555480]
"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-09-22 815104]

[HKEY_CLASSES_ROOT\clsid\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-06 2348752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 6"="c:\program files\Cobian Backup 6\CobBU.exe" [2005-01-14 418816]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-01-26 902936]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]
backup=c:\windows\pss\Hawking Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChoiceMail
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-15 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 20:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
2005-02-21 11:21 192512 ----a-w- c:\program files\Lexmark 3300 Series\lxccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 17:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2006-11-14 17:22 121640 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2002-10-31 14:55 131072 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-03-10 20:07 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-06-02 20:03 1957888 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-10-20 13:58 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker]
2009-12-08 10:33 279552 ----a-w- c:\program files\SiteRanker\SiteRankTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-26 21:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-05 12:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-05 12:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-20 13:57 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBCSSvc"=2 (0x2)
"rpcapd"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"PrismXL"=2 (0x2)
"lxbs_device"=3 (0x3)
"lxcc_device"=3 (0x3)
"Kodak AiO Network Discovery Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Parsons Technology\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 MFX;MFX; [x]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/14/2010 8:26 AM 312152]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 5:47 PM 149352]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [5/12/2006 3:49 PM 200192]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [5/12/2006 7:59 PM 52108]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/2/2010 4:34 AM 135664]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 6:32 PM 23888]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [6/7/2009 7:50 PM 23096]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 GSService;GSService;"c:\windows\system32\GSService.exe" --> c:\windows\system32\GSService.exe [?]
S3 ISD200;USB Storage Adapter V2;c:\windows\system32\drivers\ISD200.SYS [12/10/2008 3:10 PM 26930]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [1/6/2005 6:10 AM 18048]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [6/7/2009 9:02 PM 23096]
S3 ZD1211BU(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\system32\drivers\ZD1211BU.sys [10/18/2006 9:19 AM 402432]
S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 19:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-03 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-05-27 12:16]

2010-08-26 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-05-27 12:16]

2010-09-03 c:\windows\Tasks\flashlynxDowngrade.job
- c:\program files\NCH Software\FlashLynx\flashlynx.exe [2010-05-27 12:17]

2010-08-26 c:\windows\Tasks\flashlynxShakeIcon.job
- c:\program files\NCH Software\FlashLynx\flashlynx.exe [2010-05-27 12:17]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:33]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:33]

2010-09-25 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 10:05]

2010-09-25 c:\windows\Tasks\User_Feed_Synchronization-{BD3E56E1-6BFD-4746-AF50-E11F27A683AA}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-09-25 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-03-22 12:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
FF - ProfilePath - c:\documents and settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\7f927aa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\SiteRanker\firefox\components\siterank.dll
FF - plugin: c:\documents and settings\Valued Customer\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-EXPStudio Audio Editor FREE 4.0.1 - c:\windows\EXPStudio Audio Editor FREE 4.0.1
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Valued Customer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\MFX.sys 50892 bytes executable
C:\secure
C:\SYZ_DAT

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,60,d2,d2,43,42,58,45,98,fd,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,60,d2,d2,43,42,58,45,98,fd,5e,\

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44C55471-29DE-0B04-CF54-594FFCFEF0C0}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaijaelapopgnkkdbh"=hex:6a,61,6e,65,65,6d,65,61,6b,66,70,6c,68,66,69,66,64,6d,
6a,64,00,01
"haclngmckghjdaii"=hex:6a,61,6a,65,69,67,65,6d,6f,65,62,66,6a,61,6d,6e,69,65,
6b,70,00,01

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{47B49258-9C0C-4470-5B39-9A30728A1773}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaecfhjdldhgdbpchbdcjgmemkgcmi"=hex:64,61,65,61,63,62,68,6f,00,60
"oaandlfbhfienegpogchfpancaifmh"=hex:6a,61,65,61,65,62,68,6d,6e,63,67,66,65,62,
63,62,62,62,6d,70,00,fd
"naccljnlcejoikddkfldhblgoimh"=hex:6a,61,65,61,65,62,68,6d,6e,63,67,66,65,62,
63,62,62,62,6d,70,00,fd

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64C4A4F8-8A94-C81A-A3C2-990B5A38E6CA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oabmjcggapcfdonljiaaljefefcjfl"=hex:63,61,67,70,6a,70,00,7c
"oafmjodkkkildppdagpngnolgfmpfp"=hex:69,61,68,70,66,6f,6e,6c,62,62,64,67,68,68,
6e,6f,65,70,00,00
"napgdpeakpbgnahnbafijloamcdn"=hex:69,61,6c,6e,69,68,66,65,6d,70,69,6a,61,68,
68,63,6d,6b,00,00

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D4BC331-9425-2494-A942-6ABD5C8D5617}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"maehneplagojephjaefekdpmdm"=hex:6a,61,63,66,70,64,66,6c,6d,6d,6f,62,6f,65,66,
6e,70,6e,65,6a,00,18
"laehneplagelknigjkfmilmi"=hex:69,61,6d,62,62,63,62,6e,67,63,6d,65,63,67,6d,6b,
6c,67,00,80

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C5396B-2D8B-58B0-C6F3-E747D604FBB1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iafoahfoboagganaak"=hex:6a,61,64,67,6d,6c,63,63,66,6d,67,6e,62,6b,6d,6b,68,6b,
66,6a,00,01
"happgollhfdmokdh"=hex:6a,61,66,6a,68,62,66,6b,67,67,70,64,67,69,63,68,65,6c,
6d,6e,00,01

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\mpDRM\LicenseStore*]
@DACL=
"CheckValue"=dword:ba3464ba
"DA39A3EE"="E5E6B4B0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(368)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-25 21:11:25
ComboFix-quarantined-files.txt 2010-09-26 01:11

Pre-Run: 71,423,721,472 bytes free
Post-Run: 71,657,938,944 bytes free

- - End Of File - - B7E80FE587EFBF826C4EB26EDCA6AF92


#9 gringo_pr

  • Malware Response Team

Posted 25 September 2010 - 10:23 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\Internet Logs\xDB1CF.tmp
c:\windows\Internet Logs\xDB1CE.tmp
c:\windows\Internet Logs\xDB1CD.tmp
c:\windows\Internet Logs\xDB1CC.tmp
c:\windows\Internet Logs\xDB1CB.tmp
c:\windows\Internet Logs\xDB1CA.tmp
c:\windows\Internet Logs\xDB1C9.tmp
c:\windows\Internet Logs\xDB1C8.tmp
c:\windows\Internet Logs\xDB1C7.tmp
c:\windows\Internet Logs\xDB1C6.tmp
c:\windows\Internet Logs\xDB1C5.tmp
c:\windows\Internet Logs\xDB1C4.tmp
c:\windows\Internet Logs\xDB1C3.tmp
c:\windows\Internet Logs\xDB1C2.tmp
c:\windows\Internet Logs\xDB1C1.tmp
c:\windows\Internet Logs\xDB1C0.tmp
c:\windows\Internet Logs\xDB1BF.tmp
c:\windows\Internet Logs\xDB1BE.tmp
c:\windows\Internet Logs\xDB1BD.tmp
c:\windows\Internet Logs\xDB1BC.tmp
c:\windows\Internet Logs\xDB1BB.tmp
c:\windows\Internet Logs\xDB1BA.tmp
c:\windows\Internet Logs\xDB1B8.tmp
c:\windows\Internet Logs\xDB1B9.tmp
c:\windows\Internet Logs\xDB1B7.tmp
c:\windows\Internet Logs\xDB1B6.tmp
c:\windows\Internet Logs\xDB1B4.tmp
c:\windows\Internet Logs\xDB1B5.tmp
c:\windows\Internet Logs\xDB1B2.tmp
c:\windows\Internet Logs\xDB1B3.tmp
c:\windows\Internet Logs\xDB1B0.tmp
c:\windows\Internet Logs\xDB1B1.tmp
c:\windows\Internet Logs\xDB1AF.tmp
c:\windows\Internet Logs\xDB1AE.tmp
c:\windows\Internet Logs\xDB1AD.tmp
c:\windows\Internet Logs\xDB1AC.tmp
c:\windows\Internet Logs\xDB1AB.tmp
c:\windows\Internet Logs\xDB1AA.tmp
c:\windows\Internet Logs\xDB1A9.tmp
c:\windows\Internet Logs\xDB1A8.tmp
c:\windows\Internet Logs\xDB1A7.tmp
c:\windows\Internet Logs\xDB1A6.tmp

RegNull::
[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44C55471-29DE-0B04-CF54-594FFCFEF0C0}*]
[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{47B49258-9C0C-4470-5B39-9A30728A1773}*]
[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64C4A4F8-8A94-C81A-A3C2-990B5A38E6CA}*]
[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D4BC331-9425-2494-A942-6ABD5C8D5617}*]
[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C5396B-2D8B-58B0-C6F3-E747D604FBB1}*]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
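The ComboFix log posted above carries several indicators that an analyst reads off by hand: Security Center Monitoring keys with DisableMonitoring set to 1, EnableFirewall=0 on the standard firewall profile, a driver (AMDMSRIO) whose image lives under a user Temp folder or is missing on disk, the files catchme reports as hidden, and locked Shell Extensions\Approved keys whose value names are gibberish rather than {CLSID}s, which is exactly what the RegNull:: section of gringo_pr's CFScript nulls out. The Python script below is an added example, not part of this thread, of ComboFix or of any BleepingComputer tooling: it applies those checks to a constructed log fragment modelled on the lines above and emits a RegNull:: block in the CFScript format shown in the post. The function names, the sample text and the rule that legitimate Approved values are always named by a {CLSID} are the example's own assumptions; nothing here documents how ComboFix itself processes a script.

```python
"""Triage a ComboFix-style log for tampering indicators (added example, not ComboFix code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed fragment shaped like the log in the thread; paths and keys are illustrative only.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 MFX;MFX; [x]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

scanning hidden files ...

c:\windows\system32\drivers\MFX.sys 50892 bytes executable
C:\secure

scan completed successfully
hidden files: 2

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1875837520-1353903572-987929904-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44C55471-29DE-0B04-CF54-594FFCFEF0C0}*]
@Allowed: (Read) (RestrictedCode)
"iaijaelapopgnkkdbh"=hex:6a,61,6e,65,65,6d,65,61,6b,66,70,6c,68,66,69,66,64,6d,
6a,64,00,01
"""


@dataclass(frozen=True)
class Finding:
    category: str  # indicator class
    subject: str   # registry key line as printed, service name or hidden file line
    note: str      # why it was flagged


KEY_RE = re.compile(r"^\[(.+?)\*?\]$")                      # [key] or [key*] (the log appends * to locked keys)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "name"=value
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")    # R/S + start type, name;display;image
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def service_problems(image: str) -> List[str]:
    """Reasons a service/driver line deserves a look, judged from its image path column."""
    image = image.strip()
    reasons = []
    if image == "[x]":
        reasons.append("no image path recorded")
    elif image.endswith("[?]"):
        reasons.append("image file not found on disk")
    if "\\temp\\" in image.lower():
        reasons.append("loads from a user Temp directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key and which catchme block we are in."""
    findings: List[Finding] = []
    key = key_raw = ""          # current key lower-cased without '*', and the line as printed
    in_hidden = in_locked = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
        elif line.startswith("scanning hidden files"):
            in_hidden = True
        elif in_hidden:
            if line.startswith("scan completed"):
                in_hidden = False
            else:
                findings.append(Finding("hidden_file", line, "hidden from the Win32 API (catchme)"))
        elif (m := KEY_RE.match(line)):
            key, key_raw = m.group(1).lower(), line
        elif (m := SERVICE_RE.match(line)):
            reasons = service_problems(m.group(2))
            if reasons:
                findings.append(Finding("service", m.group(1), "; ".join(reasons)))
        elif (m := VALUE_RE.match(line)) and key:
            name, value = m.group(1), m.group(2).strip()
            if "security center\\monitoring" in key and name == "DisableMonitoring" and value == "dword:00000001":
                findings.append(Finding("security_center_monitoring_disabled", key_raw, "Security Center told to ignore this product"))
            elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("firewall_disabled", key_raw, "Windows Firewall standard profile is off"))
            elif in_locked and "shell extensions\\approved\\" in key and not GUID_RE.match(name):
                findings.append(Finding("locked_shell_extension", key_raw, f"non-CLSID value name {name!r} under a locked Approved key"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


def build_cfscript(findings: List[Finding]) -> str:
    """RegNull:: block in the format of the CFScript above; other findings are left to the analyst."""
    keys = sorted({f.subject for f in findings if f.category == "locked_shell_extension"})
    return "\n".join(["RegNull::", *keys]) + "\n" if keys else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:36} {f.subject}\n{'':36} {f.note}")
    print(build_cfscript(found))
```

Two caveats apply when reading the output. DisableMonitoring=1 is also written by some security suites to stop Security Center from raising duplicate alerts, so on its own it is a lead rather than proof of tampering, and catchme's hidden-file list routinely contains benign items; that is why the generated script only touches the locked Approved keys with bogus value names, mirroring what gringo_pr chose to target, and leaves drivers and hidden files for a human decision.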

#10 gringo_pr

  • Malware Response Team

Posted 27 September 2010 - 11:13 PM

Hello

Three-day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo


#11 pjinpv

  • Topic Starter

Posted 28 September 2010 - 06:42 AM

Sorry for the delay in responding... I thought that I had done so earlier.

It appears that the remaining issue is redirection. My browser (I use I.E., Firefox, and Google Chrome, and all three are affected) redirects to a variety of advertising sites. Most prevalent is one that poses as a virus scan and prompts me to download a "fix." Of course, I do not do so. I either back out or close the browser and start over. This seems to happen whether I type in the URL of the site I want to see or follow a link. It happens randomly, regardless of what site I am seeking to visit.

Thanks for hanging in with me!

ComboFix.txt:

ComboFix 10-09-25.07 - Valued Customer 09/26/2010 6:48.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.908 [GMT -4:00]
Running from: c:\documents and settings\Valued Customer\Desktop\bleeping computer files\GringoFix.exe
Command switches used :: c:\documents and settings\Valued Customer\Desktop\bleeping computer files\CFScript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Internet Logs\xDB1A6.tmp"
"c:\windows\Internet Logs\xDB1A7.tmp"
"c:\windows\Internet Logs\xDB1A8.tmp"
"c:\windows\Internet Logs\xDB1A9.tmp"
"c:\windows\Internet Logs\xDB1AA.tmp"
"c:\windows\Internet Logs\xDB1AB.tmp"
"c:\windows\Internet Logs\xDB1AC.tmp"
"c:\windows\Internet Logs\xDB1AD.tmp"
"c:\windows\Internet Logs\xDB1AE.tmp"
"c:\windows\Internet Logs\xDB1AF.tmp"
"c:\windows\Internet Logs\xDB1B0.tmp"
"c:\windows\Internet Logs\xDB1B1.tmp"
"c:\windows\Internet Logs\xDB1B2.tmp"
"c:\windows\Internet Logs\xDB1B3.tmp"
"c:\windows\Internet Logs\xDB1B4.tmp"
"c:\windows\Internet Logs\xDB1B5.tmp"
"c:\windows\Internet Logs\xDB1B6.tmp"
"c:\windows\Internet Logs\xDB1B7.tmp"
"c:\windows\Internet Logs\xDB1B8.tmp"
"c:\windows\Internet Logs\xDB1B9.tmp"
"c:\windows\Internet Logs\xDB1BA.tmp"
"c:\windows\Internet Logs\xDB1BB.tmp"
"c:\windows\Internet Logs\xDB1BC.tmp"
"c:\windows\Internet Logs\xDB1BD.tmp"
"c:\windows\Internet Logs\xDB1BE.tmp"
"c:\windows\Internet Logs\xDB1BF.tmp"
"c:\windows\Internet Logs\xDB1C0.tmp"
"c:\windows\Internet Logs\xDB1C1.tmp"
"c:\windows\Internet Logs\xDB1C2.tmp"
"c:\windows\Internet Logs\xDB1C3.tmp"
"c:\windows\Internet Logs\xDB1C4.tmp"
"c:\windows\Internet Logs\xDB1C5.tmp"
"c:\windows\Internet Logs\xDB1C6.tmp"
"c:\windows\Internet Logs\xDB1C7.tmp"
"c:\windows\Internet Logs\xDB1C8.tmp"
"c:\windows\Internet Logs\xDB1C9.tmp"
"c:\windows\Internet Logs\xDB1CA.tmp"
"c:\windows\Internet Logs\xDB1CB.tmp"
"c:\windows\Internet Logs\xDB1CC.tmp"
"c:\windows\Internet Logs\xDB1CD.tmp"
"c:\windows\Internet Logs\xDB1CE.tmp"
"c:\windows\Internet Logs\xDB1CF.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB1A6.tmp
c:\windows\Internet Logs\xDB1A7.tmp
c:\windows\Internet Logs\xDB1A8.tmp
c:\windows\Internet Logs\xDB1A9.tmp
c:\windows\Internet Logs\xDB1AA.tmp
c:\windows\Internet Logs\xDB1AB.tmp
c:\windows\Internet Logs\xDB1AC.tmp
c:\windows\Internet Logs\xDB1AD.tmp
c:\windows\Internet Logs\xDB1AE.tmp
c:\windows\Internet Logs\xDB1AF.tmp
c:\windows\Internet Logs\xDB1B0.tmp
c:\windows\Internet Logs\xDB1B1.tmp
c:\windows\Internet Logs\xDB1B2.tmp
c:\windows\Internet Logs\xDB1B3.tmp
c:\windows\Internet Logs\xDB1B4.tmp
c:\windows\Internet Logs\xDB1B5.tmp
c:\windows\Internet Logs\xDB1B6.tmp
c:\windows\Internet Logs\xDB1B7.tmp
c:\windows\Internet Logs\xDB1B8.tmp
c:\windows\Internet Logs\xDB1B9.tmp
c:\windows\Internet Logs\xDB1BA.tmp
c:\windows\Internet Logs\xDB1BB.tmp
c:\windows\Internet Logs\xDB1BC.tmp
c:\windows\Internet Logs\xDB1BD.tmp
c:\windows\Internet Logs\xDB1BE.tmp
c:\windows\Internet Logs\xDB1BF.tmp
c:\windows\Internet Logs\xDB1C0.tmp
c:\windows\Internet Logs\xDB1C1.tmp
c:\windows\Internet Logs\xDB1C2.tmp
c:\windows\Internet Logs\xDB1C3.tmp
c:\windows\Internet Logs\xDB1C4.tmp
c:\windows\Internet Logs\xDB1C5.tmp
c:\windows\Internet Logs\xDB1C6.tmp
c:\windows\Internet Logs\xDB1C7.tmp
c:\windows\Internet Logs\xDB1C8.tmp
c:\windows\Internet Logs\xDB1C9.tmp
c:\windows\Internet Logs\xDB1CA.tmp
c:\windows\Internet Logs\xDB1CB.tmp
c:\windows\Internet Logs\xDB1CC.tmp
c:\windows\Internet Logs\xDB1CD.tmp
c:\windows\Internet Logs\xDB1CE.tmp
c:\windows\Internet Logs\xDB1CF.tmp

.
((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))
.

2010-09-26 10:33 . 2010-09-26 10:33 -------- d-----w- c:\windows\LastGood
2010-09-26 02:23 . 2010-09-26 02:23 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-22 16:51 . 2010-09-24 12:59 -------- d-----w- c:\documents and settings\Valued Customer\dwhelper
2010-09-22 15:26 . 2010-09-22 15:26 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_1296.exe
2010-09-22 14:00 . 2010-09-23 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-22 13:58 . 2010-09-22 13:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 13:53 . 2010-09-22 13:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-09-16 22:36 . 2010-09-16 22:36 294009 ----a-w- c:\windows\Video_Download_Toolbar_Uninstaller_2796.exe
2010-09-15 19:25 . 2010-09-15 23:21 -------- d-----w- C:\NBRT
2010-09-14 22:40 . 2010-09-14 22:40 -------- d-----w- c:\program files\Alwil Software
2010-09-14 22:40 . 2010-09-14 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-14 16:47 . 2010-09-14 16:47 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-09-14 16:47 . 2010-09-14 16:47 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-14 16:45 . 2010-09-14 16:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2010-09-14 16:24 . 2010-09-14 16:24 -------- d-----w- c:\documents and settings\Valued Customer\Local Settings\Application Data\NPE
2010-09-14 12:26 . 2010-09-25 22:00 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\IObit
2010-09-14 12:26 . 2010-09-14 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-09-14 12:26 . 2010-09-25 22:00 -------- d-----w- c:\program files\IObit
2010-09-14 11:57 . 2010-09-14 12:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 11:26 . 2010-09-14 11:26 -------- d-----w- c:\program files\W3i, LLC
2010-09-13 22:49 . 2004-08-10 19:00 471102 -c--a-w- c:\windows\system32\dllcache\imskdic.dll
2010-09-13 22:49 . 2004-08-10 19:00 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2010-09-13 22:49 . 2004-08-10 19:00 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe
2010-09-13 22:49 . 2004-08-10 19:00 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-09-13 22:49 . 2004-08-10 19:00 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
2010-09-13 22:49 . 2004-08-10 19:00 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2010-09-13 22:49 . 2004-08-10 19:00 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2010-09-13 22:49 . 2004-08-10 19:00 6656 -c--a-w- c:\windows\system32\dllcache\iissync.exe
2010-09-13 22:49 . 2004-08-10 19:00 3584 -c--a-w- c:\windows\system32\dllcache\iismui.dll
2010-09-13 22:49 . 2004-08-10 19:00 19456 -c--a-w- c:\windows\system32\dllcache\iiscrmap.dll
2010-09-13 22:49 . 2004-08-10 19:00 60928 -c--a-w- c:\windows\system32\dllcache\iisclex4.dll
2010-09-13 22:47 . 2001-08-17 17:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-09-13 22:46 . 2001-08-18 02:36 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-09-13 22:45 . 2001-08-17 16:14 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-09-13 22:44 . 2001-08-17 16:19 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-09-13 22:43 . 2001-08-17 16:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-09-13 22:42 . 2001-08-18 02:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-09-13 22:41 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2010-09-13 22:40 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-09-13 22:39 . 2001-08-17 18:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-09-13 22:37 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-13 22:37 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-13 22:37 . 2004-08-10 19:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-13 22:37 . 2004-08-10 19:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-13 22:37 . 2004-08-10 19:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-13 22:37 . 2004-08-10 19:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-13 22:37 . 2004-08-10 19:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-13 22:37 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-09 15:39 . 2010-09-09 15:39 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-09-09 00:10 . 2010-09-09 00:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-08 14:16 . 2010-09-08 14:21 -------- d-----w- c:\temp\DMTemp
2010-09-07 14:06 . 2010-09-07 14:06 -------- d-----w- c:\program files\videofixer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 10:26 . 2006-05-13 00:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 19:34 . 2006-11-25 18:57 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\dvdcss
2010-09-25 14:49 . 2006-05-12 23:19 -------- d-----w- c:\program files\Google
2010-09-24 11:24 . 2008-10-08 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-22 16:34 . 2010-09-22 16:55 14863872 ----a-w- c:\windows\Internet Logs\xDB1D0.tmp
2010-09-22 14:00 . 2005-01-10 01:26 178240 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-22 13:59 . 2006-05-12 23:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 13:21 . 2006-05-13 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-15 23:21 . 2006-05-12 21:55 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-09-15 12:16 . 2006-11-02 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-09-14 22:37 . 2010-07-19 20:32 452104 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\setup.exe
2010-09-12 10:36 . 2008-12-10 19:05 28276 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-09-10 15:03 . 2009-12-21 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-09-09 16:15 . 2008-08-18 19:52 -------- d-----w- c:\program files\WM Converter
2010-09-09 16:10 . 2006-11-22 18:01 -------- d-----w- c:\program files\mp3 to wma converter
2010-09-09 16:09 . 2007-12-06 01:42 -------- d-----w- c:\program files\DVDVideoSoft
2010-09-09 16:09 . 2007-12-06 01:42 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-09 16:08 . 2009-12-21 19:28 -------- d-----w- c:\program files\Acro Software
2010-09-09 16:07 . 2008-07-25 15:34 -------- d-----w- c:\program files\AVS4YOU
2010-09-09 15:39 . 2009-05-28 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-09-07 19:40 . 2009-12-15 23:53 1819504 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-08-31 00:17 . 2009-11-28 20:50 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Azureus
2010-08-19 20:39 . 2010-08-19 20:39 310208 ----a-w- c:\documents and settings\Valued Customer\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-14 23:38 . 2009-06-15 00:02 5632 --sha-w- c:\program files\Thumbs.db
2010-08-12 07:22 . 2009-07-31 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-11 12:16 . 2010-09-13 20:43 289826 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-08-10 16:56 . 2010-08-10 16:56 -------- d-----w- c:\program files\ffdshow
2010-08-10 16:56 . 2006-10-27 15:22 -------- d-----w- c:\program files\WinPcap
2010-08-10 16:54 . 2010-08-10 16:54 -------- d-----w- c:\program files\FLVCodec
2010-08-10 16:52 . 2009-06-08 00:18 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\GetRightToGo
2010-08-09 17:43 . 2007-12-06 01:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-14 07:28 . 2010-07-14 07:28 317960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-13 04:35 . 2010-07-13 04:34 26641904 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-07-13 04:34 . 2010-07-13 04:34 220272 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-07-13 04:34 . 2010-07-13 04:34 149000 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-07-13 04:34 . 2010-07-13 04:33 13407072 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-07-13 04:33 . 2010-07-13 04:33 79368 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-07-13 04:33 . 2010-07-13 04:33 73344 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-07-13 04:33 . 2010-07-13 04:33 64000 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-07-13 04:33 . 2010-07-13 04:33 52288 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-07-13 04:33 . 2010-07-13 04:33 122880 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-06-30 12:31 . 2006-05-12 21:54 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 20:31 . 2010-03-10 03:28 439816 ----a-w- c:\documents and settings\Valued Customer\Application Data\Real\Update\setup3.10\setup.exe
2008-11-27 22:42 . 2008-11-27 22:42 104 ----a-w- c:\program files\Internet.lnk
2008-03-07 00:18 . 2008-03-07 00:18 18562 ----a-w- c:\program files\irunin.ini
2008-03-07 00:18 . 2008-03-07 00:18 8154 ----a-w- c:\program files\irunin.bmp
2008-03-07 00:18 . 2008-03-07 00:18 28994 ----a-w- c:\program files\irunin.dat
2008-03-07 00:18 . 2008-03-07 00:18 15938 ----a-w- c:\program files\irunin.lng
2006-05-17 00:53 . 2006-05-17 00:52 1208 ----a-w- c:\program files\fancy_dvd.fluxdvd
2005-01-09 16:50 . 2005-01-09 16:50 3693 --sha-w- c:\windows\rreg32.dll
2005-01-09 16:50 . 2005-01-09 16:50 2332 --sha-w- c:\windows\utapi32.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0}]
2010-09-22 15:26 815104 ----a-w- c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B29002A0-87A1-4DC4-AC55-5982034EB61E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3303e956-2a3a-48e0-be39-2e0ef11a2f44}"= "c:\program files\Power_Karaoke\tbPowe.dll" [2008-02-14 1555480]
"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-09-22 815104]

[HKEY_CLASSES_ROOT\clsid\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3303E956-2A3A-48E0-BE39-2E0EF11A2F44}"= "c:\program files\Power_Karaoke\tbPowe.dll" [2008-02-14 1555480]
"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-09-22 815104]

[HKEY_CLASSES_ROOT\clsid\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 6"="c:\program files\Cobian Backup 6\CobBU.exe" [2005-01-14 418816]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-01-26 902936]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]
backup=c:\windows\pss\Hawking Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-15 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 20:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
2005-02-21 11:21 192512 ----a-w- c:\program files\Lexmark 3300 Series\lxccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 17:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2006-11-14 17:22 121640 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2002-10-31 14:55 131072 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-03-10 20:07 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-06-02 20:03 1957888 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-10-20 13:58 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker]
2009-12-08 10:33 279552 ----a-w- c:\program files\SiteRanker\SiteRankTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-26 21:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-05 12:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-05 12:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-20 13:57 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBCSSvc"=2 (0x2)
"rpcapd"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"PrismXL"=2 (0x2)
"lxbs_device"=3 (0x3)
"lxcc_device"=3 (0x3)
"Kodak AiO Network Discovery Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Parsons Technology\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 MFX;MFX; [x]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [5/12/2006 3:49 PM 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\VALUED~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 6:32 PM 23888]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [6/7/2009 7:50 PM 23096]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 ISD200;USB Storage Adapter V2;c:\windows\system32\drivers\ISD200.SYS [12/10/2008 3:10 PM 26930]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 19:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-03 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-05-27 12:16]

2010-08-26 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-05-27 12:16]

2010-09-03 c:\windows\Tasks\flashlynxDowngrade.job
- c:\program files\NCH Software\FlashLynx\flashlynx.exe [2010-05-27 12:17]

2010-08-26 c:\windows\Tasks\flashlynxShakeIcon.job
- c:\program files\NCH Software\FlashLynx\flashlynx.exe [2010-05-27 12:17]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:33]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:33]

2010-09-25 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 10:05]

2010-09-26 c:\windows\Tasks\User_Feed_Synchronization-{BD3E56E1-6BFD-4746-AF50-E11F27A683AA}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-09-25 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-03-22 12:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
FF - ProfilePath - c:\documents and settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\7f927aa0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\SiteRanker\firefox\components\siterank.dll
FF - plugin: c:\documents and settings\Valued Customer\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-26 07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\MFX.sys 50892 bytes executable
C:\secure
C:\SYZ_DAT

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,60,d2,d2,43,42,58,45,98,fd,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,60,d2,d2,43,42,58,45,98,fd,5e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\mpDRM\LicenseStore*]
@DACL=
"CheckValue"=dword:ba3464ba
"DA39A3EE"="E5E6B4B0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-26 08:16:55
ComboFix-quarantined-files.txt 2010-09-26 12:15
ComboFix2.txt 2010-09-26 01:11

Pre-Run: 71,581,933,568 bytes free
Post-Run: 71,561,691,136 bytes free

- - End Of File - - B218BB4FB92233A08DFDA1E86D181885


#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 September 2010 - 08:32 AM

We are going to check the router.

Create and Run Batch File
    Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
CODE
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
    Save this as router.bat. Choose Save as type: All Files and where to save: Desktop, then close the Notepad file.

    Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 pjinpv

  • Topic Starter
  • Members
  • 13 posts

Posted 28 September 2010 - 09:54 AM

I ran the router.bat. The results:

Windows IP Configuration



Host Name . . . . . . . . . . . . : YOUR-1677FE830B

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : twcny.rr.com



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : twcny.rr.com

Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter

Physical Address. . . . . . . . . : 00-C0-A8-AE-1F-36

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.103

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

213.109.65.68

213.109.75.214

Lease Obtained. . . . . . . . . . : Tuesday, September 28, 2010 9:53:02 AM

Lease Expires . . . . . . . . . . : Wednesday, September 29, 2010 9:53:02 AM



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller

Physical Address. . . . . . . . . : 00-03-25-34-D0-3A

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Address: 173.194.34.104

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 69.147.125.65
67.195.160.76



Pinging google.com [173.194.34.104] with 32 bytes of data:



Reply from 173.194.34.104: bytes=32 time=50ms TTL=53

Reply from 173.194.34.104: bytes=32 time=51ms TTL=53



Ping statistics for 173.194.34.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 50ms, Maximum = 51ms, Average = 50ms



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=52ms TTL=51

Reply from 67.195.160.76: bytes=32 time=53ms TTL=51



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 52ms, Maximum = 53ms, Average = 52ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 a8 ae 1f 36 ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
0x3 ...00 03 25 34 d0 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.103 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.103 192.168.1.103 25
192.168.1.103 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.103 192.168.1.103 25
224.0.0.0 240.0.0.0 192.168.1.103 192.168.1.103 25
255.255.255.255 255.255.255.255 192.168.1.103 3 1
255.255.255.255 255.255.255.255 192.168.1.103 192.168.1.103 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 September 2010 - 10:29 AM

Hello

Yes, it looks like the DNS settings on the router have been changed.

Resetting Router

Let's try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up here.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using, or you can use OpenDNS.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

Flush the DNS:

Now let's flush the DNS on the computer:
  • Click on Start
  • Select Run
  • Enter cmd and hit Enter
  • A black window will open.
  • Please enter the following text into that window and hit Enter:
      ipconfig /flushdns

Now let's check the router again

Create and Run Batch File
    Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
CODE
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
    Save this as router.bat. Choose Save as type: All Files and where to save: Desktop, then close the Notepad file.

    Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo

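The check that gringo_pr's router.bat (#12) makes by hand, and the conclusion drawn from its output in #14, can be automated: the DHCP lease in the first Log1.txt listed the router (192.168.1.1) plus two public resolvers the owner never configured, which is the sign of a router whose DNS settings were changed. The script below is an added example for this thread, not code from BleepingComputer, from the batch file above or from any ComboFix tool. It parses the `ipconfig /all` portion of Log1.txt, collects the DNS servers each adapter was handed, and reports any server that is neither the adapter's own default gateway nor on an allow-list of the ISP's resolvers. `ISP_RESOLVERS` is an assumption copied from the post-reset log in this thread; the sample text is constructed to mirror the thread's logs and only carries the fields the check needs.

```python
"""Flag unexpected DNS servers in the output of `ipconfig /all`.

Added example for this thread; not code from BleepingComputer or from router.bat.
It reads the text router.bat writes to Log1.txt and reports every DNS server that
is neither the adapter's default gateway nor on an allow-list of ISP resolvers.
"""
import ipaddress
import re

# ASSUMPTION: the ISP's resolvers, copied from the post-reset log in this
# thread. Confirm the real list with your ISP before relying on it.
ISP_RESOLVERS = ("209.18.47.61", "209.18.47.62")

# Constructed sample mirroring the first Log1.txt in the thread (only the
# fields the check uses; ipconfig prints more).
SAMPLE_BEFORE_RESET = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : YOUR-1677FE830B
DNS Suffix Search List. . . . . . : twcny.rr.com

Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.103
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
213.109.65.68
213.109.75.214
Lease Obtained. . . . . . . . . . : Tuesday, September 28, 2010 9:53:02 AM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
"""

# Constructed sample mirroring the post-reset Log1.txt: same shape, ISP resolvers.
SAMPLE_AFTER_RESET = (SAMPLE_BEFORE_RESET
                      .replace("213.109.65.68", "209.18.47.61")
                      .replace("213.109.75.214", "209.18.47.62"))

# "Field Name . . . . : value" -- ipconfig pads field names with dots.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")


def is_ip(text):
    """True when text is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return {section: {field: [values]}}. Multi-value fields such as
    'DNS Servers' continue on bare lines holding only an address."""
    sections, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers: the global block or "<type> adapter <name>:".
        if line == "Windows IP Configuration" or (" adapter " in line and line.endswith(":")):
            current = line.rstrip(":")
            sections[current] = {}
            last_field = None
            continue
        if current is None:
            continue
        match = FIELD_RE.match(line)
        if match:
            last_field = match.group(1).strip()
            values = sections[current].setdefault(last_field, [])
            if match.group(2).strip():
                values.append(match.group(2).strip())
        elif last_field and is_ip(line):  # continuation line of a list field
            sections[current][last_field].append(line)
    return sections


def unexpected_dns_servers(sections, trusted_resolvers=ISP_RESOLVERS):
    """Return [(adapter, server)] for every DNS server that is neither the
    adapter's default gateway nor one of the trusted resolvers."""
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    findings = []
    for name, fields in sections.items():
        gateways = {ipaddress.ip_address(g)
                    for g in fields.get("Default Gateway", []) if is_ip(g)}
        for server in fields.get("DNS Servers", []):
            if not is_ip(server):
                continue
            addr = ipaddress.ip_address(server)
            if addr not in gateways and addr not in trusted:
                findings.append((name, server))
    return findings


if __name__ == "__main__":
    for label, sample in (("before reset", SAMPLE_BEFORE_RESET),
                          ("after reset", SAMPLE_AFTER_RESET)):
        hits = unexpected_dns_servers(parse_ipconfig(sample))
        print(f"{label}: {'clean' if not hits else hits}")
```

Point the script at a real Log1.txt by passing its contents to `parse_ipconfig`; the nslookup, ping and `route print` sections that follow in the same file do not match the field pattern and are ignored. Treating the gateway as trusted is deliberate: a home router normally names itself as the resolver, so the finding that matters is a public address appearing beside it that the ISP does not own, exactly the 213.109.x.x pair in the first log.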

#15 pjinpv

  • Topic Starter
  • Members
  • 13 posts

Posted 28 September 2010 - 12:41 PM

I reset the router, and after a bit of fumbling around, managed to get all three computers to reconnect (one wired and two wireless, all from the Linksys router).

I then reset the password at Linksys's administration site.

I flushed the DNS on all three computers, and re-ran the batch file you provided.

It should only take a half hour or so to determine whether I am still being redirected, though it makes sense to me that the router was the issue, since all three of my computers began to misbehave at about the same time. I will post again soon to let you know how it's going. Here are the results of the batch file:

Windows IP Configuration

Host Name . . . . . . . . . . . . : YOUR-1677FE830B
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : twcny.rr.com

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-03-25-34-D0-3A

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : twcny.rr.com
Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
Physical Address. . . . . . . . . : 00-C0-A8-AE-1F-36
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
209.18.47.61
209.18.47.62
Lease Obtained. . . . . . . . . . : Tuesday, September 28, 2010 1:06:41 PM
Lease Expires . . . . . . . . . . : Wednesday, September 29, 2010 1:06:41 PM

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 72.14.204.104, 72.14.204.147, 72.14.204.99, 72.14.204.103

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65

Pinging google.com [72.14.204.147] with 32 bytes of data:

Reply from 72.14.204.147: bytes=32 time=47ms TTL=52
Reply from 72.14.204.147: bytes=32 time=51ms TTL=52

Ping statistics for 72.14.204.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 51ms, Average = 49ms

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=54ms TTL=52
Reply from 69.147.125.65: bytes=32 time=51ms TTL=52

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 54ms, Average = 52ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 03 25 34 d0 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
0x20002 ...00 c0 a8 ae 1f 36 ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 25
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 25
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 25
255.255.255.255 255.255.255.255 192.168.1.100 3 1
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
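The point of re-running the batch file after the router reset is to confirm that the resolvers handed out by DHCP are now the router itself and the ISP's servers, not a rogue address that would send every machine on the LAN to redirect sites. The following Python script is an added example, not part of this thread or of the helper's batch file: it parses pasted `ipconfig /all` text and flags any DNS server that is neither the adapter's default gateway nor on a trusted resolver list. The trusted list is the two rr.com addresses from the post above (an assumption; in practice use your ISP's published resolvers), the first sample is the adapter section copied from the post, and the second sample is constructed, using the documentation address 203.0.113.5 as a placeholder, to show what a hit looks like.

```python
"""Audit the DNS resolvers in `ipconfig /all` output for signs of DNS hijacking.

Added example, not from the thread or the helper's batch file. A rootkit on
one machine or a compromised router can push rogue resolvers via DHCP, and
every client on the LAN then gets redirected, which matches the symptom
described in the thread (all three computers misbehaving at once).
"""
import ipaddress
import re

# Adapter section copied from the post above (the forum paste lost the
# leading indentation of continuation lines, so the parser must not rely on it).
SAMPLE_FROM_POST = """
Windows IP Configuration

Host Name . . . . . . . . . . . . : YOUR-1677FE830B
Primary Dns Suffix . . . . . . . :
DNS Suffix Search List. . . . . . : twcny.rr.com

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : twcny.rr.com
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
209.18.47.61
209.18.47.62
Lease Obtained. . . . . . . . . . : Tuesday, September 28, 2010 1:06:41 PM
"""

# Constructed "before the fix" variant (not from the thread): DHCP handed out a
# resolver that is neither the router nor the ISP. 203.0.113.5 is an RFC 5737
# documentation address used as a placeholder, not a real rogue server.
SAMPLE_HIJACKED = """
Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 203.0.113.5
209.18.47.61
"""

# Resolvers we expect: the two rr.com servers from the post. Assumption; in
# practice populate this from the ISP's published resolver addresses.
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in ("209.18.47.61/32", "209.18.47.62/32")]

ADAPTER_RE = re.compile(r"^\s*(\S.* adapter .+?):\s*$")
# Label, a run of " . " padding, the first colon, then the value (which may
# itself contain colons, e.g. the lease timestamps).
FIELD_RE = re.compile(r"^\s*(?P<label>[A-Za-z][^:]*?)[\s.]*:\s?(?P<value>.*?)\s*$")


def parse_ipconfig(text):
    """Return {adapter_name: {field_label: [values...]}}.

    A line with no label (the second and third DNS server) continues the
    previous field; lines before the first adapter header are filed under the
    pseudo-adapter "Windows IP Configuration".
    """
    current_adapter = "Windows IP Configuration"
    adapters = {current_adapter: {}}
    current_field = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Windows IP Configuration":
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current_adapter = m.group(1)
            adapters[current_adapter] = {}
            current_field = None
            continue
        m = FIELD_RE.match(line)
        if m:
            current_field = m.group("label")
            adapters[current_adapter][current_field] = [m.group("value")] if m.group("value") else []
        elif current_field is not None:
            adapters[current_adapter][current_field].append(line)
    return adapters


def audit_dns(text, trusted=TRUSTED_RESOLVERS):
    """Return a list of (adapter, resolver, reason) findings; an empty list is clean."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        gateways = set(fields.get("Default Gateway", []))
        for server in fields.get("DNS Servers", []):
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((name, server, "unparseable resolver entry"))
                continue
            if server in gateways:
                continue  # router forwarding DNS: the normal home setup
            if any(ip in net for net in trusted):
                continue  # known ISP resolver
            findings.append((name, server, "neither the default gateway nor a trusted ISP resolver"))
    return findings


if __name__ == "__main__":
    for label, sample in (("post output", SAMPLE_FROM_POST), ("constructed hijack", SAMPLE_HIJACKED)):
        findings = audit_dns(sample)
        print(f"{label}: {'clean' if not findings else findings}")
```

Run it against the saved output of `ipconfig /all` from each machine on the LAN; a resolver that is flagged on every machine points at the router (or its DHCP settings), while one flagged on a single machine points at that host.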




