Browser Redirecting, Sudden ReBoots, Loads XP 20% of time


  • This topic is locked
13 replies to this topic

#1 freedom lover

  • Members
  • 53 posts

Posted 07 December 2010 - 02:30 AM

hi there,

we have been having problems with our computer for a couple weeks...I finally got a small handle on it, thanks to SUPERAntiSpyware...but it didn't catch everything as the above problems are still occurring on a regular basis...Malwarebytes and Ad-Aware didn't help...nor did my Avira antivirus...I also used CCleaner...

here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:23:18 PM, on 12/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\Documents and Settings\Forrest\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Jlayatiqefame] rundll32.exe "C:\WINDOWS\ikowobozeyesoguf.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hlebitexetedabe] rundll32.exe "C:\WINDOWS\kbdmglp.dll",Startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 10609 bytes

thanks guys!
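Reading the HijackThis log above the way a triage analyst would, the entries that stand out are the two O4 lines that start a DLL through rundll32 from the root of C:\WINDOWS with a generic `Startup` export under a pronounceable but meaningless value name (`Jlayatiqefame` / `ikowobozeyesoguf.dll` and `Hlebitexetedabe` / `kbdmglp.dll`). The script below is an added example, not part of the original post and not HijackThis code: it parses O4 hive entries and scores them with those two heuristics. The sample lines are copied from the posted log; the placement and name-shape rules are this example's own assumptions, not anything HijackThis itself reports.

```python
"""Triage of the HijackThis O4 (autorun) entries in the log above.

Added example; it is not part of the original post or of HijackThis.  The
sample lines are copied from the posted log, the heuristics are this file's
own assumptions (path placement and name shape), not anything HijackThis says."""
import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [Value name] command line   (Run/RunOnce hive entries only;
# "O4 - Global Startup:" lines have a different shape and are ignored here)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32[.exe] "<dll>",<export>   or   RUNDLL32.EXE <dll>,<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
VOWELS = set("aeiou")

@dataclass
class Finding:
    name: str
    hive: str
    cmd: str
    reasons: list = field(default_factory=list)

def in_windows_root(path: str) -> bool:
    """True for a file sitting directly in %WINDIR% rather than in system32 or
    a vendor folder; dropper-written DLLs often land there, vendor DLLs rarely."""
    p = path.strip().lower().replace("/", "\\")
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p) is not None

def looks_generated(name: str) -> bool:
    """Share of adjacent letter pairs that alternate consonant/vowel.  Output of a
    pronounceable-name generator (ikowobozeyesoguf, Hlebitexetedabe) alternates
    almost perfectly; real product names (SUPERAntiSpyware, HotKeysCmds) do not."""
    s = name.lower()
    if len(s) < 10 or not s.isalpha():
        return False
    pairs = [(s[i] in VOWELS) != (s[i + 1] in VOWELS) for i in range(len(s) - 1)]
    return sum(pairs) / len(pairs) >= 0.85

def triage(lines) -> list:
    """Return one Finding per O4 hive entry that trips at least one heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        r = RUNDLL_RE.match(m["cmd"])
        if r and in_windows_root(r["dll"]):
            reasons.append("rundll32 loads a DLL from the %WINDIR% root: " + r["dll"])
        if r and r["export"].lower() == "startup":
            reasons.append("generic 'Startup' export, typical of a dropped loader DLL")
        if looks_generated(m["name"]):
            reasons.append("value name looks machine-generated: " + m["name"])
        if reasons:
            findings.append(Finding(m["name"], m["hive"], m["cmd"], reasons))
    return findings

# Copied from the HijackThis log in the post: two entries to flag, four benign controls.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Jlayatiqefame] rundll32.exe "C:\WINDOWS\ikowobozeyesoguf.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hlebitexetedabe] rundll32.exe "C:\WINDOWS\kbdmglp.dll",Startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"{f.hive} [{f.name}] {f.cmd}")
        for why in f.reasons:
            print("   -", why)
```

Run against the sample, it flags exactly the two rundll32 loads from the Windows root; `NvCpl.dll` is started the same way but lives in System32 under a vendor name and passes. Heuristics like these only rank entries for a human to look at: the flagged DLLs still need to be hashed and submitted before anything is deleted, which is also why the responder below asks for DDS and GMER output rather than acting on the HijackThis log alone.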

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 December 2010 - 09:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 freedom lover

  • Topic Starter

  • Members
  • 53 posts

Posted 15 December 2010 - 08:46 PM

thank you for the assistance...no worries on the time it took, I know there are a lot of people who you guys help...so thank you!


here you go:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Forrest at 22:23:43.51 on Tue 12/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.351 [GMT -8:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Forrest\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Hlebitexetedabe] rundll32.exe "c:\windows\kbdmglp.dll",Startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Jlayatiqefame] rundll32.exe "c:\windows\ikowobozeyesoguf.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\www.update
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\forrest\applic~1\mozilla\firefox\profiles\xjb7zysc.default\
FF - prefs.js: browser.startup.homepage - hxxp://freesouljah.com/click/index.php?PHPSESSID=c960bfeb625b33caaae55b6c02eec7c0|http://freesouljah.com/news/|http://extremetracking.com/open;ref1?login=free7777|https://mail.google.com/mail/?shva=1#inbox|http://whos.amung.us/stats/readers/c7wikkg2seo1/
FF - plugin: c:\documents and settings\forrest\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\forrest\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Hyperwords: {9A752782-D706-479b-98F8-3F66BF921692} - %profile%\extensions\{9A752782-D706-479b-98F8-3F66BF921692}
FF - Ext: Context Highlight: {8051A235-3BDB-4450-9C02-8CD8C6F9E2CB} - %profile%\extensions\{8051A235-3BDB-4450-9C02-8CD8C6F9E2CB}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: XULRunner: {8E203739-0E8F-416B-874C-594BE169D231} - c:\documents and settings\forrest\local settings\application data\{8E203739-0E8F-416B-874C-594BE169D231}
FF - Ext: XULRunner: {7F0A0742-7223-4DF7-8B33-3B6E345557A5} - c:\documents and settings\soula\local settings\application data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-9 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-7 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-7 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-7 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-13 56816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2003-9-5 255136]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2003-9-5 234656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-7 1244360]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-7 3184328]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2003-9-5 87200]

=============== Created Last 30 ================

2010-12-03 01:23:14 -------- d-----w- c:\docume~1\forrest\applic~1\SUPERAntiSpyware.com
2010-12-03 01:23:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-03 01:22:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-30 12:22:00 -------- d-----w- c:\docume~1\forrest\applic~1\Acapela Group
2010-11-30 12:21:48 -------- d-----w- c:\docume~1\forrest\locals~1\applic~1\Xtranormal
2010-11-30 12:13:19 -------- d-----w- c:\program files\Xtranormal
2010-11-30 12:12:17 -------- d-----w- c:\docume~1\forrest\applic~1\Xtranormal
2010-11-28 13:52:43 0 ----a-w- c:\windows\Ujoxazadahigusu.bin
2010-11-28 13:52:41 -------- d-----w- c:\docume~1\forrest\locals~1\applic~1\{8E203739-0E8F-416B-874C-594BE169D231}
2010-11-28 13:50:19 45568 ----a-w- c:\program files\mozilla firefox\YCemSCi.exe

==================== Find3M ====================

2010-09-20 22:46:04 0 ----atw- c:\windows\006483_.tmp
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BB-98DWA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8736A446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87370504]; MOV EAX, [0x87370580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x87311AB8]
3 CLASSPNP[0xF788FFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005f[0x87315510]
5 ACPI[0xF77E6620] -> nt!IofCallDriver[0x804E13B9] -> [0x8737D940]
\Driver\atapi[0x873799F8] -> IRP_MJ_CREATE -> 0x8736A446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BB-98DWA0_____________________15.05R15#4457572d414d4b45303234393939_033_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8736A292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:26:17.37 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-15 17:36:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD1600BB-98DWA0 rev.15.05R15
Running: i13k8tir.exe; Driver: C:\DOCUME~1\Forrest\LOCALS~1\Temp\uftdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xAA63AE60]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xAA63B5C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xAA639610]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xAA6480D0]
SSDT A7549636 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xAA6392C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xAA636580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xAA636960]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xAA636060]
SSDT A754962C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xAA6385A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xAA648B50]
SSDT A754963B ZwDeleteKey
SSDT A7549645 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDuplicateObject [0xAA638FE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xAA648070]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xAA6480A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xAA63A5D0]
SSDT A754964A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xAA648760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenKey [0xAA646C20]
SSDT A7549618 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xAA636300]
SSDT A754961D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xAA63B250]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xAA63AA10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xAA648010]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryValueKey [0xAA648040]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xAA63B740]
SSDT A7549654 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xAA63A180]
SSDT A754964F ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xAA638C90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xAA647FF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xAA6399D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xAA6383C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xAA648E10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xAA638720]
SSDT A7549640 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xAA63A4D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xAA638E40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xAA638AC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xAA638900]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA69A620]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xAA6381A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xAA63A7F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xAA63B400]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [C0, 92, 63, AA, 80, 65, 63, ...]
.text ntoskrnl.exe!ZwYieldExecution + 3CA 804E4C24 2 Bytes [C0, 83]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 2 Bytes [40, 8E]
.text ntoskrnl.exe!ZwYieldExecution + 471 804E4CCB 5 Bytes [AA, 00, 89, 63, AA]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[112] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[176] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\csrss.exe[476] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\ctfmon.exe[480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001
.text C:\WINDOWS\system32\ctfmon.exe[480] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[480] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[480] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[480] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[480] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[480] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\winlogon.exe[500] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\services.exe[548] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\lsass.exe[560] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[564] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text ...
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A5000C
.text C:\WINDOWS\System32\svchost.exe[936] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\System32\svchost.exe[936] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[936] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E6000A
.text C:\WINDOWS\AGRSMMSG.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00260001
.text C:\WINDOWS\AGRSMMSG.exe[972] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\AGRSMMSG.exe[972] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\AGRSMMSG.exe[972] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\AGRSMMSG.exe[972] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\AGRSMMSG.exe[972] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\AGRSMMSG.exe[972] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1068] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Tall Emu\Online Armor\OAcat.exe[1184] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1208] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1208] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1328] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1540] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\spoolsv.exe[1604] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\System32\svchost.exe[1808] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\rundll32.exe[1868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 001B0001
.text C:\WINDOWS\system32\rundll32.exe[1868] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\rundll32.exe[1868] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\rundll32.exe[1868] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\rundll32.exe[1868] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\rundll32.exe[1868] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\rundll32.exe[1868] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\wbem\unsecapp.exe[1928] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[1980] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Mixer.exe[2072] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00160001
.text C:\WINDOWS\Mixer.exe[2072] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Mixer.exe[2072] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Mixer.exe[2072] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Mixer.exe[2072] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Mixer.exe[2072] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Mixer.exe[2072] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00260001
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2176] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00270001
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\Forrest\My Documents\Downloads\i13k8tir.exe[2340] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Program Files\Vidalia Bundle\Tor\tor.exe[2376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 011F0001
.text C:\Program Files\Vidalia Bundle\Tor\tor.exe[2376] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Vidalia Bundle\Tor\tor.exe[2376] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Vidalia Bundle\Tor\tor.exe[2376] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Vidalia Bundle\Tor\tor.exe[2376] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe[2380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00360001
.text C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe[2380] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe[2380] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe[2380] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe[2380] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016E0001
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2556] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2556] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2556] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\Explorer.EXE[2588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0114000A
.text C:\WINDOWS\Explorer.EXE[2588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0115000A
.text C:\WINDOWS\Explorer.EXE[2588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C
.text C:\WINDOWS\Explorer.EXE[2588] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00270001
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2864] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D00001
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\sony\usbsircs\usbsircs.exe[2908] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\svchost.exe[2932] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3288] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04F90001
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F160F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F130F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3296] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D70001
.text C:\Program Files\Messenger\msmsgs.exe[3472] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Messenger\msmsgs.exe[3472] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F160F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F130F5A
.text C:\Program Files\Messenger\msmsgs.exe[3472] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00260001
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\System32\ezSP_Px.exe[3556] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00260001
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\program files\support.com\client\bin\tgcmd.exe[3672] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F160F5A
.text C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe[3676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01210001
.text C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe[3676] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe[3676] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe[3676] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe[3676] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3832] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3832] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3832] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CF0001
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 5F130F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3852] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00270001
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4080] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4080] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4080] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4080] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE629300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE629360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE629610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE629650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE629610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE629360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE629300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EE629300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EE629360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EE629650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EE629610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE629610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE629650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE629300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE629360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BB-98DWA0_____________________15.05R15#4457572d414d4b45303234393939_033_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Edited by freedom lover, 15 December 2010 - 08:48 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 PM

Posted 15 December 2010 - 08:57 PM

There's a rootkit which must go first.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 freedom lover

freedom lover
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 15 December 2010 - 09:26 PM

2010/12/15 18:09:37.0093 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/15 18:09:37.0093 ================================================================================
2010/12/15 18:09:37.0093 SystemInfo:
2010/12/15 18:09:37.0093
2010/12/15 18:09:37.0093 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/15 18:09:37.0093 Product type: Workstation
2010/12/15 18:09:37.0093 ComputerName: ROCKER
2010/12/15 18:09:37.0093 UserName: Forrest
2010/12/15 18:09:37.0093 Windows directory: C:\WINDOWS
2010/12/15 18:09:37.0093 System windows directory: C:\WINDOWS
2010/12/15 18:09:37.0093 Processor architecture: Intel x86
2010/12/15 18:09:37.0093 Number of processors: 2
2010/12/15 18:09:37.0093 Page size: 0x1000
2010/12/15 18:09:37.0093 Boot type: Normal boot
2010/12/15 18:09:37.0093 ================================================================================
2010/12/15 18:09:47.0171 Initialize success
2010/12/15 18:10:11.0468 ================================================================================
2010/12/15 18:10:11.0468 Scan started
2010/12/15 18:10:11.0468 Mode: Manual;
2010/12/15 18:10:11.0468 ================================================================================
2010/12/15 18:10:41.0546 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/15 18:10:41.0609 ================================================================================
2010/12/15 18:10:41.0609 Scan finished
2010/12/15 18:10:41.0609 ================================================================================
2010/12/15 18:10:41.0640 Detected object count: 1
2010/12/15 18:12:51.0156 \HardDisk0 - will be cured after reboot
2010/12/15 18:12:51.0156 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/15 18:14:50.0109 Deinitialize success

#6 freedom lover (Topic Starter)

Posted 15 December 2010 - 09:34 PM

it appears to have done the trick...two for two on booting into Windows...and no Google search redirections either...so it is looking pretty good at this point...

:clapping:

:thumbsup:

thank you!

#7 m0le (Malware Response Team, London, UK)

Posted 16 December 2010 - 09:29 PM

Please run Combofix now

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8 m0le (Malware Response Team, London, UK)

Posted 22 December 2010 - 09:46 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#9 freedom lover (Topic Starter)

Posted 22 December 2010 - 10:49 PM

my apologies...I was out of town for a week...so I couldn't respond...here you go:


ComboFix 10-12-22.01 - Forrest 12/22/2010 18:48:24.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.368 [GMT -8:00]
Running from: c:\documents and settings\Forrest\Desktop\ComFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\Forrest\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Forrest\Application Data\Adobe\plugs
c:\documents and settings\Forrest\Application Data\Adobe\plugs\KB5941984.exe
c:\documents and settings\Forrest\Application Data\Adobe\plugs\KB5967312.exe
c:\documents and settings\Forrest\Local Settings\Application Data\{8E203739-0E8F-416B-874C-594BE169D231}
c:\documents and settings\Forrest\Local Settings\Application Data\{8E203739-0E8F-416B-874C-594BE169D231}\chrome.manifest
c:\documents and settings\Forrest\Local Settings\Application Data\{8E203739-0E8F-416B-874C-594BE169D231}\chrome\content\_cfg.js
c:\documents and settings\Forrest\Local Settings\Application Data\{8E203739-0E8F-416B-874C-594BE169D231}\chrome\content\overlay.xul
c:\documents and settings\Forrest\Local Settings\Application Data\{8E203739-0E8F-416B-874C-594BE169D231}\install.rdf
c:\program files\Internet Explorer\SET2DD.tmp
c:\program files\Internet Explorer\SET2DE.tmp
c:\windows\explorer(2).exe
c:\windows\ikowobozeyesoguf.dll
c:\windows\kbdmglp.dll
c:\windows\system32\Oeminfo.ini
c:\windows\system32\SET1BE.tmp
c:\windows\system32\SET41C.tmp
c:\windows\system32\usp10(2).dll
K:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-11-23 to 2010-12-23 )))))))))))))))))))))))))))))))
.

2010-12-16 06:47 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 06:46 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-13 06:52 . 2010-12-13 06:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-09 16:03 . 2010-12-09 16:03 -------- d-----w- c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}
2010-12-07 05:20 . 2010-12-07 05:20 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-12-07 04:02 . 2010-12-07 04:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-12-03 01:23 . 2010-12-03 01:23 -------- d-----w- c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com
2010-12-03 01:23 . 2010-12-03 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-03 01:22 . 2010-12-16 02:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-02 00:39 . 2010-12-02 00:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\OnlineArmor
2010-12-02 00:38 . 2010-12-02 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-01 02:18 . 2010-12-01 02:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 12:22 . 2010-11-30 12:22 -------- d-----w- c:\documents and settings\Forrest\Application Data\Acapela Group
2010-11-30 12:21 . 2010-11-30 12:21 -------- d-----w- c:\documents and settings\Forrest\Local Settings\Application Data\Xtranormal
2010-11-30 12:13 . 2010-11-30 12:45 -------- d-----w- c:\program files\Xtranormal
2010-11-30 12:12 . 2010-11-30 12:22 -------- d-----w- c:\documents and settings\Forrest\Application Data\Xtranormal
2010-11-28 13:52 . 2010-12-23 01:42 0 ----a-w- c:\windows\Ujoxazadahigusu.bin
2010-11-28 13:50 . 2009-03-08 11:31 45568 ----a-w- c:\program files\Mozilla Firefox\YCemSCi.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2003-12-02 01:34 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2003-12-02 00:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-12-02 00:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-12-02 00:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-12-02 00:28 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-12-02 00:28 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-12-02 00:28 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-07-12 5113430]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"C-Media Mixer"="Mixer.exe" [2002-10-16 1818624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 70816]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2009-7-31 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Vidalia Bundle\\Vidalia\\vidalia.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\Program Files\\Sony\\usbsircs\\USBsircs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/9/2009 9:27 PM 64160]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/7/2009 1:48 PM 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/7/2009 1:48 PM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/7/2009 1:48 PM 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 6:49 AM 1029456]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/7/2009 1:48 PM 1244360]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/7/2009 1:48 PM 3184328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:28]

2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-06 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-02 00:12]

2009-08-11 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-02 00:12]

2009-07-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-07-31 01:38]

2010-12-22 c:\windows\Tasks\User_Feed_Synchronization-{337A1032-78F0-4BF2-A5E2-0508B6DD1878}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\www.update
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Forrest\Application Data\Mozilla\Firefox\Profiles\xjb7zysc.default\
FF - prefs.js: browser.startup.homepage - hxxp://freesouljah.com/click/index.php?PHPSESSID=c960bfeb625b33caaae55b6c02eec7c0|http://freesouljah.com/news/|http://extremetracking.com/open;ref1?login=free7777|https://mail.google.com/mail/?shva=1#inbox|http://whos.amung.us/stats/readers/c7wikkg2seo1/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Hyperwords: {9A752782-D706-479b-98F8-3F66BF921692} - %profile%\extensions\{9A752782-D706-479b-98F8-3F66BF921692}
FF - Ext: Context Highlight: {8051A235-3BDB-4450-9C02-8CD8C6F9E2CB} - %profile%\extensions\{8051A235-3BDB-4450-9C02-8CD8C6F9E2CB}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: XULRunner: {7F0A0742-7223-4DF7-8B33-3B6E345557A5} - c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Hlebitexetedabe - c:\windows\kbdmglp.dll
HKLM-Run-Jlayatiqefame - c:\windows\ikowobozeyesoguf.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,eb,8c,b7,05,d9,c0,4a,88,8d,4e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,eb,8c,b7,05,d9,c0,4a,88,8d,4e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\Mixer.exe
c:\program files\Vidalia Bundle\Tor\tor.exe
.
**************************************************************************
.
Completion time: 2010-12-22 19:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-23 03:28

Pre-Run: 10,916,929,536 bytes free
Post-Run: 14,696,542,208 bytes free

- - End Of File - - BC26CA4C56156BA33DE5D9C0C9A267F8

#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 December 2010 - 05:06 AM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\Ujoxazadahigusu.bin

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below).

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.


Please let me know, also, if the redirects have stopped.
m0le is a proud member of UNITE

#11 freedom lover
  • Topic Starter
  • Members
  • 53 posts

Posted 23 December 2010 - 09:02 PM

no redirects to speak of...after a few tests...
ComboFix 10-12-23.02 - Forrest 12/23/2010 17:38:29.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.570 [GMT -8:00]
Running from: c:\documents and settings\Forrest\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Forrest\Desktop\CFScript.txt
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"c:\windows\Ujoxazadahigusu.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}
c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}\chrome.manifest
c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}\chrome\content\_cfg.js
c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}\chrome\content\overlay.xul
c:\documents and settings\Soula\Local Settings\Application Data\{7F0A0742-7223-4DF7-8B33-3B6E345557A5}\install.rdf
c:\windows\Ujoxazadahigusu.bin

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-23 02:42 . 2010-12-23 03:30 -------- d-----w- C:\ComFix
2010-12-16 06:47 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 06:46 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-13 06:52 . 2010-12-13 06:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-07 05:20 . 2010-12-07 05:20 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-12-07 04:02 . 2010-12-07 04:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-12-03 01:23 . 2010-12-03 01:23 -------- d-----w- c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com
2010-12-03 01:23 . 2010-12-03 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-03 01:22 . 2010-12-16 02:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-02 00:39 . 2010-12-02 00:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\OnlineArmor
2010-12-02 00:38 . 2010-12-02 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-01 02:18 . 2010-12-01 02:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 12:22 . 2010-11-30 12:22 -------- d-----w- c:\documents and settings\Forrest\Application Data\Acapela Group
2010-11-30 12:21 . 2010-11-30 12:21 -------- d-----w- c:\documents and settings\Forrest\Local Settings\Application Data\Xtranormal
2010-11-30 12:13 . 2010-11-30 12:45 -------- d-----w- c:\program files\Xtranormal
2010-11-30 12:12 . 2010-11-30 12:22 -------- d-----w- c:\documents and settings\Forrest\Application Data\Xtranormal
2010-11-28 13:50 . 2009-03-08 11:31 45568 ----a-w- c:\program files\Mozilla Firefox\YCemSCi.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2003-12-02 01:34 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2003-12-02 00:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-12-02 00:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-12-02 00:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-12-02 00:28 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-12-02 00:28 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-12-02 00:28 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-07-12 5113430]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"C-Media Mixer"="Mixer.exe" [2002-10-16 1818624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 70816]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2009-7-31 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Vidalia Bundle\\Vidalia\\vidalia.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\Program Files\\Sony\\usbsircs\\USBsircs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/9/2009 9:27 PM 64160]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/7/2009 1:48 PM 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/7/2009 1:48 PM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/7/2009 1:48 PM 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 6:49 AM 1029456]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/7/2009 1:48 PM 1244360]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/7/2009 1:48 PM 3184328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:28]

2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-06 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-02 00:12]

2009-08-11 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-02 00:12]

2009-07-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-07-31 01:38]

2010-12-23 c:\windows\Tasks\User_Feed_Synchronization-{337A1032-78F0-4BF2-A5E2-0508B6DD1878}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\www.update
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Forrest\Application Data\Mozilla\Firefox\Profiles\xjb7zysc.default\
FF - prefs.js: browser.startup.homepage - hxxp://freesouljah.com/click/index.php?PHPSESSID=c960bfeb625b33caaae55b6c02eec7c0|http://freesouljah.com/news/|http://extremetracking.com/open;ref1?login=free7777|https://mail.google.com/mail/?shva=1#inbox|http://whos.amung.us/stats/readers/c7wikkg2seo1/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Hyperwords: {9A752782-D706-479b-98F8-3F66BF921692} - %profile%\extensions\{9A752782-D706-479b-98F8-3F66BF921692}
FF - Ext: Context Highlight: {8051A235-3BDB-4450-9C02-8CD8C6F9E2CB} - %profile%\extensions\{8051A235-3BDB-4450-9C02-8CD8C6F9E2CB}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-12-23 17:58:22
ComboFix-quarantined-files.txt 2010-12-24 01:58
ComboFix2.txt 2010-12-23 03:29

Pre-Run: 14,791,565,312 bytes free
Post-Run: 14,823,272,448 bytes free

- - End Of File - - A1091FC6DB382030F383E186205E730B

#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 December 2010 - 09:30 PM

Keep surfing, but run ESET's online scan next.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#13 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 December 2010 - 09:39 PM

How's that going?

#14 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 December 2010 - 08:08 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.