
Vista won't start up, possible virus problem?


  • This topic is locked
38 replies to this topic

#1 Residual (Members, 34 posts)

Posted 03 November 2010 - 06:40 PM

Okay so I first posted about this on the Vista forum and was told to make a new post here. I'm afraid I can't GET to any of my scans to run them and post logs but I'm still hoping someone might have an idea of what's going on...

Here's the original post.

But I'll copy and paste:

Starting from the beginning. My mom got into a fake virus scan malware two weeks ago. I managed to knock out the bulk of it, but something stayed behind because afterwards I kept getting ‘Host Process Failed’ error messages and my web searches began getting redirected all the time. I tried Malwarebytes, Ad-Aware, SUPERAntiSpyware and Spybot to get rid of it but nothing changed. Unfortunately I’ve been super busy and haven’t had a lot of time to screw around with it, so I’ve just been working around it to get my work done till I found the time.

Well two days ago my computer began running slowly. Yesterday it was even slower and began freezing up. I had to hold down the tower button a couple times to restart it.
Now, the computer is kept on the floor in our ‘laundry/office room’ so dust is a problem. Sometimes it collects in the fans and causes the computer to run slow and hum. Since I hadn’t cleaned it in a while I decided this might be the problem and disconnected everything and cleaned it out using a can of air and a vacuum (ALWAYS super careful not to touch any of the boards or pull on wires - I’ve done it several times before), though it actually wasn’t that dusty at all. I finished and hooked it back up, triple checking everything was in its right place, and started it up.

So, here’s the issue:
It hums to life in the normal way, all the power lights are go, and it brings you to the blue HP start-up page with the F9-F10 startup options (normal), then after a few seconds that goes away and brings you to a black screen, and stays there (not normal!). At the top left-hand corner of the screen is a blinking horizontal line (cursor?)
I restarted it and pressed F8 for Safe Mode, and it took a good 15-20 minutes before the Safe Mode Options screen finally popped up. I selected Start in Safe Mode and it ran the screen that shows the files loading up, then froze and nothing happened.
I also tried starting up on ‘The last good configuration’ and got a black screen.
Last I tried the System Restore option, but it told me I had no restore points, even though I had just made one the day before.
I second guessed myself and opened the computer back up and rechecked that all the cables and wires inside were plugged in and not knocked loose, and it was all secure…

Basically I’m not sure what’s to blame here. Was it the virus? Was it the last forced shut down? Or was it something I did cleaning the computer?

I BELIEVE I have Vista Home Basic, and use a wired HP computer.
What do I do?
Any and all help is appreciated!

My brother-in-law ended up coming out and fixing it for me. Couldn't tell you what he did for sure I was at work at the time. No replies required. I will however be back with some logs to get down to the matter of the virus, though.

EDIT: Posts merged ~BP

Got one of those AV Security Suite viruses about 3 weeks ago. I managed to get rid of the scan and several Trojans that came with it, but I'm still getting redirected and an error message that comes up that says "Host process for windows services stopped working and was closed". All this results in really is the style of windows changing to be more blocky and 'classic' looking (sorry if that doesn't make sense, not sure how to put it heh)

I've done scans with Malwarebytes, Ad-aware, Spybot, SUPERAntiSpyware and AVG 2011 Free Edition and they generally say they couldn't find anything except for the occasional Tracking Cookies, sooooo I'm here! Asking for your help.

I ran the DDS scan and posted the results below, and ATTEMPTED the GMER scan. On all 3 attempts, however, the scan froze when it reached the file "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009" and I was forced to close it down using the Task Manager and could not save any of the results.



DDS Log:

DDS (Ver_10-11-08.01) - NTFSx86
Run by Brook at 12:37:22.20 on Mon 11/08/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.741 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\System32\bgsvcgen.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brook\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search - ?p=ZRxdm429YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\brook\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\brook\appdata\roaming\mozilla\firefox\profiles\xfs1eu84.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\brook\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\brook\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\brook\documents\sparkplay media\sparkplayer (beta)\npSparkPlayerNS.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-21 218592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070913.004\IDSvix86.sys [2007-9-18 180272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-8-22 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
S4 atashost;WebEx Service Host for Support Center;"c:\windows\system32\atashost.exe" --> c:\windows\system32\atashost.exe [?]
S4 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-6-15 78104]

=============== Created Last 30 ================

2010-11-08 16:24:17 -------- d-----w- c:\program files\Runtime Software
2010-11-08 16:16:10 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-07 03:38:17 -------- d--h--w- C:\$AVG
2010-11-07 02:06:12 -------- d-----w- c:\users\brook\appdata\roaming\AVG10
2010-11-07 02:02:53 -------- d--h--w- c:\progra~2\Common Files
2010-11-07 01:58:44 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-07 01:58:44 -------- d-----w- c:\progra~2\AVG10
2010-11-07 01:58:08 -------- d-----w- c:\program files\AVG
2010-11-07 01:51:32 -------- d-----w- c:\progra~2\MFAData
2010-10-27 22:37:37 -------- dc----w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-10-27 21:06:39 -------- d-----w- c:\users\brook\appdata\roaming\SUPERAntiSpyware.com
2010-10-27 21:06:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-27 19:49:49 388096 ----a-r- c:\users\brook\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-27 19:49:49 -------- d-----w- c:\program files\Trend Micro
2010-10-20 21:27:07 -------- d-----w- c:\users\brook\appdata\local\Thunderbird
2010-10-20 03:48:18 204 ----a-w- c:\users\brook\appdata\roaming\19427.bat
2010-10-18 14:56:32 -------- d-----w- c:\windows\system32\EventProviders
2010-10-17 20:37:23 1409 ----a-w- c:\windows\QTFont.for
2010-10-12 06:04:58 6084944 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4e33a3c5-726c-4e29-bb3d-e443901fb82d}\mpengine.dll
2010-10-10 05:52:56 -------- d-----w- c:\users\brook\appdata\roaming\Oberon Media
2010-10-10 05:52:53 -------- d-----w- c:\progra~2\Oberon Media

==================== Find3M ====================

2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
2007-10-09 02:24:36 774144 ----a-w- c:\program files\RngInterstitial.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\0000005a -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD320KJ#4&4d7cbb2&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK

Registry trace:
called modules: ntkrnlpa.exe AVGIDSDriver.Sys avgmfx86.sys PCTCore.sys hal.dll
c:\windows\system32\drivers\AVGIDSDriver.Sys AVG Technologies CZ, s.r.o. AVG IDS
c:\windows\system32\drivers\avgmfx86.sys AVG Technologies CZ, s.r.o. AVG Internet Security
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite

============= FINISH: 12:42:35.30 ===============

EDIT: Topics and posts merged ~BP

Edited by Budapest, 08 November 2010 - 04:22 PM.
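The DDS log above is the kind of thing the helpers in this thread read by eye. As an added example (not part of the original post, and not code from DDS or BleepingComputer), here is a small Python triage script that scans DDS-style lines for the items an analyst checks first: security products reported disabled or outdated, `EnableLUA = 0` (UAC switched off), orphaned BHO registrations, and recently created executables or scripts in user-writable paths. The sample lines are excerpted from the log above; the regular expressions, the `USER_WRITABLE` heuristic and the severity labels are my assumptions about the log layout, not DDS documentation.

```python
import re
from dataclasses import dataclass

# Lines excerpted from the DDS log above: the AV/SP/FW header, a few
# "Pseudo HJT Report" entries and three "Created Last 30" entries.
# This is a hand-picked subset for the example, not the complete log.
SAMPLE_LOG = r"""
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
2010-11-08 16:16:10 -------- d-----w- c:\program files\Cobian Backup 10
2010-10-20 03:48:18 204 ----a-w- c:\users\brook\appdata\roaming\19427.bat
2010-10-27 19:49:49 388096 ----a-r- c:\users\brook\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
"""

# Line shapes as they appear in the log above (assumed, not taken from DDS docs).
PRODUCT = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<fresh>Updated|Outdated)\))?"
)
POLICY = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
BHO = re.compile(r"^BHO: (?P<desc>.*?) - (?P<target>.+)$")
CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Paths a standard user can write to; a fresh executable there deserves a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|progra~2)\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".vbs", ".js", ".pif", ".com")


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    line: str      # the log line that triggered the finding
    reason: str    # why an analyst should care


def triage(lines):
    """Return one Finding per red flag found in DDS-style log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = PRODUCT.match(line)
        if m:
            if "disabled" in m["state"].lower():
                findings.append(Finding("medium", line,
                    f"{m['kind']} {m['name']!r}: {m['state']} (no real-time protection from this product)"))
            if m["fresh"] == "Outdated":
                findings.append(Finding("medium", line,
                    f"{m['kind']} {m['name']!r}: definitions outdated"))
            continue

        m = POLICY.match(line)
        if m:
            if m["key"] == "EnableLUA" and m["val"] == "0":
                findings.append(Finding("high", line,
                    "UAC (LUA) disabled: every process gets the full admin token; "
                    "commonly set by malware, sometimes by the user"))
            continue

        m = BHO.match(line)
        if m:
            if m["target"] == "No File":
                findings.append(Finding("info", line,
                    "orphaned BHO registration (DLL missing): clean up, not an active threat"))
            continue

        m = CREATED.match(line)
        if m and not m["attrs"].startswith("d"):   # skip directories
            path = m["path"].lower()
            if path.endswith(EXECUTABLE_EXT) and USER_WRITABLE.search(path):
                findings.append(Finding("medium", line,
                    "executable/script created recently in a user-writable location; "
                    "verify publisher and purpose"))
    return findings


if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG.splitlines()), key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The output is a candidate list, not a verdict: the location heuristic flags `HiJackThis.exe` under `appdata\roaming\microsoft\installer` just as it flags `19427.bat`, and it is the analyst who decides that the first is a known tool and the second needs explaining. Running it over the full log above would also confirm the points the helpers care about here: Norton is outdated with on-access scanning off, and UAC is disabled.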



#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 12 November 2010 - 06:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

Normally, I'd ask for logs at this point, but you obviously can't create them. Please just reply to this post and let me know a ) If you have a Windows CD, b ) if you have a USB flash drive we can use and c ) if you have access to a computer to help us create a bootable disk.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Residual (Topic Starter, Members, 34 posts)

Posted 12 November 2010 - 09:48 PM

Hello, etavares.
I'm still here!
The wait wasn't a problem, I'm just sorry I made poor Budapest merge my posts so many times, ha. The original issue that the merged post is now titled under has been solved - the reason the computer wouldn't start was because of an error with my disk burner and not anything to do with inner workings, so that's all fine now. I can now access my main page and the internet.

My problem still lies in the browser redirecting and the Host Process error I mentioned above. I've run Malwarebytes, Ad-Aware, Spybot, SUPERAntiSpyware and AVG 2011 Free Edition and they found a few Trojans and tracking cookies early on, but now they aren't finding anything, and the problem persists, though it hasn't gotten any better or worse since when I first posted.

Good news! I found that running the GMER scan in Safe Mode worked, so I have the results of that attached to this reply.

As for your questions:
A) No, I don't have a Windows disk
B) Yes, I have a USB flash drive
C) Yes, my computer can now, as well as my roommate's laptop

Edited by Residual, 12 November 2010 - 09:48 PM.


#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 13 November 2010 - 07:14 AM

Good news!

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please also attach the GMER log, it wasn't in the previous post. Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#5 Residual (Topic Starter, Members, 34 posts)

Posted 13 November 2010 - 01:44 PM

Sorry about the GMER attachment, I must have forgotten the 'Attach File' button ha. It should be there now


Copied and Pasted below!

Nevermind, see reply below.

Attached Files

  • Attached File  ark.txt   4.65KB   2 downloads

Edited by Residual, 13 November 2010 - 02:46 PM.


#6 Residual (Topic Starter, Members, 34 posts)

Posted 13 November 2010 - 02:10 PM

Ok, I'm having the hardest time pasting these logs -.-' It won't post in its entirety and isn't registering any of the edits, so... is it all right if I attach those as well?
If so, they're included below; if not, I could continue to mess with it later on and see if it works then, heh.


OTL logfile created on: 11/13/2010 12:39:27 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Brook\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.31 Gb Total Space | 217.61 Gb Free Space | 75.22% Space Free | Partition Type: NTFS
Drive D: | 8.78 Gb Total Space | 1.37 Gb Free Space | 15.54% Space Free | Partition Type: NTFS

Computer Name: BROOK-PC | User Name: Brook | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/13 12:38:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Brook\Downloads\OTL.exe
PRC - [2010/10/28 19:25:56 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/10/28 19:25:55 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/10/11 11:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/10/06 16:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/10/06 16:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2010/10/06 16:24:08 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/10/06 16:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/09/15 04:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/09/07 02:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2010/05/14 10:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/07/22 02:21:19 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/02/18 08:22:42 | 000,368,288 | ---- | M] () -- C:\Windows\System32\atwtusb.exe
PRC - [2008/01/19 02:33:39 | 000,244,224 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wisptis.exe
PRC - [2008/01/15 10:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\Windows\System32\bgsvcgen.exe


========== Modules (SafeList) ==========

MOD - [2010/11/13 12:38:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Brook\Downloads\OTL.exe
MOD - [2008/01/19 02:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/05/14 10:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/08/05 21:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/22 02:21:19 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/06/15 17:00:36 | 000,078,104 | ---- | M] (iWin Inc.) [Disabled | Stopped] -- C:\Program Files\iWin Games\iWinGamesInstaller.exe -- (iWinGamesInstaller)
SRV - [2008/02/18 08:22:42 | 000,368,288 | ---- | M] () [Auto | Running] -- C:\Windows\System32\atwtusb.exe -- (WTService)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/28 19:51:10 | 000,583,048 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2007/11/01 20:28:55 | 001,252,232 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\Windows\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2007/01/13 18:11:06 | 000,080,504 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Norton Internet Security\isPwdSvc.exe -- (ISPwdSvc)
SRV - [2007/01/12 14:40:58 | 000,049,248 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
SRV - [2007/01/09 16:59:32 | 000,108,648 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice Ex)
SRV - [2007/01/09 16:59:32 | 000,108,648 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2007/01/09 16:59:32 | 000,108,648 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2007/01/09 16:59:32 | 000,108,648 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2007/01/04 19:19:28 | 000,047,712 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- (SymAppCore)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Brook\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS -- (SASENUM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\gswouq.sys -- (hghit)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2010/09/13 15:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 02:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 02:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 02:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/09/07 02:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 20:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 20:42:38 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/19 20:42:36 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/06/21 16:39:22 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/08/05 21:48:42 | 000,054,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 04:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 04:04:16 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2008/05/08 04:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/01/15 18:19:04 | 002,047,576 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/16 17:22:16 | 000,005,504 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\walvhid.sys -- (vhidmini)
DRV - [2007/10/18 06:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/09/13 09:49:47 | 000,180,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Symantec\Definitions\SymcData\idsdefs\20070913.004\IDSvix86.sys -- (IDSvix86)
DRV - [2007/07/19 21:35:14 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2007/05/04 01:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/04/23 19:21:21 | 000,115,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/03/19 08:58:50 | 000,101,672 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/01/09 09:32:14 | 000,191,544 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/01/09 09:32:14 | 000,145,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2007/01/09 09:32:14 | 000,040,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2007/01/09 09:32:14 | 000,038,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMNDISV.SYS -- (SYMNDISV)
DRV - [2007/01/09 09:32:14 | 000,027,576 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/01/09 09:32:14 | 000,012,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/02/20 19:17:40 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2005/12/12 12:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.yahoo.com/ [binary data]
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p="
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.5.1
FF - prefs.js..extensions.enabledItems: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.6.4
FF - prefs.js..extensions.enabledItems: {5F590AA2-1221-4113-A6F4-A4BB62414FAC}:0.45.6.20100202.1
FF - prefs.js..extensions.enabledItems: screencaptureelite@plugin:1.0.0.12
FF - prefs.js..extensions.enabledItems: nosquint@urandom.ca:2.0.3
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1151


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/06 20:58:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 19:25:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 19:25:58 | 000,000,000 | ---D | M]

[2010/10/20 16:27:09 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Extensions
[2010/10/20 16:27:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brook\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/11/12 21:10:40 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions
[2010/07/22 15:20:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2010/10/20 20:53:53 | 000,000,000 | ---D | M] (SmoothWheel (mozdev.org)) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
[2008/06/01 05:12:32 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/11/11 21:17:33 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/07/23 17:54:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2010/11/06 21:40:40 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/13 21:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/10/20 19:25:02 | 000,000,000 | ---D | M] (Redirect Remover) -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
[2010/10/20 18:58:56 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\ffa921ffc7cd5ea46d5ff44cd0cc97d9@button.codefisher.org
[2010/10/22 14:28:21 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\jid0-TVvqJX8JyRxA6V9SmQiarr1XdL8@jetpack
[2010/10/20 21:07:33 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\nosquint@urandom.ca
[2010/10/20 20:59:53 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\screencaptureelite@plugin
[2010/10/20 19:39:52 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\smartbookmarksbar@remy.juteau
[2010/11/11 21:17:33 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\extensions\staged-xpis
[2010/11/12 21:10:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 13:08:43 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/10/20 11:24:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2010/09/24 01:36:43 | 000,001,600 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\WebSearchober55770326.xml

O1 HOSTS File: ([2010/10/20 23:29:44 | 000,000,698 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll (Symantec Corporation)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Brook\Downloads\Pictures\PHOTOfunSTUDIO\20101018\Puma2.JPG
O24 - Desktop BackupWallPaper: C:\Users\Brook\Downloads\Pictures\PHOTOfunSTUDIO\20101018\Puma2.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/23 18:59:56 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk - C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE - File not found
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PHOTOfunSTUDIO HD Edition.lnk - C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe - (Panasonic Corporation)
MsConfig - StartUpFolder: C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Mopy Points Collector.lnk - C:\MOPYFISH\GETPOINT.EXE - File not found
MsConfig - StartUpFolder: C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Picture Mover.lnk - C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe - File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ArcSoft Connection Service - hkey= - key= - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe File not found
MsConfig - StartUpReg: ccApp - hkey= - key= - c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
MsConfig - StartUpReg: EasyLinkAdvisor - hkey= - key= - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe File not found
MsConfig - StartUpReg: ehTray.exe - hkey= - key= - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
MsConfig - StartUpReg: HPAdvisor - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe (Hewlett-Packard)
MsConfig - StartUpReg: hpsysdrv - hkey= - key= - c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: KBD - hkey= - key= - C:\hp\KBD\KbdStub.exe ()
MsConfig - StartUpReg: Livestream Procaster - hkey= - key= - C:\Program Files\Livestream Procaster\Procaster.exe ()
MsConfig - StartUpReg: MacrokeyManager - hkey= - key= - File not found
MsConfig - StartUpReg: Malwarebytes Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: My Web Search Bar Search Scope Monitor - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe File not found
MsConfig - StartUpReg: MyWebSearch Email Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe File not found
MsConfig - StartUpReg: MyWebSearch Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL File not found
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
MsConfig - StartUpReg: OsdMaestro - hkey= - key= - C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RtHDVCpl - hkey= - key= - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
MsConfig - StartUpReg: Search Protection - hkey= - key= - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
MsConfig - StartUpReg: SelectRebates - hkey= - key= - C:\Program Files\SelectRebates\SelectRebates.exe File not found
MsConfig - StartUpReg: Sidebar - hkey= - key= - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: Symantec PIF AlertEng - hkey= - key= - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: Ulead AutoDetector v2 - hkey= - key= - C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe File not found
MsConfig - StartUpReg: Windows Defender - hkey= - key= - File not found
MsConfig - StartUpReg: WindowsWelcomeCenter - hkey= - key= - File not found
MsConfig - StartUpReg: WMPNSCFG - hkey= - key= - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
MsConfig - StartUpReg: YMailAdvisor - hkey= - key= - C:\Program Files\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)
MsConfig - StartUpReg: YSearchProtection - hkey= - key= - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
MsConfig - StartUpReg: zzz_ImInstaller_IncrediMail - hkey= - key= - C:\Users\Brook\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe File not found
MsConfig - State: "startup" - 2
MsConfig - State: "services" - 2

Drivers32: aux - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.i420 - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.iyuv - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yvu9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2010/11/08 11:24:17 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010/11/08 11:16:10 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2010/11/06 22:38:17 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/11/06 21:06:12 | 000,000,000 | ---D | C] -- C:\Users\Brook\AppData\Roaming\AVG10
[2010/11/06 21:02:53 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2010/11/06 20:58:44 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2010/11/06 20:58:44 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2010/11/06 20:58:08 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/11/06 20:51:32 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2010/10/27 17:37:37 | 000,000,000 | ---D | C] -- C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}
[2010/10/27 16:06:39 | 000,000,000 | ---D | C] -- C:\Users\Brook\AppData\Roaming\SUPERAntiSpyware.com
[2010/10/27 16:06:27 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/27 15:17:16 | 000,000,000 | ---D | C] -- C:\Users\Brook\AppData\Roaming\InstallShield
[2010/10/27 14:49:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/20 16:27:07 | 000,000,000 | ---D | C] -- C:\Users\Brook\AppData\Roaming\Thunderbird
[2010/10/20 16:27:07 | 000,000,000 | ---D | C] -- C:\Users\Brook\AppData\Local\Thunderbird
[2010/10/18 09:56:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/10/16 13:26:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2007/10/08 21:24:48 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/13 12:45:00 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{63D7DC33-B3F3-4061-B53F-267DC43412B2}.job
[2010/11/13 12:35:55 | 099,138,313 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2010/11/13 12:34:51 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/11/13 12:34:51 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/11/13 12:29:45 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/13 12:29:45 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/13 12:29:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/13 12:29:24 | 125,665,049 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/11/12 23:25:42 | 000,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
[2010/11/12 23:25:30 | 000,002,098 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/11/11 17:18:45 | 000,431,920 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/11/09 17:47:52 | 000,018,432 | ---- | M] () -- C:\Users\Brook\Documents\cliche rant.wps
[2010/11/09 17:47:52 | 000,017,716 | ---- | M] () -- C:\Users\Brook\AppData\Roaming\wklnhst.dat
[2010/11/08 18:17:59 | 000,002,305 | ---- | M] () -- C:\Users\Brook\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2010/11/08 12:33:51 | 000,000,000 | ---- | M] () -- C:\Users\Brook\defogger_reenable
[2010/11/08 11:24:21 | 000,000,938 | ---- | M] () -- C:\Users\Brook\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2010/11/08 11:24:21 | 000,000,914 | ---- | M] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/11/07 15:39:01 | 000,000,362 | ---- | M] () -- C:\Windows\tasks\PerfectOptimizer_home.job
[2010/11/06 21:02:25 | 000,000,832 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2010/10/27 17:23:58 | 000,002,523 | ---- | M] () -- C:\Users\Brook\Desktop\HiJackThis.lnk
[2010/10/27 16:06:37 | 000,001,802 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/10/27 14:19:17 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/20 23:29:44 | 000,000,698 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2010/10/20 00:29:23 | 000,000,006 | ---- | M] () -- C:\Users\Brook\AppData\Roaming\completescan
[2010/10/20 00:15:03 | 000,000,010 | ---- | M] () -- C:\Users\Brook\AppData\Roaming\install
[2010/10/19 22:48:18 | 000,000,204 | ---- | M] () -- C:\Users\Brook\AppData\Roaming\19427.bat
[2010/10/18 10:47:58 | 000,000,945 | ---- | M] () -- C:\Users\Brook\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/17 15:37:23 | 000,001,409 | ---- | M] () -- C:\Windows\QTFont.for
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/13 12:35:55 | 099,138,313 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2010/11/09 17:47:52 | 000,018,432 | ---- | C] () -- C:\Users\Brook\Documents\cliche rant.wps
[2010/11/08 12:33:51 | 000,000,000 | ---- | C] () -- C:\Users\Brook\defogger_reenable
[2010/11/08 11:24:21 | 000,000,938 | ---- | C] () -- C:\Users\Brook\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2010/11/08 11:24:21 | 000,000,914 | ---- | C] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/11/06 21:02:25 | 000,000,832 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2010/10/27 16:06:37 | 000,001,802 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/10/27 14:49:49 | 000,002,523 | ---- | C] () -- C:\Users\Brook\Desktop\HiJackThis.lnk
[2010/10/20 00:29:23 | 000,000,006 | ---- | C] () -- C:\Users\Brook\AppData\Roaming\completescan
[2010/10/20 00:15:03 | 000,000,010 | ---- | C] () -- C:\Users\Brook\AppData\Roaming\install
[2010/10/19 22:48:18 | 000,000,204 | ---- | C] () -- C:\Users\Brook\AppData\Roaming\19427.bat
[2010/10/17 15:37:23 | 000,054,156 | -H-- | C] () -- C:\Windows\QTFont.qfn
[2010/10/17 15:37:23 | 000,001,409 | ---- | C] () -- C:\Windows\QTFont.for
[2010/09/29 15:55:34 | 000,180,224 | ---- | C] () -- C:\Windows\System32\ATWTINK.DLL
[2010/09/29 15:55:32 | 000,008,798 | ---- | C] () -- C:\Windows\System32\Vista.ini
[2010/09/29 15:55:32 | 000,008,467 | ---- | C] () -- C:\Windows\System32\XP_2000.ini
[2010/09/29 15:55:32 | 000,000,574 | ---- | C] () -- C:\Windows\System32\MKProfile.ini
[2010/09/29 15:55:31 | 000,006,991 | ---- | C] () -- C:\Windows\aiptbl.ini
[2010/04/17 14:35:08 | 000,010,466 | -HS- | C] () -- C:\Users\Brook\AppData\Local\B5XE5d7g
[2010/04/17 14:35:08 | 000,010,466 | -HS- | C] () -- C:\ProgramData\B5XE5d7g
[2010/04/01 02:15:08 | 000,009,334 | -HS- | C] () -- C:\Users\Brook\AppData\Local\8kUL5H5g
[2010/04/01 02:15:08 | 000,009,334 | -HS- | C] () -- C:\ProgramData\8kUL5H5g
[2010/03/05 23:33:41 | 000,007,070 | -HS- | C] () -- C:\Users\Brook\AppData\Local\nO4L
[2010/03/04 22:56:07 | 000,008,686 | -HS- | C] () -- C:\Users\Brook\AppData\Local\B7jiOM
[2010/02/16 13:45:58 | 000,010,086 | -HS- | C] () -- C:\Users\Brook\AppData\Local\qKbiKFB76
[2010/02/05 18:54:46 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/09/10 22:42:31 | 000,000,109 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/02/13 03:08:39 | 000,000,294 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2007/10/19 19:56:16 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2007/10/18 04:02:34 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2007/10/11 13:22:14 | 000,000,112 | ---- | C] () -- C:\Users\Brook\AppData\Local\DownloadLog.txt
[2007/08/21 14:38:59 | 000,001,356 | ---- | C] () -- C:\Users\Brook\AppData\Local\d3d9caps.dat
[2007/08/20 00:45:59 | 000,307,200 | ---- | C] () -- C:\Windows\System32\BCGSkinDownloader.dll
[2007/07/25 01:08:53 | 000,000,030 | ---- | C] () -- C:\Windows\mopyfish.ini
[2007/07/20 15:51:29 | 000,007,168 | ---- | C] () -- C:\Users\Brook\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/19 23:21:15 | 000,017,716 | ---- | C] () -- C:\Users\Brook\AppData\Roaming\wklnhst.dat
[2007/07/19 21:00:23 | 000,002,098 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2007/04/23 18:45:52 | 000,003,920 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2007/04/23 18:25:13 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2007/04/23 18:25:13 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2007/03/06 03:47:24 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/01/12 09:07:48 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2007/01/12 09:07:48 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2007/07/19 21:59:44 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\acccore
[2009/09/08 14:24:26 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Auslogics
[2010/11/06 21:06:12 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\AVG10
[2009/12/31 03:21:15 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Azureus
[2008/05/14 00:51:12 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\BloodTies
[2008/06/13 11:41:22 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Flood Light Games
[2007/12/10 15:12:25 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\ForgottenRiddles
[2008/05/09 13:27:04 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Friday's games
[2010/06/29 15:05:17 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\FUJIFILM
[2010/07/03 21:58:00 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\GetRightToGo
[2008/06/04 12:12:21 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Gogii Games
[2008/02/03 00:16:01 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Image Zone Express
[2008/06/15 17:00:38 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\iWinArcade
[2007/10/25 01:06:02 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Magic Academy
[2008/12/01 15:07:44 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\MSNInstaller
[2009/08/08 19:26:34 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\muvee Technologies
[2008/05/16 11:10:32 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\MysteryStudio
[2007/10/26 20:45:58 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Mysteryville2
[2010/10/27 15:19:09 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Oberon Media
[2010/02/10 21:06:04 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Panasonic
[2008/10/15 00:32:16 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\PeerNetworking
[2008/05/30 09:47:16 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\PlayFirst
[2008/05/20 12:32:16 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Pogo Games
[2007/07/19 20:48:21 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Printer Info Cache
[2008/05/07 14:02:48 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Restorer
[2009/02/13 18:34:07 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Skinux
[2007/07/28 14:39:42 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Snapfish
[2008/05/01 21:25:46 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\SprillBermudeEng
[2007/07/19 23:21:18 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Template
[2010/10/20 16:27:08 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\Thunderbird
[2009/02/03 03:30:59 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\TMInc
[2007/07/24 11:06:31 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\WildTangent
[2008/07/06 23:05:47 | 000,000,000 | ---D | M] -- C:\Users\Brook\AppData\Roaming\WinBatch
[2010/11/07 15:39:01 | 000,000,362 | ---- | M] () -- C:\Windows\Tasks\PerfectOptimizer_home.job
[2010/11/13 12:43:23 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/11/13 12:45:00 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{63D7DC33-B3F3-4061-B53F-267DC43412B2}.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/19 02:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/19 02:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\system32\*.sys /90 >
[2010/11/12 23:25:30 | 000,002,098 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %SYSTEMDRIVE%\*.* >
[2009/05/21 00:07:40 | 000,000,689 | ---- | M] () -- C:\aaw7boot.log
[2007/04/23 18:59:56 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2007/04/23 19:12:30 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/07/25 01:08:47 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/01/07 11:03:40 | 000,000,125 | ---- | M] () -- C:\ioSpecial.ini
[2010/01/14 12:50:20 | 000,001,636 | -H-- | M] () -- C:\IPH.PH
[2007/07/25 01:08:47 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/11/13 12:29:24 | 2325,553,152 | -HS- | M] () -- C:\pagefile.sys
[2008/07/20 23:31:07 | 000,000,477 | ---- | M] () -- C:\RHDSetup.log
[2007/07/19 21:54:11 | 000,000,152 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/01/19 02:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 07:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006/10/26 21:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:AC707B50
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:C22674B6
@Alternate Data Stream - 1605 bytes -> C:\Users\Brook\Documents\RE_ Fw_ PLEEEEEEEEEZ send this back, you'll see why.eml:OECustomProperty
@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:8B2A99C5
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:80ED6380
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:FA42DF8E
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:D055FC10
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:0A73A758
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:E55CE2D1
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:9398DBB4
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:7290F122
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:D31BE97C
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:1A6AFE3D
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E5294695
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:21F28B00
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:FB384C06
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:DE47A3DA
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:85C3B823
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:48FEA089
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:13B137AF
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9ACB70D7
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:101708D3
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:699C6EB5
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:B894C266
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:A7DA2BCD
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:580E04D8
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:2ABEB9EB
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:F01E7F17
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:4673E9EA
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:EC2381A4
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:0AC32449
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:A73EAFFB
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:0D31DA45
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:EC0A74A1
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:598E0FFA
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:F65733F1
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:7A0EFE63
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:E2CD81E1
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:E32966C0
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:BD9F7E4E
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:90B52091
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:E8BDF4DE
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:FC4EA67C
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:11201333
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:A296A63F
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:3214A283

< End of report >



Edited by etavares, 13 November 2010 - 04:40 PM.
Paste logs. Some malware interferes with pasting logs.


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 13 November 2010 - 04:58 PM

Hello, Residual.
I see you have Norton and AVG both installed, but are only running AVG. That's good as having two antiviruses running at the same time is really, really bad for a variety of reasons.


Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

I see you have AddThis and Askbar Firefox add-ons/toolbars installed. I recommend you uninstall both.

For example, see AddThis' privacy policy where it collects and shares your data.



Step 2

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
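For a check of the Trusted Zone that does not depend on the Internet Options dialog, here is an added example that is not part of etavares's post or any of the tools in this thread. It reads the ZoneMap registry keys where Internet Explorer stores its zone assignments and lists any host or IP range mapped to the Trusted sites zone (zone 2); the registry layout and zone numbers are the standard Internet Settings ones, and the function name is my own.

```powershell
# Added example: list Internet Explorer security-zone assignments from the registry.
# IE keeps them under Internet Settings\ZoneMap:
#   Domains\<domain>[\<subdomain>]   values named by scheme (http, https, *, ftp) -> zone number
#   Ranges\Range<N>                  value ':Range' holds the IP or CIDR, scheme values -> zone number
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Per-user assignments, plus the machine-wide copy that is used instead when the
# "Security Zones: Use only machine settings" policy is enabled.
$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-IEZoneMapEntry {
    # Hypothetical helper name (not a built-in cmdlet). Emits one object per
    # (host or range, scheme) pair found in the ZoneMap keys.
    [CmdletBinding()]
    param([string[]]$Roots = $zoneMapRoots)

    foreach ($root in $Roots) {
        $hive = ($root -split ':')[0]

        $domainsKey = Join-Path $root 'Domains'
        if (Test-Path $domainsKey) {
            foreach ($key in Get-ChildItem -Path $domainsKey -Recurse -ErrorAction SilentlyContinue) {
                # Key path Domains\example.com\www describes the host www.example.com
                $relative = ($key.Name -split '\\Domains\\', 2)[1]
                $parts = $relative -split '\\'
                [array]::Reverse($parts)
                $hostName = $parts -join '.'

                foreach ($scheme in $key.GetValueNames()) {
                    $zone = $key.GetValue($scheme)
                    if ($zone -isnot [int]) { continue }   # only DWORD values are zone assignments
                    [pscustomobject]@{
                        Hive     = $hive
                        Target   = $hostName
                        Scheme   = $scheme
                        Zone     = $zone
                        ZoneName = $zoneNames[$zone]
                    }
                }
            }
        }

        $rangesKey = Join-Path $root 'Ranges'
        if (Test-Path $rangesKey) {
            foreach ($key in Get-ChildItem -Path $rangesKey -ErrorAction SilentlyContinue) {
                $range = $key.GetValue(':Range')
                foreach ($scheme in $key.GetValueNames()) {
                    if ($scheme -eq ':Range') { continue }
                    $zone = $key.GetValue($scheme)
                    if ($zone -isnot [int]) { continue }
                    [pscustomobject]@{
                        Hive     = $hive
                        Target   = $range
                        Scheme   = $scheme
                        Zone     = $zone
                        ZoneName = $zoneNames[$zone]
                    }
                }
            }
        }
    }
}

# Report anything placed in the Trusted sites zone; an empty result is what
# you want unless you added the site yourself and know why it needs it.
$trusted = Get-IEZoneMapEntry | Where-Object { $_.Zone -eq 2 }
if ($trusted) {
    $trusted | Format-Table -AutoSize
} else {
    Write-Output 'No hosts or IP ranges are assigned to the Trusted sites zone.'
}
```

Run it in a normal (non-elevated) PowerShell session for the logged-on user's settings; the HKLM branch only matters when the machine-only policy is in force.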
 


#8 Residual

Residual
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 14 November 2010 - 01:02 PM

1) I don’t have any sites in my ‘Trusted Zone’
2) I don’t recall installing AddThis or Askbar and couldn’t find either in my add-ons list or in my computer files, so I’m not sure what to do there…
3) I uninstalled AVG before running the scan. Also, Norton came with the computer, but it was never purchased or run. When I opened ComboFix it kept telling me it was there and may cause problems, but when I tried to uninstall it, it said I needed the CD to do so, which I don’t have. It still ran, but I’m not sure if Norton interfered any.
4) Ok, so when I clicked the download link, the only option was to run the program, not ‘Save as’. I clicked Run, hoping it’d still give me a save option, and it didn’t; it just went right into the rest of the download and then the scan, so I couldn’t save it as etavaresCF. I didn’t know if I should have closed it and tried again or what, so I just let it go. Also, nothing about Windows Recovery Console came up.

5) ComboFix Log:


ComboFix 10-11-13.01 - Brook 11/14/2010 12:07:06.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1167 [GMT -5:00]
Running from: c:\users\Brook\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\1Ay566poP.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\2kx4Boba.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\2nABy54xl.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\3N14VSt.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\3R4w4EBud.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\422D06.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\44S606A63.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\4613MOj87.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\5175D.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\6ebFlEh.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\AnNy5Xa5.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\b608y.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\gBYQ8.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\ic072e.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\j6Yk1aj.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\lNk77XBk.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\m2vPet.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\ooX45ykx.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\UYFwny.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\X88bYJX7.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\Xke4Jkxv.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\XmJ33.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\Y0tt15Ur.jpg
c:\users\Brook\AppData\Local\Microsoft\Windows\Temporary Internet Files\yjm6XaMM.jpg
c:\users\Brook\AppData\Roaming\completescan
c:\users\Brook\AppData\Roaming\install
c:\users\Brook\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 17:18 . 2010-11-14 17:22 -------- d-----w- c:\users\Brook\AppData\Local\temp
2010-11-14 17:18 . 2010-11-14 17:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-08 16:24 . 2010-11-08 16:24 -------- d-----w- c:\program files\Runtime Software
2010-11-08 16:16 . 2010-11-14 02:37 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-07 02:06 . 2010-11-07 02:06 -------- d-----w- c:\users\Brook\AppData\Roaming\AVG10
2010-11-07 02:02 . 2010-11-07 02:02 -------- d--h--w- c:\programdata\Common Files
2010-11-07 01:58 . 2010-11-14 02:19 -------- d-----w- c:\programdata\AVG10
2010-11-07 01:58 . 2010-11-07 01:58 -------- d-----w- c:\program files\AVG
2010-11-07 01:51 . 2010-11-07 01:58 -------- d-----w- c:\programdata\MFAData
2010-10-27 22:37 . 2010-10-27 22:37 -------- dc----w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-10-27 21:06 . 2010-10-27 21:06 -------- d-----w- c:\users\Brook\AppData\Roaming\SUPERAntiSpyware.com
2010-10-27 21:06 . 2010-10-28 01:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-27 20:17 . 2010-10-27 20:17 -------- d-----w- c:\users\Brook\AppData\Roaming\InstallShield
2010-10-27 19:49 . 2010-10-27 19:49 388096 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-27 19:49 . 2010-10-27 19:49 -------- d-----w- c:\program files\Trend Micro
2010-10-20 21:27 . 2010-10-20 21:27 -------- d-----w- c:\users\Brook\AppData\Roaming\Thunderbird
2010-10-20 21:27 . 2010-10-20 21:27 -------- d-----w- c:\users\Brook\AppData\Local\Thunderbird
2010-10-20 03:48 . 2010-10-20 03:48 204 ----a-w- c:\users\Brook\AppData\Roaming\19427.bat
2010-10-18 14:56 . 2010-10-18 14:56 -------- d-----w- c:\windows\system32\EventProviders
2010-10-17 20:37 . 2010-10-17 20:37 1409 ----a-w- c:\windows\QTFont.for
2010-10-16 18:26 . 2010-10-16 18:26 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 19:36 . 2010-09-15 19:36 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-09-09 22:52 . 2010-10-12 06:04 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4E33A3C5-726C-4E29-BB3D-E443901FB82D}\mpengine.dll
2010-08-17 13:32 . 2010-09-15 16:19 126464 ----a-w- c:\windows\system32\spoolsv.exe
2007-10-09 02:24 . 2007-10-09 02:24 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PHOTOfunSTUDIO HD Edition.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PHOTOfunSTUDIO HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO HD Edition.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Mopy Points Collector.lnk]
path=c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mopy Points Collector.lnk
backup=c:\windows\pss\Mopy Points Collector.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Picture Mover.lnk]
path=c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Picture Mover.lnk
backup=c:\windows\pss\Snapfish Picture Mover.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-09 21:59 115816 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44 1773568 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2006-09-28 13:42 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 16:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2010-04-08 18:38 6690080 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacrokeyManager]
2008-01-22 14:50 1969824 ----a-w- c:\windows\System32\WTMKM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-22 19:49 13539872 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-22 19:49 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 10:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-07 16:08 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-11-29 00:51 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-04-23 23:58 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2008-01-19 07:36 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R0 hghit;hghit;c:\windows\System32\drivers\gswouq.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SASENUM;SASENUM;c:\users\Brook\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-06-21 218592]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070913.004\IDSvix86.sys [2007-09-13 180272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-02-18 368288]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{63D7DC33-B3F3-4061-B53F-267DC43412B2}.job
- c:\windows\system32\msfeedssync.exe [2008-06-06 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Brook\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\Brook\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\Brook\Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSConfigStartUp-EasyLinkAdvisor - c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
MSConfigStartUp-Ulead AutoDetector v2 - c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-zzz_ImInstaller_IncrediMail - c:\users\Brook\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe
AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 12:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SEPB0EF.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x87CACEC5]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8649f872; SUB DWORD [EBP-0x4], 0x8649f12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82AD105F] -> \Device\Harddisk0\DR0[0x86479178]
3 CLASSPNP[0x885A1745] -> ntkrnlpa!IofCallDriver[0x82AD105F] -> [0x86479A40]
5 PCTCore[0x88012EAE] -> ntkrnlpa!IofCallDriver[0x82AD105F] -> [0x84B8F5C0]
7 acpi[0x806426A0] -> ntkrnlpa!IofCallDriver[0x82AD105F] -> [0x85543838]
[0x87D392F8] -> IRP_MJ_CREATE -> 0x87CACEC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\00000056 -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD320KJ#4&4d7cbb2&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-11-14 12:35:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 17:34

Pre-Run: 240,605,835,264 bytes free
Post-Run: 240,737,280,000 bytes free

- - End Of File - - 04D365C20DB12B224B23420DE8D1681B


6) Okay, after the scan it restarted the computer, then gave me the log. I then tried to open Firefox to come back and respond to you, but it told me the action failed because the Firefox registry key was marked for deletion. I tried Internet Explorer and got the same message. I restarted in Safe Mode with Networking and it let me on…and that’s where I am now.

I feel like I did something very wrong, and I’m hoping that isn’t the case…

#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:45 AM

Posted 14 November 2010 - 01:33 PM

Hello, Residual.

You didn't do anything wrong, but you still are infected. Before we run CF again, let's run TDSSKiller.

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#10 Residual

Residual
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 14 November 2010 - 01:45 PM

Oh good. Yay, internet is back!


TDSS Log:

2010/11/14 13:41:00.0093 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/14 13:41:00.0093 ================================================================================
2010/11/14 13:41:00.0093 SystemInfo:
2010/11/14 13:41:00.0093
2010/11/14 13:41:00.0093 OS Version: 6.0.6001 ServicePack: 1.0
2010/11/14 13:41:00.0093 Product type: Workstation
2010/11/14 13:41:00.0093 ComputerName: BROOK-PC
2010/11/14 13:41:00.0093 UserName: Brook
2010/11/14 13:41:00.0093 Windows directory: C:\Windows
2010/11/14 13:41:00.0093 System windows directory: C:\Windows
2010/11/14 13:41:00.0093 Processor architecture: Intel x86
2010/11/14 13:41:00.0093 Number of processors: 2
2010/11/14 13:41:00.0093 Page size: 0x1000
2010/11/14 13:41:00.0093 Boot type: Safe boot with network
2010/11/14 13:41:00.0093 ================================================================================
2010/11/14 13:41:00.0499 Initialize success
2010/11/14 13:41:07.0675 ================================================================================
2010/11/14 13:41:07.0675 Scan started
2010/11/14 13:41:07.0675 Mode: Manual;
2010/11/14 13:41:07.0675 ================================================================================
2010/11/14 13:41:08.0611 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2010/11/14 13:41:08.0658 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/11/14 13:41:08.0689 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/11/14 13:41:08.0736 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/11/14 13:41:08.0767 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/11/14 13:41:08.0861 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
2010/11/14 13:41:08.0939 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2010/11/14 13:41:09.0032 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/11/14 13:41:09.0079 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/11/14 13:41:09.0110 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2010/11/14 13:41:09.0141 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/11/14 13:41:09.0173 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2010/11/14 13:41:09.0235 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/11/14 13:41:09.0266 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/11/14 13:41:09.0344 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/11/14 13:41:09.0391 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/11/14 13:41:09.0453 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/11/14 13:41:09.0500 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2010/11/14 13:41:09.0594 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/11/14 13:41:09.0719 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/11/14 13:41:09.0781 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/11/14 13:41:09.0797 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/11/14 13:41:09.0859 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/11/14 13:41:09.0890 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/11/14 13:41:09.0921 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/11/14 13:41:09.0953 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/11/14 13:41:09.0999 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/11/14 13:41:10.0140 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/11/14 13:41:10.0218 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\Windows\system32\drivers\cdrbsdrv.sys
2010/11/14 13:41:10.0265 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2010/11/14 13:41:10.0296 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/11/14 13:41:10.0327 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2010/11/14 13:41:10.0374 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2010/11/14 13:41:10.0421 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
2010/11/14 13:41:10.0452 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/11/14 13:41:10.0499 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/11/14 13:41:10.0561 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2010/11/14 13:41:10.0655 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2010/11/14 13:41:10.0701 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2010/11/14 13:41:10.0764 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2010/11/14 13:41:10.0842 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2010/11/14 13:41:10.0920 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/11/14 13:41:10.0967 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2010/11/14 13:41:11.0013 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/11/14 13:41:11.0123 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2010/11/14 13:41:11.0216 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/11/14 13:41:11.0325 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2010/11/14 13:41:11.0372 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2010/11/14 13:41:11.0403 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/11/14 13:41:11.0466 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/11/14 13:41:11.0513 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/11/14 13:41:11.0544 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/11/14 13:41:11.0591 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2010/11/14 13:41:11.0653 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
2010/11/14 13:41:11.0684 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/11/14 13:41:11.0715 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/11/14 13:41:11.0809 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/11/14 13:41:11.0840 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/11/14 13:41:11.0918 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/11/14 13:41:11.0934 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/11/14 13:41:11.0996 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2010/11/14 13:41:12.0043 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/11/14 13:41:12.0152 HSF_DP (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
2010/11/14 13:41:12.0215 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2010/11/14 13:41:12.0261 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2010/11/14 13:41:12.0293 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/11/14 13:41:12.0355 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/11/14 13:41:12.0433 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/11/14 13:41:12.0573 IDSvix86 (9e453b17d70fc2dd332510033a3c0499) C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070913.004\IDSvix86.sys
2010/11/14 13:41:12.0620 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/11/14 13:41:12.0776 IntcAzAudAddService (edc37b918e583a5a813c53d4f5588255) C:\Windows\system32\drivers\RTKVHDA.sys
2010/11/14 13:41:12.0823 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2010/11/14 13:41:12.0854 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2010/11/14 13:41:12.0932 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/11/14 13:41:12.0995 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/11/14 13:41:13.0026 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/11/14 13:41:13.0073 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/11/14 13:41:13.0088 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/11/14 13:41:19.0687 tdx (6baefa1f29c279f0966cdaa9d1173b29) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/14 13:41:19.0687 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 6baefa1f29c279f0966cdaa9d1173b29, Fake md5: d09276b1fab033ce1d40dcbdf303d10f
2010/11/14 13:41:19.0687 tdx - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/14 13:41:21.0809 ================================================================================
2010/11/14 13:41:21.0809 Scan finished
2010/11/14 13:41:21.0809 ================================================================================
2010/11/14 13:41:21.0840 Detected object count: 1
2010/11/14 13:41:45.0427 tdx (6baefa1f29c279f0966cdaa9d1173b29) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/14 13:41:45.0427 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 6baefa1f29c279f0966cdaa9d1173b29, Fake md5: d09276b1fab033ce1d40dcbdf303d10f
2010/11/14 13:41:45.0708 Backup copy found, using it..
2010/11/14 13:41:45.0833 C:\Windows\system32\DRIVERS\tdx.sys - will be cured after reboot
2010/11/14 13:41:45.0833 Rootkit.Win32.TDSS.tdl3(tdx) - User select action: Cure
2010/11/14 13:41:52.0884 Deinitialize success

#11 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 14 November 2010 - 02:49 PM

Hello, Residual.

OK, it found the TDL3 backdoor rootkit. I need to provide this warning.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and has been killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Step 1

Ok, please right-click on the Combofix link above and you should see "save link as" or "save target as" in the menu that pops up. Select that, then save it to your desktop as etavaresCF.exe .

After that, please follow the instructions below.



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

File::
C:\Users\Brook\AppData\Roaming\19427.bat
C:\Users\Brook\AppData\Local\B5XE5d7g
C:\ProgramData\B5XE5d7g
C:\Users\Brook\AppData\Local\8kUL5H5g
C:\ProgramData\8kUL5H5g
C:\Users\Brook\AppData\Local\nO4L
C:\Users\Brook\AppData\Local\B7jiOM
C:\Users\Brook\AppData\Local\qKbiKFB76
c:\windows\System32\drivers\gswouq.sys
Folder::
C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
Driver::
hghit
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#12 Residual

Residual
  • Topic Starter

  • Members
  • 34 posts

Posted 14 November 2010 - 07:46 PM

That...doesn't sound good at all. Arg.

New Log:

ComboFix 10-11-14.01 - Brook 11/14/2010 19:14:49.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1009 [GMT -5:00]
Running from: c:\users\Brook\Desktop\etavaresCF.exe
Command switches used :: c:\users\Brook\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\8kUL5H5g"
"c:\programdata\B5XE5d7g"
"c:\users\Brook\AppData\Local\8kUL5H5g"
"c:\users\Brook\AppData\Local\B5XE5d7g"
"c:\users\Brook\AppData\Local\B7jiOM"
"c:\users\Brook\AppData\Local\nO4L"
"c:\users\Brook\AppData\Local\qKbiKFB76"
"c:\users\Brook\AppData\Roaming\19427.bat"
"c:\windows\System32\drivers\gswouq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
c:\programdata\8kUL5H5g
c:\programdata\B5XE5d7g
c:\users\Brook\AppData\Local\8kUL5H5g
c:\users\Brook\AppData\Local\B5XE5d7g
c:\users\Brook\AppData\Local\B7jiOM
c:\users\Brook\AppData\Local\nO4L
c:\users\Brook\AppData\Local\qKbiKFB76
c:\users\Brook\AppData\Roaming\19427.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hghit


((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-15 00:27 . 2010-11-15 00:29 -------- d-----w- c:\users\Brook\AppData\Local\temp
2010-11-15 00:27 . 2010-11-15 00:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-14 20:25 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FA36EA8A-95A3-48F1-A06F-358FC8628B3B}\mpengine.dll
2010-11-08 16:24 . 2010-11-08 16:24 -------- d-----w- c:\program files\Runtime Software
2010-11-08 16:16 . 2010-11-14 02:37 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-07 02:06 . 2010-11-07 02:06 -------- d-----w- c:\users\Brook\AppData\Roaming\AVG10
2010-11-07 02:02 . 2010-11-07 02:02 -------- d--h--w- c:\programdata\Common Files
2010-11-07 01:58 . 2010-11-14 02:19 -------- d-----w- c:\programdata\AVG10
2010-11-07 01:58 . 2010-11-07 01:58 -------- d-----w- c:\program files\AVG
2010-11-07 01:51 . 2010-11-07 01:58 -------- d-----w- c:\programdata\MFAData
2010-10-27 21:06 . 2010-10-27 21:06 -------- d-----w- c:\users\Brook\AppData\Roaming\SUPERAntiSpyware.com
2010-10-27 21:06 . 2010-10-28 01:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-27 20:17 . 2010-10-27 20:17 -------- d-----w- c:\users\Brook\AppData\Roaming\InstallShield
2010-10-27 19:49 . 2010-10-27 19:49 388096 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-27 19:49 . 2010-10-27 19:49 -------- d-----w- c:\program files\Trend Micro
2010-10-20 21:27 . 2010-10-20 21:27 -------- d-----w- c:\users\Brook\AppData\Roaming\Thunderbird
2010-10-20 21:27 . 2010-10-20 21:27 -------- d-----w- c:\users\Brook\AppData\Local\Thunderbird
2010-10-18 14:56 . 2010-10-18 14:56 -------- d-----w- c:\windows\system32\EventProviders
2010-10-16 18:26 . 2010-10-16 18:26 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 18:42 . 2008-06-06 03:10 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2010-10-19 15:41 . 2009-10-03 01:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-15 19:36 . 2010-09-15 19:36 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-08-17 13:32 . 2010-09-15 16:19 126464 ----a-w- c:\windows\system32\spoolsv.exe
2007-10-09 02:24 . 2007-10-09 02:24 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PHOTOfunSTUDIO HD Edition.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PHOTOfunSTUDIO HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO HD Edition.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Mopy Points Collector.lnk]
path=c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mopy Points Collector.lnk
backup=c:\windows\pss\Mopy Points Collector.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Picture Mover.lnk]
path=c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Picture Mover.lnk
backup=c:\windows\pss\Snapfish Picture Mover.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-09 21:59 115816 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44 1773568 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2006-09-28 13:42 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 16:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2010-04-08 18:38 6690080 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacrokeyManager]
2008-01-22 14:50 1969824 ----a-w- c:\windows\System32\WTMKM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-22 19:49 13539872 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-22 19:49 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 10:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-07 16:08 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-11-29 00:51 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-04-23 23:58 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2008-01-19 07:36 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SASENUM;SASENUM;c:\users\Brook\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-06-21 218592]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070913.004\IDSvix86.sys [2007-09-13 180272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-02-18 368288]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\User_Feed_Synchronization-{63D7DC33-B3F3-4061-B53F-267DC43412B2}.job
- c:\windows\system32\msfeedssync.exe [2008-06-06 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\Brook\AppData\Roaming\Mozilla\Firefox\Profiles\xfs1eu84.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Brook\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\Brook\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\Brook\Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 19:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2010-11-14 19:39:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-15 00:39
ComboFix2.txt 2010-11-14 17:35

Pre-Run: 241,321,254,912 bytes free
Post-Run: 241,273,364,480 bytes free

- - End Of File - - 9A3ABF9E80846AA5B2D2DF1E2179B247

It's giving me the same message about the Firefox and IE registry keys being marked for deletion.

Edited by Residual, 14 November 2010 - 07:48 PM.


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 15 November 2010 - 06:45 PM

OK, reboot the computer. Do you still get that message? An extra reboot often clears it.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#14 Residual

Residual
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 15 November 2010 - 08:57 PM

Yeah, the reboot fixed it. So far it looks like the redirecting has stopped! I also haven't seen the 'Host Process' error pop up yet but I haven't been on for very long so I can't be positive on that one.

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 17 November 2010 - 07:44 PM

Hello, Residual.

Looking better. Let's push on. Any issues come back or has it been running OK?



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 22 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 22 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java™ 6 Update 11
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.




Step 2

You are using an outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    SRV - File not found [Disabled | Stopped] -- C:\Windows\System32\atashost.exe -- (atashost)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Brook\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS -- (SASENUM)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\gswouq.sys -- (hghit)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
    IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    @Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:AC707B50
    @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:C22674B6
    @Alternate Data Stream - 1605 bytes -> C:\Users\Brook\Documents\RE_ Fw_ PLEEEEEEEEEZ send this back, you'll see why.eml:OECustomProperty
    @Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:8B2A99C5
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:80ED6380
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:FA42DF8E
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:D055FC10
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:0A73A758
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:E55CE2D1
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:9398DBB4
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:7290F122
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:D31BE97C
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:1A6AFE3D
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E5294695
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:21F28B00
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:FB384C06
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:DE47A3DA
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:85C3B823
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:48FEA089
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:13B137AF
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9ACB70D7
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:101708D3
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:699C6EB5
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:B894C266
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:A7DA2BCD
    @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:580E04D8
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:2ABEB9EB
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:F01E7F17
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:4673E9EA
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:EC2381A4
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:0AC32449
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:A73EAFFB
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:0D31DA45
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:EC0A74A1
    @Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:598E0FFA
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:F65733F1
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    @Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:7A0EFE63
    @Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:E2CD81E1
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:E32966C0
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:BD9F7E4E
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:90B52091
    @Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:E8BDF4DE
    @Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:FC4EA67C
    @Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:11201333
    @Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:A296A63F
    @Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:3214A283
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 4

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 5

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
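The OTL fix script in Step 3 above is a mix of several entry kinds: service and driver registrations whose binary is missing, an Internet Explorer ProxyEnable setting, a browser helper object with no CLSID, alternate data streams under C:\ProgramData\TEMP, and Trusted Ranges entries. The following Python is an added example (not code from the thread, from OTL, or from its author) that parses a handful of those lines, copied from the script, into structured entries and summarises what each class of item means for a defender reading the log. The line patterns are inferred from the lines shown on this page, and the category names (orphaned_driver, proxy_setting, ads, and so on) are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the OTL fix script in the post above,
# in the layout OTL uses (an ":OTL" section followed by a ":Commands" section).
SAMPLE_SCRIPT = r"""
:OTL
SRV - File not found [Disabled | Stopped] -- C:\Windows\System32\atashost.exe -- (atashost)
DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\gswouq.sys -- (hghit)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
IE - HKU\S-1-5-21-1695537567-279981648-2791948041-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:AC707B50
@Alternate Data Stream - 1605 bytes -> C:\Users\Brook\Documents\RE_ Fw_ PLEEEEEEEEEZ send this back, you'll see why.eml:OECustomProperty
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
:Commands
[EmptyTemp]
"""

# Line patterns inferred from the script lines on this page (assumption: OTL keeps this layout).
SERVICE_RE = re.compile(r'^(?P<kind>SRV|DRV) - File not found \[(?P<flags>[^\]]+)\] -- '
                        r'(?P<path>.+?) -- \((?P<name>[^)]+)\)$')
PROXY_RE = re.compile(r'^IE - (?P<key>HKU\\.+?): "(?P<value>\w+)" = (?P<data>\d+)$')
BHO_RE = re.compile(r'^O2 - BHO: \((?P<label>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<detail>.+)$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$')
TRUSTED_RE = re.compile(r'^O15 - (?P<hive>.+?)\\\.\.Trusted Ranges: (?P<range>.+)$')


def parse_otl_fix(text):
    """Parse an OTL fix script into entry dicts; lines that match no pattern are kept as 'raw'."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(':'):          # section header such as :OTL or :Commands
            section = line[1:]
            continue
        if section == 'Commands':         # e.g. [EmptyTemp]
            entries.append({'type': 'command', 'name': line.strip('[]')})
            continue
        m = SERVICE_RE.match(line)
        if m:                             # registration exists but the binary on disk does not
            flags = [f.strip() for f in m['flags'].split('|')]
            entries.append({'type': 'orphaned_service' if m['kind'] == 'SRV' else 'orphaned_driver',
                            'name': m['name'], 'path': m['path'], 'flags': flags,
                            'boot_start': 'Boot' in flags})
            continue
        m = PROXY_RE.match(line)
        if m:                             # per-user IE proxy setting written to HKU
            entries.append({'type': 'proxy_setting', 'key': m['key'], 'value': m['value'],
                            'data': int(m['data'])})
            continue
        m = BHO_RE.match(line)
        if m:                             # browser helper object; no CLSID means a dangling registration
            entries.append({'type': 'bho', 'label': m['label'], 'clsid': m['clsid'],
                            'missing_clsid': 'No CLSID value found' in m['detail']})
            continue
        m = ADS_RE.match(line)
        if m:                             # NTFS alternate data stream: "path:stream"
            path, stream = m['target'].rsplit(':', 1)
            entries.append({'type': 'ads', 'size': int(m['size']), 'path': path, 'stream': stream})
            continue
        m = TRUSTED_RE.match(line)
        if m:                             # IE zone "Trusted Ranges" entry for a user hive
            entries.append({'type': 'trusted_range', 'hive': m['hive'], 'range': m['range']})
            continue
        entries.append({'type': 'raw', 'line': line})
    return entries


def summarize(entries):
    """Collapse parsed entries into the facts a responder checks first."""
    return {
        'counts': Counter(e['type'] for e in entries),
        # A boot-start driver whose file is gone is a leftover the loader still tries each boot.
        'boot_start_orphans': [e['name'] for e in entries
                               if e['type'] == 'orphaned_driver' and e['boot_start']],
        # ProxyEnable=1 routes browser traffic through a proxy; with redirects reported, reset it.
        'proxy_enabled': any(e['type'] == 'proxy_setting' and e['value'] == 'ProxyEnable'
                             and e['data'] == 1 for e in entries),
        # Many small streams on one directory stand out; group them by host path.
        'ads_by_path': Counter(e['path'] for e in entries if e['type'] == 'ads'),
        'trusted_ranges': [e['hive'] for e in entries if e['type'] == 'trusted_range'],
    }


if __name__ == '__main__':
    report = summarize(parse_otl_fix(SAMPLE_SCRIPT))
    for key, value in report.items():
        print(f'{key}: {dict(value) if isinstance(value, Counter) else value}')
```

Running it on the sample prints the per-type counts, the one boot-start orphan (hghit), that ProxyEnable is set, and the stream count per host path; pointing `parse_otl_fix` at the full script from the post gives the same breakdown for all fifty-odd lines.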
 




