Google Redirect Virus
208 replies to this topic

#1 docvern

Posted 06 December 2010 - 08:12 AM

Hello Guys. Hope everyone is having a good day.

I am writing with a problem I have seen elsewhere on this site.

I have the problem of all searches in my browsers going to a random site.

I saw a fix on http://ezinearticles.com/ that said I should download Combofix and then paste the following text into a txt file and drag it into Combofix:

c:\windows\system32\winupdate.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\AVR09.exe
c:\Program Files\AdvancedVirusRemover\PAVRM.ex

I did this but Combofix would not run properly as it says I have AVG running. The thing is, as far as I am aware I don't have anything connected to AVG on my computer. I have Spyware Doctor but I disabled that.

Anyway, I am kind of new to this kind of stuff, but if anyone is available to help me I would appreciate it.

Thanks



I should add I tried to run the DDS thing to get my logs, but it would only save it as an AutoCAD Script file whatever I did and wouldn't work properly.

Edited by docvern, 06 December 2010 - 06:18 PM.


#2 gringo_pr (Malware Response Team)

Posted 13 December 2010 - 08:07 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine. If it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.





Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 docvern


Posted 14 December 2010 - 05:20 PM

Hello Gringo and thanks for trying to help.

I have downloaded all three types of the DDS. I cannot run the .scr one as it comes in as an AutoCAD script file and is just mumbo jumbo in Notepad. The other two I have opened, but both have frozen my computer up at about the 2 minute mark. I have tried disabling Security Centre (I am on XP) but that has not helped. My machine freezes right up at the same point every time I run the scan and I have to hold down my power key to restart.

I do have Spyware Doctor but I have disabled this also.

Any suggestions?

Thanks again.

Doc

#4 gringo_pr


Posted 14 December 2010 - 05:50 PM

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top.
  • Download the following file, scan.txt, to your Desktop. Click here to download it. You may need to right click on it and select "Save".
  • Double click inside the Custom Scan box at the bottom.
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel".
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop.
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the OTL.Txt into this topic and please attach the Extras.Txt.

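Once an OTL log comes back, the lines a responder reads first are the autorun entries (O4), the Winlogon values (O20) and the running processes (PRC). The script below is an added example and is not part of this thread, of OTL, or of the OldTimer tools: it parses lines in OTL's own output format and flags the patterns that usually separate an infected entry from a vendor one, namely a core Windows binary name (svchost.exe, explorer.exe, ...) living outside the Windows directory, an autorun that launches from a user-writable folder such as Application Data or Local Settings\Temp, a Winlogon UserInit or Shell value that no longer points at the expected binary, and entries whose file is gone. The sample lines are constructed test input modelled on the log format posted in this thread; the heuristics, the `SYSTEM_NAMES` and `USER_WRITABLE` lists and the expected Winlogon paths are this example's own assumptions (they are tuned for a 32-bit Windows XP layout), not rules shipped with the tool.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input in OTL's PRC / O4 / O20 line format, modelled on the
# log posted in this thread (test data for this script, not the log itself).
SAMPLE_LOG = r"""
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\DOCTOR\Application Data\svchost.exe (Macromedia, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [nonep] C:\Documents and Settings\DOCTOR\Local Settings\Temp\tmpe82c9956\KillEXE.exe ()
O4 - HKCU..\Run: [{1462F0B0-D4D3-82F3-6D35-C014996BB157}] C:\Documents and Settings\DOCTOR\Application Data\Etzo\voxie.exe (www.moofdev.net)
O4 - HKCU..\Run: [svchost] C:\Documents and Settings\DOCTOR\Application Data\svchost.exe (Macromedia, Inc.)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\xoJworIlBsgbxuqkn.exe\sgbxuqkn.exe) - C:\Program Files\xoJworIlBsgbxuqkn.exe\sgbxuqkn.exe File not found
"""

LINE_RE = re.compile(r"^(?P<kind>PRC|O4|O20) - (?P<rest>.+)$")
# OTL ends a path with either " (Company Name)" or " File not found"; peel that off
# so that paths containing parentheses, e.g. "Program Files (x86)", survive intact.
STATUS_RE = re.compile(r"^(?P<body>.*?)(?: \((?P<company>[^()]*)\)| (?P<missing>File not found))?$")
WINLOGON_RE = re.compile(r"Winlogon: (?P<value>\w+) - ")

# Assumption: core Windows binary names that malware borrows. Genuine copies live
# under %SystemRoot%, so the same name elsewhere is a strong signal on its own.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
                "lsass.exe", "csrss.exe", "services.exe"}
# Assumption: folders an unprivileged XP user can write to, lower-cased fragments.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\temp\\", "\\application data\\")
# Assumption: where the Winlogon values point on a clean 32-bit XP install.
EXPECTED_WINLOGON = {"userinit": "c:\\windows\\system32\\userinit.exe",
                     "shell": "c:\\windows\\explorer.exe"}


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_line(line):
    """Split a PRC/O4/O20 line into (kind, body, path, company, missing); None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    s = STATUS_RE.match(m["rest"])
    body = s["body"]
    # The path is the last "X:\..." token of the body: O4 lines prefix it with the
    # bracketed value name, O20 lines repeat it once inside parentheses.
    idx = body.rfind(":\\")
    path = body[idx - 1:] if idx > 0 else None
    return m["kind"], body, path, s["company"], s["missing"] is not None


def assess(kind, body, path, company, missing):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    reasons = []
    if path is None:
        if missing:
            reasons.append("orphaned entry (no file on disk)")
        return reasons
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"system binary name '{name}' outside the Windows directory")
    if kind in ("O4", "PRC") and any(seg in low for seg in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if kind == "O4" and company == "" and not missing:
        reasons.append("no company name in the executable's version info")
    if kind == "O20":
        w = WINLOGON_RE.search(body)
        expected = EXPECTED_WINLOGON.get(w["value"].lower()) if w else None
        if expected and low != expected:
            reasons.append(f"Winlogon {w['value']} points to {path} instead of {expected}")
        if missing:
            reasons.append("referenced file is missing (entry survived a partial cleanup)")
    return reasons


def triage(log_text):
    """Run every recognised line through assess() and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        reasons = assess(*parsed)
        if reasons:
            findings.append(Finding(raw.strip(), parsed[2], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the constructed sample the script flags six entries: both copies of the svchost.exe running from Application Data, the two autoruns launched from Temp and from Application Data, the UserInit value that points at a folder named like an executable, and the orphaned NDSTray.exe entry, while the Sonic and TOSHIBA entries pass. Orphaned O4 entries are common leftovers and are reported at the bottom of the priority list; the Winlogon and system-name hits are the ones to act on first.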

#5 docvern


Posted 14 December 2010 - 06:30 PM

Hello. Sorry, but the link to download the scan file just takes me to the Geeks to Go forum page.

Thanks

#6 gringo_pr


Posted 14 December 2010 - 06:33 PM

I have attached the file.


Gringo

#7 docvern


Posted 14 December 2010 - 06:41 PM

OTL logfile created on: 14/12/2010 23:35:21 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\DOCTOR\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 204.00 Mb Available Physical Memory | 29.00% Memory free
1,004.00 Mb Paging File | 244.00 Mb Available in Paging File | 24.00% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 6.23 Gb Free Space | 11.15% Space Free | Partition Type: NTFS

Computer Name: JAMES | User Name: DOCTOR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\DOCTOR\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\DOCTOR\Application Data\svchost.exe (Macromedia, Inc.)
PRC - c:\Program Files\Microsoft Silverlight\4.0.50917.0\agcp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
PRC - C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)
PRC - C:\Program Files\TOSHIBA\Tvs\TvsTray.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe (TOSHIBA)
PRC - C:\Program Files\TalkTalk\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
PRC - C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\system32\acs.exe ()
PRC - C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe (THOMSON Telecom Belgium)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\DOCTOR\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\AcSignIcon.dll (Autodesk, Inc.)
MOD - C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll (Autodesk, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\framedyn.dll (Microsoft Corporation)
MOD - C:\Program Files\TalkTalk\bin\sprthook.dll (SupportSoft, Inc.)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- C:\ComboFix\PEV.cfx File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (KService) -- C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
SRV - (TAPPSRV) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe ()
SRV - (CFSvcs) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (Tvs) -- C:\WINDOWS\system32\drivers\Tvs.sys (TOSHIBA Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (TVALD) -- C:\WINDOWS\system32\drivers\NBSMI.sys (Toshiba Corporation)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\system32\drivers\alcan5wn.sys (THOMSON)
DRV - (alcaudsl) -- C:\WINDOWS\system32\drivers\alcaudsl.sys (THOMSON)
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://bbc.co.uk"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/04 18:25:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/04 18:25:37 | 000,000,000 | ---D | M]

[2009/01/09 22:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Mozilla\Extensions
[2010/12/08 08:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Mozilla\Firefox\Profiles\06e2fuoe.default\extensions
[2009/09/04 22:34:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\DOCTOR\Application Data\Mozilla\Firefox\Profiles\06e2fuoe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/08 19:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Mozilla\Firefox\Profiles\06e2fuoe.default\extensions\moveplayer@movenetworks.com
[2010/12/08 08:28:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/07/30 20:49:26 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

O1 HOSTS File: ([2010/12/05 12:02:24 | 000,000,602 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe File not found
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [nonep] C:\Documents and Settings\DOCTOR\Local Settings\Temp\tmpe82c9956\KillEXE.exe ()
O4 - HKLM..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe (TOSHIBA)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe (THOMSON Telecom Belgium)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TalkTalk] C:\Program Files\TalkTalk\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [THotkey] C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [{1462F0B0-D4D3-82F3-6D35-C014996BB157}] C:\Documents and Settings\DOCTOR\Application Data\Etzo\voxie.exe (www.moofdev.net)
O4 - HKCU..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKCU..\Run: [svchost] C:\Documents and Settings\DOCTOR\Application Data\svchost.exe (Macromedia, Inc.)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2006/12/01 21:51:11 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2006/12/01 21:51:11 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2006/12/01 21:51:11 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2006/12/01 21:51:11 | 000,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab (Citrix ICA Client)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.co.uk/SnapfishUKActivia.cab (Snapfish Activia)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB (MSN Music Mediabar)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} http://chat.yahoo.com/cab/yvwrctl.cab (Yahoo! Webcam Viewer Wrapper)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\xoJworIlBsgbxuqkn.exe\sgbxuqkn.exe) - C:\Program Files\xoJworIlBsgbxuqkn.exe\sgbxuqkn.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\DOCTOR\My Documents\My Pictures\DOCTOR.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\DOCTOR\My Documents\My Pictures\DOCTOR.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/21 17:52:39 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2005/12/08 13:11:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{485bc13b-78d1-11df-b3bc-0011f5eb29db}\Shell\AutoRun\command - "" = Autorun.exe /run
O33 - MountPoints2\{485bc13b-78d1-11df-b3bc-0011f5eb29db}\Shell\Shell00\Command - "" = Autorun.exe /run
O33 - MountPoints2\{485bc13b-78d1-11df-b3bc-0011f5eb29db}\Shell\Shell01\Command - "" = Autorun.exe /action
O33 - MountPoints2\{485bc13b-78d1-11df-b3bc-0011f5eb29db}\Shell\Shell02\Command - "" = Autorun.exe /uninstall
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ffdshow.ax ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

MsConfig - StartUpReg: 4oD - hkey= - key= - C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
MsConfig - StartUpReg: Aim6 - hkey= - key= - C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe (America Online, Inc.)
MsConfig - StartUpReg: BitTorrent - hkey= - key= - C:\Program Files\BitTorrent\bittorrent.exe File not found
MsConfig - StartUpReg: HostManager - hkey= - key= - C:\Program Files\Common Files\AOL\1158508828\ee\aolsoftware.exe (America Online, Inc.)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: kdx - hkey= - key= - C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\MSN Messenger\MsnMsgr.Exe File not found
MsConfig - StartUpReg: MySpaceIM - hkey= - key= - C:\Program Files\MySpace\IM\MySpaceIM.exe ()
MsConfig - StartUpReg: POEngine - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: Skype - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: Veoh - hkey= - key= - C:\Program Files\Veoh Networks\Veoh\VeohClient.exe File not found
MsConfig - StartUpReg: Yahoo! Pager - hkey= - key= - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - C:\ComboFix\PEV.cfx File not found
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sdauxservice - C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SafeBootMin: sdcoreservice - C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - C:\ComboFix\PEV.cfx File not found
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sdauxservice - C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SafeBootNet: sdcoreservice - C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4F49F0C1-EA93-06FF-CDA6-6A9ABDDEEC84} - Adobe Shockwave Director 10.4
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A73E8A5-0893-0409-5A28-A3A6855EF79F} - Java (Sun)
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5C085E1C-1288-7758-BB2E-6A7D887E28EA} - Browser Customizations
ActiveX: {5E3B7C76-7A76-DE77-677C-C2102F88E20E} - Java (Sun)
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {7BCA3F67-10E2-9D6D-BCF2-CAB0772B32BD} - Browser Customizations
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

========== Files/Folders - Created Within 30 Days ==========

[2010/12/14 23:25:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DOCTOR\Desktop\OTL.exe
[2010/12/13 20:18:45 | 000,187,392 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\DOCTOR\Application Data\svchost.exe
[2010/12/12 16:40:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/12/12 16:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/12/12 16:29:23 | 000,000,000 | ---D | C] -- C:\Program Files\swdfk5
[2010/12/11 15:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\swdfk
[2010/12/08 19:59:03 | 000,000,000 | ---D | C] -- C:\Program Files\win
[2010/12/06 16:35:32 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/12/06 12:41:36 | 000,000,000 | ---D | C] -- C:\Program Files\windows
[2010/12/06 12:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\xoJworIlBsgbxuqkn.exe
[2010/12/05 18:24:59 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/12/05 18:24:59 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/12/05 18:24:59 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/12/05 18:24:59 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/12/05 17:03:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/12/05 16:54:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/12/05 16:51:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/04 23:39:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/12/02 11:44:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DOCTOR\Desktop\mecca
[2005/12/08 14:34:45 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2004/11/24 18:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/14 23:33:02 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/14 23:26:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DOCTOR\Desktop\OTL.exe
[2010/12/14 22:29:55 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/14 22:15:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/14 22:14:15 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/14 22:13:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/14 22:13:46 | 736,333,824 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/14 21:47:23 | 000,624,640 | ---- | M] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.pif
[2010/12/14 21:31:58 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.com
[2010/12/14 21:30:29 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\DOCTOR\defogger_reenable
[2010/12/14 21:29:05 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\DOCTOR\Desktop\Defogger.exe
[2010/12/13 20:34:39 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/12/13 20:18:40 | 000,187,392 | ---- | M] (Macromedia, Inc.) -- C:\Documents and Settings\DOCTOR\Application Data\svchost.exe
[2010/12/06 23:14:47 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.scr
[2010/12/06 16:24:55 | 003,985,074 | R--- | M] () -- C:\Documents and Settings\DOCTOR\Desktop\ComboFix.exe
[2010/12/05 17:03:33 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/12/05 09:49:48 | 000,443,444 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/05 09:49:48 | 000,072,498 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/02 12:00:00 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\Schedule Task Weekly.job
[2010/12/02 11:27:22 | 000,001,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google SketchUp 8.lnk
[2010/11/28 14:09:57 | 000,048,640 | ---- | M] () -- C:\Documents and Settings\DOCTOR\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/14 21:47:21 | 000,624,640 | ---- | C] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.pif
[2010/12/14 21:31:55 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.com
[2010/12/14 21:30:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\DOCTOR\defogger_reenable
[2010/12/14 21:29:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\DOCTOR\Desktop\Defogger.exe
[2010/12/06 23:14:55 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\DOCTOR\Desktop\dds.scr
[2010/12/05 18:24:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/05 18:24:59 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/05 18:24:59 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/05 18:24:59 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/05 18:24:59 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/05 18:22:33 | 003,985,074 | R--- | C] () -- C:\Documents and Settings\DOCTOR\Desktop\ComboFix.exe
[2010/12/05 17:03:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/12/05 17:03:27 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/12/02 11:27:22 | 000,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google SketchUp 8.lnk
[2010/08/02 22:40:07 | 000,159,224 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2008/12/19 14:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 16:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 16:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 16:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 16:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 15:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/10/17 06:40:07 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/10/12 20:56:38 | 000,004,096 | ---- | C] () -- C:\WINDOWS\userconfig9x.dll
[2008/10/12 20:56:38 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hoproxy.dll
[2008/10/12 20:56:37 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\regm64.dll
[2008/10/12 20:56:37 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\h@tkeysh@@k.dll
[2008/10/12 20:56:37 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\anticipator.dll
[2008/10/12 20:56:36 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\awtoolb.dll
[2008/04/06 15:39:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2008/04/06 15:37:57 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/03/25 16:55:02 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/20 12:40:11 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pn.ini
[2006/10/19 21:26:49 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\DOCTOR\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/17 15:57:48 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/09/11 21:34:11 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/08/25 19:30:35 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2006/08/25 19:27:56 | 000,000,046 | ---- | C] () -- C:\WINDOWS\adiras.ini
[2006/08/05 09:35:47 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2006/08/05 09:33:33 | 000,000,021 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.311018984119889580931149468956
[2006/07/27 17:28:42 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/05/15 08:33:34 | 000,000,051 | ---- | C] () -- C:\WINDOWS\pr.ini
[2005/12/08 17:42:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/08 17:24:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/08 17:05:05 | 000,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/08 16:54:24 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/12/08 16:54:24 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/12/08 16:54:24 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/12/08 16:54:24 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/12/08 16:54:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/12/08 16:54:24 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/12/08 16:48:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/12/08 16:08:07 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2005/12/08 16:08:07 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/12/08 14:34:45 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/12/08 14:33:43 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/12/08 14:33:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/12/08 14:33:43 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/12/08 14:33:43 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/12/08 14:27:54 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/12/08 13:15:01 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/12/08 13:02:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/12/08 11:55:45 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2005/12/08 11:55:45 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/11 21:12:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/10/03 16:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2002/12/03 19:40:59 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\atsdrve.dll

========== LOP Check ==========

[2010/01/24 19:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2008/01/08 13:00:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2006/08/05 09:33:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Final Draft
[2010/12/14 23:34:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2007/12/16 10:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2008/01/19 13:57:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2008/11/13 20:52:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\qryhozcd
[2008/12/24 12:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/12/06 16:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/09/17 16:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/11 18:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/09/17 16:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\acccore
[2010/01/24 19:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Autodesk
[2009/04/15 19:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\BitTorrent
[2010/01/21 17:25:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\com.zipeg
[2008/01/02 12:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Etzo
[2006/08/05 09:34:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Final Draft
[2006/11/18 18:46:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\ICAClient
[2006/11/13 20:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\InterVideo
[2008/06/02 17:51:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\LimeWire
[2010/12/09 21:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Oklefy
[2010/11/28 22:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Paveul
[2008/01/19 13:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Propellerhead Software
[2008/04/06 15:39:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Samsung
[2007/01/07 16:49:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Snapfish
[2008/11/30 17:33:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\toshiba
[2010/08/27 20:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\TSO
[2008/01/08 07:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Uwyx
[2009/01/24 09:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Ywox
[2010/12/12 22:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DOCTOR\Application Data\Zyaw
[2006/07/10 22:12:23 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 1.job
[2006/07/10 22:12:24 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 2.job
[2006/07/10 22:12:24 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 3.job
[2010/12/02 12:00:00 | 000,000,396 | ---- | M] () -- C:\WINDOWS\Tasks\Schedule Task Weekly.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC6124CA

< End of report >
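Reading a report like the one above by hand is error-prone, so here is an added example (not OTL, ComboFix or BleepingComputer code, and not something the original posters ran) that parses the bracketed "Files/Folders" entries and the "Alternate Data Streams" lines and applies a few triage heuristics an analyst uses: a well-known system binary name created outside its canonical directory (the report lists a svchost.exe under Application Data with a Macromedia company string), a directory named like an executable, a randomly named directory under a user-writable root, and any alternate data stream. The sample lines are copied from the report; the binary list, the directory roots and the "looks random" threshold are assumptions for the example, and a hit means "look at this", not "this is malware".

```python
"""Triage pass over OTL "Files/Folders" and "Alternate Data Streams" lines.

Added example for this thread; not OTL, ComboFix or BleepingComputer code.
Heuristics (all assumptions for the example):
  * a known Windows binary name created outside %SystemRoot%\System32
  * a directory whose name ends in .exe
  * a directory under Program Files / Documents and Settings with almost no vowels
  * any alternate data stream entry
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path   (the company part is optional)
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r" (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")

# Assumption: on XP these names legitimately live only under %SystemRoot%\System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
CANONICAL_DIR = "c:\\windows\\system32"
USER_WRITABLE_ROOTS = ("c:\\program files\\", "c:\\documents and settings\\")

# Constructed sample: lines copied from the OTL report in this thread.
SAMPLE_LOG = r"""
[2010/12/14 23:25:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DOCTOR\Desktop\OTL.exe
[2010/12/13 20:18:45 | 000,187,392 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\DOCTOR\Application Data\svchost.exe
[2010/12/12 16:29:23 | 000,000,000 | ---D | C] -- C:\Program Files\swdfk5
[2010/12/11 15:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\swdfk
[2010/12/06 12:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\xoJworIlBsgbxuqkn.exe
[2010/12/06 16:35:32 | 000,000,000 | --SD | C] -- C:\ComboFix
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
""".strip().splitlines()


@dataclass
class Finding:
    path: str
    reason: str


def parse_entry(line: str) -> Optional[dict]:
    """Return the fields of one '[..] -- path' line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["is_dir"] = entry["attrs"].endswith("D")   # OTL marks directories with a trailing D
    return entry


def looks_random(name: str) -> bool:
    """Heuristic for generated names: 5+ letters, no dot or space, under 20% vowels."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 5 or "." in name or " " in name:
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in letters)
    return vowels / len(letters) < 0.2


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        ads = ADS_RE.match(raw.strip())
        if ads:
            findings.append(Finding(f"{ads['path']}:{ads['stream']}", "alternate data stream"))
            continue
        e = parse_entry(raw)
        if e is None:
            continue   # section headers, "*.tmp files" summaries, blank lines
        path = e["path"]
        parent, _, name = path.lower().rpartition("\\")
        if not e["is_dir"] and name in SYSTEM_BINARIES and parent != CANONICAL_DIR:
            company = e["company"] or "none"
            findings.append(Finding(path, f"system binary name outside {CANONICAL_DIR} (company: {company})"))
        if e["is_dir"] and name.endswith(".exe"):
            findings.append(Finding(path, "directory named like an executable"))
        if e["is_dir"] and path.lower().startswith(USER_WRITABLE_ROOTS) and looks_random(path.rpartition("\\")[2]):
            findings.append(Finding(path, "randomly named directory under a user-writable root"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:70} {f.path}")
```

On the sample the pass flags the Application Data svchost.exe, the two swdfk directories, the directory named xoJworIlBsgbxuqkn.exe and the stream on the TEMP folder, and ignores OTL.exe and C:\ComboFix; the short random AppData names such as Uwyx or Zyaw in the LOP check fall under the length threshold and still need a human eye.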

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 14 December 2010 - 06:48 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 docvern (Topic Starter)

Posted 14 December 2010 - 07:10 PM

Hello. I am trying to run Combofix but it says I have AVG antivirus active. I don't even have AVG as far as I am aware. I have disabled Spyware Doctor and I have gone into system and disabled my security, so there should be nothing else running. If there is, I cannot find it.

Thanks

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 14 December 2010 - 07:17 PM

Hello

Let's try and run their removal tool and see if it helps.

I would like you to run their AVG removal tool.

#11 docvern (Topic Starter)

Posted 14 December 2010 - 07:25 PM

Hi. I ran it and a window opened, lots of text flashed and then a file called avg_remover_stf_x86_2011_1149.exe.to_delete appeared

Tried running combofix and it says the same thing.

Cheers for this

Doc

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 14 December 2010 - 07:31 PM

Hello

I want you to run this script for me; it will help remove AVG.

It must be named CFScript_AVG2011.txt

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

REGISTRY::
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\.avgdx]
[-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95} ]
[-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
[-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
[-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
[-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
[-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
[-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
[-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABED-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEE-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEF-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7}]
[-HKEY_CLASSES_ROOT\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
[-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CLASSES_ROOT\CLSID\{F2DDE6B2-9684-4A55-86D4-E255E237B77C}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\avgsecuritytoolbar]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CURRENT_USER\Software\AppDataLow\Avg]
[-HKEY_CURRENT_USER\Software\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgtray]
[-HKEY_USERS\.DEFAULT\Software\AppDataLow\Avg]
[-HKEY_USERS\.DEFAULT\Software\Avg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"=-
"avg@igeared"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
"AVG"=-

DRIVER::
Avg
AVGIDSAgent
AVGIDSDriver
AVGIDSEH
AVGIDSFilter
AVGIDSShim
Avgldx86
Avgmfx86
Avgrkx86
Avgtdix
avgwd
AVG Security Toolbar Service
avg9emc
avg9wd

FOLDER::
%SYSTEMDRIVE%\$AVG
%COMMONAPPDATA%\AVG10
%COMMONAPPDATA%\MFAData
%COMMONPROGRAMS%\AVG 2011
%APPDATA%\AVG10
%PROGRAMFILES%\AVG
%SYSTEM%\drivers\AVG
%COMMONAPPDATA%\AVG Security Toolbar
%COMMONAPPDATA%\avg9
%COMMONPrograms%\AVG Free 9.0

File::
%COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
%COMMONDESKTOP%\AVG 2011.lnk
%SYSTEM%\drivers\AVGIDSDriver.sys
%SYSTEM%\drivers\AVGIDSEH.sys
%SYSTEM%\drivers\AVGIDSFilter.sys
%SYSTEM%\drivers\AVGIDSShim.sys
%SYSTEM%\drivers\avgldx86.sys
%SYSTEM%\drivers\avgmfx86.sys
%SYSTEM%\drivers\avgrkx86.sys
%SYSTEM%\drivers\avgtdix.sys
%COMMONDesktop%\AVG Free 9.0.lnk
%PROGRAMFILES%\Mozilla Firefox\searchplugins\avg_igeared.xml
%SYSTEM%\avgrsstx.dll

SECCENTER::
AVG Anti-Virus Free


Save it to your desktop as CFScript_AVG2011.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 docvern

docvern
  • Topic Starter

  • Members
  • 112 posts

Posted 14 December 2010 - 07:39 PM

OK, I have tried the script. It said ComboFix was going to remove AVG by brute force, did I want that. I clicked OK. Then it popped up saying it detected AVG. Then it said again it was going to remove it by brute force, but then the usual message came up saying AVG is still running and ComboFix will run at my risk. Then the ComboFix window opened and said preparing to run, but nothing else happened.

Thanks

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2010 - 07:40 PM

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#15 docvern

docvern
  • Topic Starter

  • Members
  • 112 posts

Posted 14 December 2010 - 08:01 PM

2010/12/15 00:55:48.0538 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/15 00:55:48.0538 ================================================================================
2010/12/15 00:55:48.0538 SystemInfo:
2010/12/15 00:55:48.0538
2010/12/15 00:55:48.0538 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/15 00:55:48.0538 Product type: Workstation
2010/12/15 00:55:48.0538 ComputerName: JAMES
2010/12/15 00:55:48.0538 UserName: DOCTOR
2010/12/15 00:55:48.0538 Windows directory: C:\WINDOWS
2010/12/15 00:55:48.0538 System windows directory: C:\WINDOWS
2010/12/15 00:55:48.0538 Processor architecture: Intel x86
2010/12/15 00:55:48.0538 Number of processors: 1
2010/12/15 00:55:48.0538 Page size: 0x1000
2010/12/15 00:55:48.0538 Boot type: Normal boot
2010/12/15 00:55:48.0538 ================================================================================
2010/12/15 00:55:48.0866 Initialize success
2010/12/15 00:55:58.0696 ================================================================================
2010/12/15 00:55:58.0696 Scan started
2010/12/15 00:55:58.0696 Mode: Manual;
2010/12/15 00:55:58.0696 ================================================================================
2010/12/15 00:55:59.0384 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/15 00:55:59.0415 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/15 00:55:59.0556 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/12/15 00:55:59.0618 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/12/15 00:55:59.0681 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/12/15 00:55:59.0790 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/12/15 00:56:00.0118 alcan5wn (0940030d5a5869067ccc03e3b0b8dec7) C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
2010/12/15 00:56:00.0165 alcaudsl (4c9577888c53243e2991456f510488a1) C:\WINDOWS\system32\DRIVERS\alcaudsl.sys
2010/12/15 00:56:00.0353 AR5211 (f0a8370d570428e83d78593e9dfb2e5a) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2010/12/15 00:56:00.0415 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/15 00:56:00.0649 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/15 00:56:00.0681 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/15 00:56:00.0868 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/15 00:56:01.0071 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/15 00:56:01.0118 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/15 00:56:01.0165 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/15 00:56:01.0243 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/15 00:56:01.0353 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/15 00:56:01.0400 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/15 00:56:01.0446 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/15 00:56:01.0540 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/15 00:56:01.0665 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/15 00:56:01.0868 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/15 00:56:01.0931 DLABOIOM (efae981c8ba3dad4103a76bcb5955b07) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/12/15 00:56:01.0962 DLACDBHM (8d45ac148fd8c1a25204aeca1397fa7e) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/12/15 00:56:02.0009 DLADResN (3e34a0991efdaf8cfa97441c3a51fc81) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/12/15 00:56:02.0040 DLAIFS_M (2aef49904bde7398d0f09b6a603738ef) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/12/15 00:56:02.0087 DLAOPIOM (46fa268a829384256179f4ccb6eb308f) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/12/15 00:56:02.0118 DLAPoolM (26e89839af248625a4e7c4cf5873375d) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/12/15 00:56:02.0150 DLARTL_N (94accf8f7b87fbeaa27266927319e6ba) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/12/15 00:56:02.0212 DLAUDFAM (5e914bd7f68dde3fb4bffe005162c1e6) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/12/15 00:56:02.0369 DLAUDF_M (8c3cfb22a7fb3be67e0c321fa10b8b50) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/12/15 00:56:02.0478 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/15 00:56:02.0540 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/15 00:56:02.0603 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/15 00:56:02.0712 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/15 00:56:02.0790 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/15 00:56:02.0822 DRVMCDB (ab6c5c26fff9b3c456aeaf7e0093c2fe) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/12/15 00:56:03.0009 DRVNDDM (4a307ade1638d9358b6eb90076481cc6) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/12/15 00:56:03.0087 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/15 00:56:03.0134 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/15 00:56:03.0181 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/15 00:56:03.0228 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/15 00:56:03.0291 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/15 00:56:03.0353 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/15 00:56:03.0400 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/15 00:56:03.0494 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/15 00:56:03.0541 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/15 00:56:03.0603 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/15 00:56:03.0713 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/15 00:56:03.0838 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/15 00:56:04.0119 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/15 00:56:04.0166 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/15 00:56:04.0463 IntcAzAudAddService (1a5b97b5bffde5742f4209f734c4faf0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/15 00:56:04.0713 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/15 00:56:04.0775 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/15 00:56:04.0838 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/15 00:56:04.0869 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/15 00:56:04.0931 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/15 00:56:04.0978 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/15 00:56:05.0010 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/15 00:56:05.0072 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/15 00:56:05.0119 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/15 00:56:05.0197 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/15 00:56:05.0275 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/15 00:56:05.0400 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/15 00:56:05.0463 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/15 00:56:05.0494 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/15 00:56:05.0572 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/15 00:56:05.0791 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/15 00:56:05.0900 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/15 00:56:05.0994 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/15 00:56:06.0072 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/15 00:56:06.0119 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/15 00:56:06.0307 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/15 00:56:06.0354 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/15 00:56:06.0400 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/15 00:56:06.0447 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/15 00:56:06.0494 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/15 00:56:06.0541 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/15 00:56:06.0588 Ndisuio (8d3ce6b579cde8d37acc690b67dc2106) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/15 00:56:06.0776 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/15 00:56:06.0838 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/15 00:56:06.0885 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/15 00:56:06.0932 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/15 00:56:06.0994 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2010/12/15 00:56:07.0072 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/15 00:56:07.0119 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/15 00:56:07.0213 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/15 00:56:07.0385 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/15 00:56:07.0416 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/15 00:56:07.0479 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/15 00:56:07.0541 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/15 00:56:07.0604 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/15 00:56:07.0651 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/15 00:56:07.0682 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/15 00:56:07.0729 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/15 00:56:07.0838 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/15 00:56:07.0869 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/15 00:56:07.0963 PCTCore (d302a59e6d1842a201930928a5bad68b) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/12/15 00:56:08.0276 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/15 00:56:08.0354 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/15 00:56:08.0495 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/15 00:56:08.0557 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/15 00:56:08.0760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/15 00:56:08.0807 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/15 00:56:08.0870 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/15 00:56:08.0932 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/15 00:56:09.0010 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/15 00:56:09.0057 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/15 00:56:09.0135 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/15 00:56:09.0182 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/15 00:56:09.0260 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2010/12/15 00:56:09.0307 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/15 00:56:09.0432 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/15 00:56:09.0510 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/15 00:56:09.0792 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/15 00:56:09.0948 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/15 00:56:10.0010 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/15 00:56:10.0089 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/15 00:56:10.0167 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
2010/12/15 00:56:10.0214 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/15 00:56:10.0339 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/15 00:56:10.0542 SynTP (f6770219b73bd989d5613d2e9c78a227) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/15 00:56:10.0589 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/15 00:56:10.0698 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/15 00:56:10.0823 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/15 00:56:10.0854 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/15 00:56:10.0901 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/15 00:56:11.0058 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
2010/12/15 00:56:11.0120 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
2010/12/15 00:56:11.0183 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/15 00:56:11.0401 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/15 00:56:11.0526 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/15 00:56:11.0589 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/15 00:56:11.0667 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/15 00:56:11.0714 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/15 00:56:11.0901 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/15 00:56:11.0995 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/15 00:56:12.0058 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/15 00:56:12.0151 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/15 00:56:12.0261 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/15 00:56:12.0355 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/15 00:56:12.0527 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/12/15 00:56:12.0652 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/15 00:56:12.0730 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/15 00:56:12.0855 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/15 00:56:12.0855 ================================================================================
2010/12/15 00:56:12.0855 Scan finished
2010/12/15 00:56:12.0855 ================================================================================
2010/12/15 00:56:12.0886 Detected object count: 1
2010/12/15 00:56:23.0857 \HardDisk0 - will be cured after reboot
2010/12/15 00:56:23.0857 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/15 00:56:44.0923 Deinitialize success
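The TDSSKiller log above has a regular shape: one timestamped line per enumerated driver (service name, MD5, path), followed by detection, "will be cured after reboot" and "User select action" lines for anything the tool flagged. The following Python is an added example, written for this thread and not part of TDSSKiller, ComboFix or any of the posts: it parses that format into a structured report so the driver inventory can be diffed against a baseline of hashes, and reports the detections separately. The sample log text and the baseline dictionary are constructed for the example; the baseline values are not real known-good hashes for any Windows build.

```python
"""Parse a TDSSKiller 2.4.x scan log into a structured report and compare the
enumerated driver hashes against a baseline.

Added example for this thread; it is not part of TDSSKiller or the original
posts. SAMPLE_LOG and CONSTRUCTED_BASELINE below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines in the same shape as the log in the post.
SAMPLE_LOG = r"""
2010/12/15 00:55:48.0538 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/15 00:55:58.0696 Scan started
2010/12/15 00:55:59.0384 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/15 00:56:00.0681 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/15 00:56:12.0855 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/15 00:56:12.0855 Scan finished
2010/12/15 00:56:12.0886 Detected object count: 1
2010/12/15 00:56:23.0857 \HardDisk0 - will be cured after reboot
2010/12/15 00:56:23.0857 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
# "<ts> <ServiceName> (<md5>) <path>": one line per enumerated driver
DRIVER_RE = re.compile(rf"^{TS} (?P<name>\S+) \((?P<md5>[0-9a-f]{{32}})\) (?P<path>.+?)\s*$")
# "<ts> <object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(rf"^{TS} (?P<obj>\S+) - detected (?P<verdict>\S+)")
# "<ts> <object> - will be cured after reboot"
PENDING_RE = re.compile(rf"^{TS} (?P<obj>\S+) - will be cured after reboot\s*$")
# "<ts> <verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(
    rf"^{TS} (?P<verdict>[^\s(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)\s*$"
)


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    verdict: str


@dataclass
class ScanReport:
    drivers: List[DriverEntry] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    pending_reboot: List[str] = field(default_factory=list)
    actions: Dict[str, str] = field(default_factory=dict)  # object -> action the user chose


def parse_log(text: str) -> ScanReport:
    """Sort every non-empty log line into the report; unrecognised lines are ignored."""
    report = ScanReport()
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            report.drivers.append(DriverEntry(m["name"], m["md5"], m["path"]))
        elif m := DETECT_RE.match(line):
            report.detections.append(Detection(m["obj"], m["verdict"]))
        elif m := PENDING_RE.match(line):
            report.pending_reboot.append(m["obj"])
        elif m := ACTION_RE.match(line):
            report.actions[m["obj"]] = m["action"]
    return report


# Constructed baseline for illustration only: the ACPI hash is copied from the
# sample log so it matches; the atapi value is a made-up hash so that the
# comparison has something to report. Neither is a real known-good value.
CONSTRUCTED_BASELINE = {
    "ACPI": "a10c7534f7223f4a73a948967d00e69b",
    "atapi": "00000000000000000000000000000000",
}


def check_against_baseline(report: ScanReport, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, expected_md5, observed_md5) for each enumerated driver whose
    hash differs from the baseline. Drivers missing from the baseline are skipped."""
    return [
        (d.name, baseline[d.name], d.md5)
        for d in report.drivers
        if d.name in baseline and baseline[d.name].lower() != d.md5.lower()
    ]


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers enumerated, {len(rep.detections)} detection(s)")
    for det in rep.detections:
        pending = " (pending reboot)" if det.obj in rep.pending_reboot else ""
        print(f"  {det.obj}: {det.verdict} -> action {rep.actions.get(det.obj, 'none')}{pending}")
    for name, expected, observed in check_against_baseline(rep, CONSTRUCTED_BASELINE):
        print(f"  hash mismatch: {name} expected {expected} observed {observed}")
```

The detection in the log is against \HardDisk0, the disk itself, not against any driver file, which is why the parser keeps detections apart from the driver inventory: a per-driver hash comparison alone would never surface it. The "will be cured after reboot" line is what the instructions above mean by a reboot being required before the report is final.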