Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

search engine redirect virus / slow computer


  • This topic is locked This topic is locked
24 replies to this topic

#1 draziled

draziled

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 13 December 2010 - 07:11 PM

Hello, My computer has a search engine redirect virus and is running much more slowy. The symptoms seem to exactly match those of another person's computer you've helped here - http://www.bleepingcomputer.com/forums/topic340808.html- which is how I found bleeping computer. I get redirected no mater what search engine I use, and the sites Tazinga and campus courner have come up repeatedly. I greatly appreciate what you do here and would love for you to help.

I ran DDS and GMER once before, on December 3rd but did not make a post. I ran them again today so they would be the most accurate, I hope that doesn't mess anything up, the new GMER is smaller.

Here is GMER

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-13 18:03:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000032 WDC_WD800BB-00JHC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\Fishers\LOCALS~1\Temp\kxkirpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF77126C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7712770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7712810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF77128B0]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF77C9A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5E62360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1204] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0174000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1592] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0175000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1592] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0173000C
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009D000C
.text C:\WINDOWS\System32\svchost.exe[1876] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1876] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E5000A
.text C:\WINDOWS\Explorer.EXE[1884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\Explorer.EXE[1884] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[1884] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CF000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\00000065 86D89AEA
Device \Driver\nvatabus -> DriverStartIo \Device\00000066 86D89AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\NvAta0 86D89AEA

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \Device\00000064 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Cookies\system@www.dailymotion[2].txt 442 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CA8AEC1I.txt 177 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CA8AZV6T.txt 201 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CAR1R5ON.txt 124 bytes
File C:\Documents and Settings\LocalService\Cookies\system@ads.undertone[7].txt 670 bytes
File C:\Documents and Settings\LocalService\Cookies\system@pictela[1].txt 109 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CA005CI9.txt 721 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CA2EM9NW.txt 575 bytes
File C:\Documents and Settings\LocalService\Cookies\system@fwmrm[9].txt 828 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CAGSZEZJ.txt 459 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CAJOFW41.txt 673 bytes
File C:\Documents and Settings\LocalService\Cookies\system@CAVU2UUZ.txt 108 bytes

---- EOF - GMER 1.0.15 ----

Here is DDS


DDS (Ver_10-11-27.01) - NTFSx86
Run by Fishers at 15:55:24.17 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.231 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Fishers\My Documents\Downloads\gmer\gmer.exe
C:\Documents and Settings\Fishers\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [{0189DC8F-B665-66A1-DB76-0ACAFC046281}] "c:\documents and settings\fishers\application data\yrwa\xymyg.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}\components\Engine.dll
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Extension: Cooliris: piclens@cooliris.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com
FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Extension: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\noia2_option@kk.noia
FF - Extension: InvisibleHand: canitbecheaper@trafficbroker.co.uk - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\canitbecheaper@trafficbroker.co.uk
FF - Extension: SimilarWeb: FirefoxAddon@similarWeb.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\FirefoxAddon@similarWeb.com
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-5 38224]

=============== Created Last 30 ================

2010-12-03 03:39:01 -------- d-----w- c:\docume~1\fishers\applic~1\Tyly
2010-12-03 03:39:00 -------- d-----w- c:\docume~1\fishers\applic~1\Yrwa
2010-11-23 03:26:23 -------- d-----w- c:\docume~1\fishers\applic~1\W Photo Studio
2010-11-23 03:25:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Walgreens
2010-11-23 03:25:55 -------- d-----w- c:\docume~1\fishers\applic~1\Walgreens
2010-11-23 03:25:51 -------- d-----w- c:\program files\common files\HP
2010-11-23 03:25:48 -------- d-----w- c:\program files\Walgreens
2010-11-23 03:21:14 -------- d-----w- c:\docume~1\fishers\applic~1\W Photo Studio Viewer

==================== Find3M ====================

2010-12-07 06:18:04 14274 ----a-w- c:\windows\system32\mstsc.exe
2010-10-05 01:01:48 275 ----a-w- c:\docume~1\fishers\applic~1\srsf.bat

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D89EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F11AB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000067[0x86F154A0]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F64030]
[0x86E49A40] -> IRP_MJ_CREATE -> 0x86D89EC5
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000064 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:57:18.67 ===============

Thank you!

BC AdBot (Login to Remove)

 


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 22 December 2010 - 02:24 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 25 December 2010 - 01:15 PM

draziled? Do you still need help?

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 28 December 2010 - 02:12 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send a Private Message to any Moderator or the Malware Helper who replied to you here and ask them to reopen this topic within the next 5 days.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#5 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 30 December 2010 - 12:28 AM

Thread reopened due to OP's request.

Hi draziled.

Go ahead and follow the instructions from post #2 of the thread and we'll get working on your computer. :)

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#6 draziled

draziled
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 30 December 2010 - 11:54 PM

Thank you for understanding. Here is the DDS

DDS (Ver_10-12-12.02) - NTFSx86
Run by Fishers at 18:30:49.09 on Thu 12/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.409 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Fishers\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:62808
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}\components\Engine.dll
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - %profile%\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
FF - Ext: SimilarWeb: FirefoxAddon@similarWeb.com - %profile%\extensions\FirefoxAddon@similarWeb.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-03 03:39:01 -------- d-----w- c:\docume~1\fishers\applic~1\Tyly
2010-12-03 03:39:00 -------- d-----w- c:\docume~1\fishers\applic~1\Yrwa

==================== Find3M ====================

2010-12-07 06:18:04 14274 ----a-w- c:\windows\system32\mstsc.exe
2010-10-05 01:01:48 275 ----a-w- c:\docume~1\fishers\applic~1\srsf.bat

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D95EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F2EAB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000066[0x86F43710]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F2F030]
[0x86C2BA18] -> IRP_MJ_CREATE -> 0x86D95EC5
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000063 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:32:49.68 ===============

Here is the GMER

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-25 09:10:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000032 WDC_WD800BB-00JHC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\Fishers\LOCALS~1\Temp\kxkirpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA4196C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA419770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA419810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA4198B0]

---- Kernel code sections - GMER 1.0.15 ----

? vusjvkmx.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF77A9A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6001360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[96] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E5000A
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E6000A
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E4000C
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1316] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 016F000A
.text C:\WINDOWS\Explorer.EXE[1812] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[1812] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1812] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\00000064 86D96AEA
Device \Driver\nvatabus -> DriverStartIo \Device\00000065 86D96AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\NvAta0 86D96AEA

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \Device\00000063 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\super-story;comp=;pos=right1;tile=2;sz=300x250;page=173826;teams=bostonceltics,losangeleslakers;tag=roadblock;ord=2090778196965670[1].2 465 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\20101115_Hol_Innov_Package_v2_728x90[1].swf 39406 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\search[1].js 870 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\odds[1] 7904 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\BrightcoveBootloader[1].swf 1409 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\btn_talk[1].gif 564 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\deliver2[1].htm 8983 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\andard;sz=728x90;tile=1;dcopt=off;u=!category-expand%7Cpos-atf%7Ccat-2%7Ctag-adj%7Cmtype-standard%7Csz-728x90%7Ctile-1%7Cdcopt-off;ord=826089574403357000[1] 3494 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\634218065400000000[1].jpg 8173 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\footer_girl1[1].png 31394 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\scb_mid[1].gif 146 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\parentsconnect-site-logo[1].png 9134 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\AdId=1320500;BnId=1;ct=3674988765;st=855;adcid=1;itime=261277156;reqtype=5[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\kvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=1637838;sub2=1637840;sub3=1637839;sub4=1637837;misc=792164924[1] 6072 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\dotted-light-500[1].gif 84 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2U0LLHK1\1pix[1].gif 49 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\marshmallow-poppers_160[1].jpg 17261 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\jsapi[2] 20383 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\RequestSender[1].swf 8700 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\watch_movies[2].htm 22631 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\bannerInc[1].js 28110 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\AdId=1326202;BnId=1;ct=1474674523;st=629;adcid=1;itime=263372880;reqtype=5;kr4091=295194;kvq=d;kr4090=105169;kp=110683[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\21_600x350_popup_bg[1].jpg 80715 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\2394b954b6bd5dd7726e95e50c07a0c5[1].mp4 722507 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\indexCALA202A.gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\indexCAY1FDNF.gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\impCA91HOW6 1067 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\1CA7IBCG3.htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\camel_728x90_v2[1].swf 36572 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\cardboard-barn_160[1].jpg 18231 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\gamethumb2[1].gif 565 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\acudeo[10].swf 241507 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\crossdomainCAM4IBT5.xml 258 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\setter[1].cfm 256 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\setter[2].cfm 385 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\xd_receiver[5].htm 591 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\XRvcGlhX0hvbWVwYWdlXzcyOHg5MPgC8tEekAPoApgD8AGoAwHgBAE%26num%3D0%26sig%3DAGiWqty2roQVwL_WmID5FQ52_DNTg80dRQ%26client%3Dca-pub-8935024775446053%26adurl%3D[1] 31754 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\jstags[1].htm 1060 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\init[1].js 4288 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\interact[1].txt 6 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\i[1].js 5866 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-flash-game-captbraidy2[1].jpg 2457 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-flash-game-swarm2[1].jpg 30500 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-flash-game-trn47[1].jpg 14318 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-flash-game-zombie-invaders[1].jpg 25367 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-shooter-flash-game-skeet-shooting[1].jpg 3512 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\play-free-sports-flash-game-muay-thai[1].jpg 5078 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\rue%3Bkvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=367332;sub2=367330;sub3=367329;sub4=367331;misc=258499728[1] 6035 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\rue%3Bkvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=367332;sub2=367330;sub3=367329;sub4=367331;misc=804334434[1] 6035 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\rue%3Bkvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=367332;sub2=367330;sub3=367329;sub4=367331;misc=967001569[1] 6035 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\p_22166_184_220[1].jpg 4497 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\p_22659_184_220[1].jpg 5102 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\dot[4].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\EWTRACK_NEW_I[1] 3 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\EWTRACK_TIME[1] 3 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\ewtrack_v[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\ewtrack_wesupport[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\spacer[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\video_player[2].css 4870 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\video_player_bg[1].png 16253 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\353[1].gif 62 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\clickenc=;ord=1293263493[1].htm 9840 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\adsCAHIW5XI 616 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\adsCAK153R3 616 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\adsCAS1SJ5C 616 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\log[7].gif 42 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\al[2].asp 38 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\flexcrollstyles[1].css 1351 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\fl[1].js 3139 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\beacons[1].txt 72 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\beacons[2].txt 72 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\1x1Pixel[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\logCAB6YR6S 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\;subnid=1;bnid=1;adid=1326202;header=yes;misc=698244477;dn0%25=1[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\;subnid=1;bnid=1;adid=1356206;header=yes;misc=263416239;dn25%25=1[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0D64CHT\logCAWEPMY4 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FNUNDHD5\rm[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\acudeo[10].swf 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\twelve_dvd_unexpanded[1].flv 866604 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\jquery-1.4.2.min_plus_ui[1].js 92659 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\kvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=1243089;sub2=1243092;sub3=1243088;sub4=1243090;misc=132672856[1] 7168 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\kvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=1275146;sub2=1275145;sub3=1275144;sub4=1275148;misc=225916097[1] 6060 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\box-upper[1].png 1052 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\similarsites_com[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\4bd7244f6a577[1].xml 1840 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\4f63c1778306eda0715b16400580e809[1].png 10914 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\502a2bfb3f6276c8b7a6ccd70e1f308e[1].png 11005 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\714f1024b9f051c76e619aef97042a23[1].png 12635 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\75a1198bc1e2813e5954c5d696ab73af[1].png 12173 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\st[1].htm 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\56a08441d98d321ad448ce44e25b571c[1].png 9201 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\5b92c0996bb8a464357f705bbc91e415[1].png 11799 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\search[2].htm 749 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\search_bg[1].gif 2645 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ngb_tv[1].txt 6426 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\281e2abd45ce3b0f8dd6f0fa818511f2[1].png 10333 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\c7abaecd0132f505bfaaa7e632c854ea[1].png 10515 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\d3e32a81504e677465c82cc2aa0300c5[1].png 11030 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\d5cc473c908ab1c1931f3d39321f47c8[1].png 12243 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\d7b94a087c30511418f714c7bb25f92d[1].png 11091 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\d83d983b60c5707e7a5e9b7c936f7680[1].png 10782 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\NYC_FoodBank_Button[1].jpg 22240 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\a290d28fa6d554653d5f3ce71e83273f[1].png 6481 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\a2d9539898c1e01e3af1a5cc8fc1365d[1].png 12236 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\1578ef4e22dedc5cc1a5c4d89083d618[1].png 6368 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\16-BOSE_Pixel[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\tab_topsite_icon[1].png 597 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\xml[2].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265521911[1] 726 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265527473[1] 582 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265549989[1] 582 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265550942[1] 582 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265578317[1] 862 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293265689286[1] 582 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\606a21e9a2ff1527230bbfa63a5be157[1].png 12858 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\62ffd70c2840e45e04c7f4cd33a65d5c[1].png 10629 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\641d9deebea5bdfac3a6b42ca95e3f99[1].png 8926 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\Q3FY11_VideoWave_300x250_Static[1].gif 20473 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\RCN%20GLAAD%20Awards%202010[1].jpg 7114 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\rcn_logo[1].jpg 23841 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\RCN_NGB[1].jpg 99855 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\AdId=1326202;BnId=1;ct=3637700845;st=595;adcid=1;itime=265534754;reqtype=5;kr4091=295194;kvq=d;kr4090=105169;kp=110683[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\AdId=1358998;BnId=1;ct=3624902443;st=279550;adcid=1;itime=265521139;reqtype=5[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\1x1[10].gif 49 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\81923112bddd8fb1e133b7cfb2c0a0ed[1].png 11117 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\8590acdff4050f62538b5a83196458a5[1].png 10415 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\88990b87278ccc96861a2e23e6f87ca0[1].png 11302 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\bedb4834d08a512780ac5dbb0763b37f[1].png 9532 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\bg_bottom[1].gif 1400 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\b72207d821f3f3e18913c4dea026d440[1].png 12732 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\bd0395ea71ecbccc9b9b9620d28d9d91[1].png 10767 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\20101225082635[1] 358 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5CR0ENS\MTV%20VMA%20Awards[1].jpg 6291 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\1764621708@x23[1].htm 171 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\adlink%2F5132%2F1243089%2F0%2F170%2FAdId%3D1252666%3BBnId%3D2%3Bitime%3D265842703%3Blink%3D;ord=265842703[1].htm 509 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\kvvchoiceselect%3Dtrue%3B%3B%3Bkvtakeover%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=1243089;sub2=1243092;sub3=1243088;sub4=1243090;misc=434972466[1] 7171 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\visitorCA2EJT3E.jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\fm[1].js 3276 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\pl_redcarpetnetwork[3].swf 64452 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\120101225083035@x90[1].htm 511 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\get[3].media 607 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\get[4].media 323 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\get[5].media 979 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N693OART\ad[3].gif 45 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\crossdomainCAR95RG6.xml 111 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\yb-business[1].php 8457 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\p_20362_128_72[1].jpg 2851 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\37.1[1].gif 2189 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\visitorCAWMF0XF.jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\banner999[2].css 13544 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\p_23381_128_72[1].jpg 2220 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QU5BWNU1\p_23497_128_72[1].jpg 2564 bytes

---- EOF - GMER 1.0.15 ----

The GMER took several hours to complete, mostly because of the temporary internet files. Before I was able to post these a virus prevented me from accessing the internet while at the same time I received messages from a false anti-virus virus. I ran Malware bytes in safemode, which seems to have removed the false antivirus but I still cannot use the browsers. I got a new DDS an GMER after that and transfered them over to another (this) computer with a flash drive.

#7 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 31 December 2010 - 02:47 AM

Your DDS and GMER logs that you posted are 5 to 7 days old. Please run DDS and GMER and get fresh logs, you can transfer them again via flash drive like you did the logs you posted. :)

Also can you post the MalwareBytes' Log you mentioned in your last message as well (I ran Malware bytes in safemode, which seems to have removed the false antivirus...)

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#8 draziled

draziled
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 01 January 2011 - 03:03 PM

Happy new year!

Here is the new DDS


DDS (Ver_10-11-27.01) - NTFSx86
Run by Fishers at 4:01:05.35 on Sat 01/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.537 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Fishers\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:62808
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [7593718] c:\docume~1\fishers\locals~1\temp\7593718.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [tSfkTNduxrPpGPr.exe] c:\windows\temp\tSfkTNduxrPpGPr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}\components\Engine.dll
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Extension: Cooliris: piclens@cooliris.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com
FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Extension: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\noia2_option@kk.noia
FF - Extension: InvisibleHand: canitbecheaper@trafficbroker.co.uk - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\canitbecheaper@trafficbroker.co.uk
FF - Extension: SimilarWeb: FirefoxAddon@similarWeb.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\FirefoxAddon@similarWeb.com
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-24 01:47:08 655360 ----a-w- c:\windows\system32\update.exe
2010-12-03 03:39:01 -------- d-----w- c:\docume~1\fishers\applic~1\Tyly
2010-12-03 03:39:00 -------- d-----w- c:\docume~1\fishers\applic~1\Yrwa

==================== Find3M ====================

2010-12-07 06:18:04 14274 ----a-w- c:\windows\system32\mstsc.exe
2010-10-05 01:01:48 275 ----a-w- c:\docume~1\fishers\applic~1\srsf.bat

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D81EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F2EAB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000066[0x86F43710]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F2F030]
[0x86F333C8] -> IRP_MJ_CREATE -> 0x86D81EC5
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000063 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 4:02:45.65 ===============





Here is the GMER





GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-01 12:54:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000032 WDC_WD800BB-00JHC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\Fishers\LOCALS~1\Temp\kxkirpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF76926C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7692770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7692810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF76928B0]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7629A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF57CA360, 0x32DEFD, 0xE8000020]
? C:\DOCUME~1\Fishers\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[864] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AC000A
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AB000C
.text C:\WINDOWS\System32\svchost.exe[1256] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 016A000A
.text C:\WINDOWS\System32\svchost.exe[1256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0167000A
.text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\00000064 86D81AEA
Device \Driver\nvatabus -> DriverStartIo \Device\00000065 86D81AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus -> DriverStartIo \Device\NvAta0 86D81AEA

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \Device\00000063 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----





Here are my two latest Malware bytes logs, both picked up infections






Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4749

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/23/2010 2:13:17 PM
mbam-log-2010-12-23 (14-13-17).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 222897
Time elapsed: 1 hour(s), 41 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0189dc8f-b665-66a1-db76-0acafc046281} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This is the next



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4749

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/24/2010 10:02:26 PM
mbam-log-2010-12-24 (22-02-26).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 224533
Time elapsed: 29 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlihipotafap (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mlpntic.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\7583671.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

#9 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 02 January 2011 - 01:14 AM

Happy New Year to you as well. :thumbup2: :thumbsup:

Please run DDS and post the Attach.txt log in your next post/reply.

Thanks. :)

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#10 draziled

draziled
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 02 January 2011 - 02:19 PM

DDS (Ver_10-11-27.01) - NTFSx86
Run by Fishers at 12:41:35.48 on Sun 01/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.548 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Fishers\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:62808
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [7593718] c:\docume~1\fishers\locals~1\temp\7593718.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [tSfkTNduxrPpGPr.exe] c:\windows\temp\tSfkTNduxrPpGPr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}\components\Engine.dll
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Extension: Cooliris: piclens@cooliris.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com
FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Extension: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\noia2_option@kk.noia
FF - Extension: InvisibleHand: canitbecheaper@trafficbroker.co.uk - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\canitbecheaper@trafficbroker.co.uk
FF - Extension: SimilarWeb: FirefoxAddon@similarWeb.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\FirefoxAddon@similarWeb.com
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-24 01:47:08 655360 ----a-w- c:\windows\system32\update.exe

==================== Find3M ====================

2010-12-07 06:18:04 14274 ----a-w- c:\windows\system32\mstsc.exe
2010-10-05 01:01:48 275 ----a-w- c:\docume~1\fishers\applic~1\srsf.bat

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D3AEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F2EAB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000066[0x86F43710]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F2F030]
[0x86B97648] -> IRP_MJ_CREATE -> 0x86D3AEC5
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000063 -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:43:20.98 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2009 12:47:34 PM
System Uptime: 1/2/2011 12:37:56 PM (0 hours ago)
Processor: AMD Athlon™ 64 Processor 3000+ | Socket 939 | 1808/201mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 53.937 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_16EC&DEV_2F00&SUBSYS_010A16EC&REV_01\4&13699180&0&4848
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_16EC&DEV_2F00&SUBSYS_010A16EC&REV_01\4&13699180&0&4848
Service:

==== System Restore Points ===================

RP82: 10/5/2010 6:19:24 AM - Removed AVG Free 9.0
RP83: 10/5/2010 6:19:53 AM - Installed AVG Free 9.0
RP84: 10/7/2010 1:27:11 PM - System Checkpoint
RP85: 10/11/2010 9:14:33 PM - System Checkpoint
RP86: 10/15/2010 6:47:40 PM - System Checkpoint
RP87: 10/17/2010 5:53:23 PM - System Checkpoint
RP88: 10/19/2010 1:01:58 PM - System Checkpoint
RP89: 10/22/2010 11:04:45 AM - System Checkpoint
RP90: 10/29/2010 2:41:21 PM - System Checkpoint
RP91: 11/2/2010 10:16:46 AM - System Checkpoint
RP92: 11/8/2010 11:26:22 AM - System Checkpoint
RP93: 11/10/2010 6:40:28 AM - System Checkpoint
RP94: 11/11/2010 7:27:38 PM - System Checkpoint
RP95: 11/14/2010 9:55:11 AM - System Checkpoint
RP96: 11/15/2010 11:07:24 AM - System Checkpoint
RP97: 11/17/2010 9:43:56 AM - System Checkpoint
RP98: 11/22/2010 7:19:46 PM - System Checkpoint
RP99: 11/22/2010 9:25:45 PM - Installed W Photo Studio
RP100: 11/29/2010 3:22:25 PM - System Checkpoint
RP101: 12/2/2010 5:43:36 PM - System Checkpoint
RP102: 12/4/2010 10:54:47 AM - System Checkpoint
RP103: 12/5/2010 2:36:21 PM - System Checkpoint
RP104: 12/6/2010 10:28:16 PM - System Checkpoint
RP105: 12/8/2010 4:06:38 PM - System Checkpoint
RP106: 12/9/2010 7:13:08 PM - System Checkpoint
RP107: 12/15/2010 9:14:05 AM - System Checkpoint
RP108: 12/21/2010 3:11:22 PM - System Checkpoint
RP109: 12/23/2010 11:54:12 AM - System Checkpoint
RP110: 12/24/2010 10:50:53 PM - System Checkpoint
RP111: 12/26/2010 12:05:21 PM - System Checkpoint
RP112: 1/1/2011 2:40:33 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2011
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
ExamView Pro
Google Earth
Google Update Helper
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterActual Player
iTunes
Java™ 6 Update 16
League of Legends
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
NVIDIA Drivers
NvMixer
PowerDVD
QuickTime
RealPlayer
Security Task Manager 1.7g
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype web features
Skype™ 4.1
Sonic and Knuckles
TeamSpeak 2 RC2
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
W Photo Studio
WebFldrs XP
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

1/1/2011 3:47:39 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/1/2011 3:47:39 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
1/1/2011 2:21:56 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

#11 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 03 January 2011 - 03:13 PM

Step # 1: Disable Windows Defender

Windows Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save


If you have AVG or CA installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#12 draziled

draziled
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 03 January 2011 - 06:38 PM

Here is the combofix log. I reinstalled malware bytes after it was finished, but not AVG. I havn't seen any evidence of a virus as of yet. I am able to use the internet on the infected computer again, and am using it for this post.


ComboFix 11-01-03.01 - Fishers 01/03/2011 17:01:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.694 [GMT -6:00]
Running from: c:\documents and settings\Fishers\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Fishers\Application Data\srsf.bat
c:\program files\SelectRebates
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\windows\system32\Update.exe

Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2010-12-09 02:34 . 2010-12-09 02:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-14 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
etina.exe [2010-12-2 162384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"6992:TCP"= 6992:TCP:League of Legends Launcher
"6992:UDP"= 6992:UDP:League of Legends Launcher
"6916:TCP"= 6916:TCP:League of Legends Launcher
"6916:UDP"= 6916:UDP:League of Legends Launcher
"6948:TCP"= 6948:TCP:League of Legends Launcher
"6948:UDP"= 6948:UDP:League of Legends Launcher
"6977:TCP"= 6977:TCP:League of Legends Launcher
"6977:UDP"= 6977:UDP:League of Legends Launcher
"6942:TCP"= 6942:TCP:League of Legends Launcher
"6942:UDP"= 6942:UDP:League of Legends Launcher
"6985:TCP"= 6985:TCP:League of Legends Launcher
"6985:UDP"= 6985:UDP:League of Legends Launcher
"6996:TCP"= 6996:TCP:League of Legends Launcher
"6996:UDP"= 6996:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6964:TCP"= 6964:TCP:League of Legends Launcher
"6964:UDP"= 6964:UDP:League of Legends Launcher

.
Contents of the 'Scheduled Tasks' folder

2010-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:62808
FF - ProfilePath - c:\documents and settings\Fishers\Application Data\Mozilla\Firefox\Profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - %profile%\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
FF - Ext: SimilarWeb: FirefoxAddon@similarWeb.com - %profile%\extensions\FirefoxAddon@similarWeb.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D73EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F76AB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x86F394A0]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86EC9030]
[0x86B3E880] -> IRP_MJ_CREATE -> 0x86D73EC5
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000005e -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll
c:\windows\system32\adsldpc.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Real\RealPlayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2011-01-03 17:20:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-03 23:20

Pre-Run: 58,176,897,024 bytes free
Post-Run: 59,949,318,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - AB8F538EE849615D1B2F4681DFB14667

#13 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 04 January 2011 - 02:45 AM

I reinstalled malware bytes after it was finished, but not AVG.


Ok. I'll let you know when you can reinstall AVG on your computer or if you want to replace AVG with another Anti Virus, I'll give you some options, let me know if you want to replace AVG or reinstall it. Since your computer doesn't have an AV at the moment, keep your computer off the Internet as much as possible.


Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    DDS::
    
    uInternet Settings,ProxyServer = http=127.0.0.1:62808

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    Posted Image


    Note: This CFScript is for use on draziled's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step # 2: Restore Proxy Settings

In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings".



Step # 3: Download and Run TDSSKiller

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

If TDSSKiller does not reboot your computer, please reboot it.

Once it has booted back up, do the following:

---------------

Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat Please save it on your desktop.

@echo off
mbr.exe -t
start mbr.log
del %0


Double click mbrlog.bat. A window will open and close. This is normal


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. TDSSKiller Log
3. The MBRlog.bat log
4. A fresh DDS Log taken after Step 3 has been completed.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#14 draziled

draziled
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 04 January 2011 - 03:10 PM

Here is the combofix log

ComboFix 11-01-03.01 - Fishers 01/04/2011 13:26:03.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.622 [GMT -6:00]
Running from: c:\documents and settings\Fishers\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fishers\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2011-01-03 23:30 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 23:30 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-09 02:34 . 2010-12-09 02:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2011-01-03_23.13.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-04 19:35 . 2011-01-04 19:35 16384 c:\windows\temp\Perflib_Perfdata_760.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-14 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
etina.exe [2010-12-2 162384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"6992:TCP"= 6992:TCP:League of Legends Launcher
"6992:UDP"= 6992:UDP:League of Legends Launcher
"6916:TCP"= 6916:TCP:League of Legends Launcher
"6916:UDP"= 6916:UDP:League of Legends Launcher
"6948:TCP"= 6948:TCP:League of Legends Launcher
"6948:UDP"= 6948:UDP:League of Legends Launcher
"6977:TCP"= 6977:TCP:League of Legends Launcher
"6977:UDP"= 6977:UDP:League of Legends Launcher
"6942:TCP"= 6942:TCP:League of Legends Launcher
"6942:UDP"= 6942:UDP:League of Legends Launcher
"6985:TCP"= 6985:TCP:League of Legends Launcher
"6985:UDP"= 6985:UDP:League of Legends Launcher
"6996:TCP"= 6996:TCP:League of Legends Launcher
"6996:UDP"= 6996:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6964:TCP"= 6964:TCP:League of Legends Launcher
"6964:UDP"= 6964:UDP:League of Legends Launcher

.
Contents of the 'Scheduled Tasks' folder

2010-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Fishers\Application Data\Mozilla\Firefox\Profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - %profile%\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
FF - Ext: SimilarWeb: FirefoxAddon@similarWeb.com - %profile%\extensions\FirefoxAddon@similarWeb.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 13:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D50EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8544e872; SUB DWORD [EBP-0x4], 0x8544e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F76AB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x86F394A0]
5 ACPI[0xF7427620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86EC9030]
[0x86B89880] -> IRP_MJ_CREATE -> 0x86D50EC5
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000005e -> \??\IDE#DiskWDC_WD800BB-00JHC0______________________05.01C05#2020202057202D444D574D4144395A5439333933#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Real\RealPlayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2011-01-04 13:41:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-04 19:41
ComboFix2.txt 2011-01-03 23:20

Pre-Run: 59,961,454,592 bytes free
Post-Run: 59,984,322,560 bytes free

- - End Of File - - A99B794CFF4F1210DABEB1F8B02E8F80


Here is the TDSkiller log

2011/01/04 13:54:53.0781 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 13:54:53.0781 ================================================================================
2011/01/04 13:54:53.0781 SystemInfo:
2011/01/04 13:54:53.0781
2011/01/04 13:54:53.0781 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/04 13:54:53.0781 Product type: Workstation
2011/01/04 13:54:53.0781 ComputerName: FISHERS-0444D2F
2011/01/04 13:54:53.0781 UserName: Fishers
2011/01/04 13:54:53.0781 Windows directory: C:\WINDOWS
2011/01/04 13:54:53.0781 System windows directory: C:\WINDOWS
2011/01/04 13:54:53.0781 Processor architecture: Intel x86
2011/01/04 13:54:53.0781 Number of processors: 1
2011/01/04 13:54:53.0781 Page size: 0x1000
2011/01/04 13:54:53.0781 Boot type: Normal boot
2011/01/04 13:54:53.0781 ================================================================================
2011/01/04 13:54:53.0921 Initialize success
2011/01/04 13:55:22.0343 ================================================================================
2011/01/04 13:55:22.0343 Scan started
2011/01/04 13:55:22.0343 Mode: Manual;
2011/01/04 13:55:22.0343 ================================================================================
2011/01/04 13:55:23.0593 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 13:55:23.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/04 13:55:23.0765 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/04 13:55:23.0859 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/04 13:55:24.0046 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/01/04 13:55:24.0203 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/04 13:55:24.0375 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/04 13:55:24.0421 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/04 13:55:24.0546 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/04 13:55:24.0625 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/04 13:55:24.0718 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/04 13:55:24.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/04 13:55:24.0937 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/04 13:55:25.0000 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/04 13:55:25.0046 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/04 13:55:25.0328 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/04 13:55:25.0406 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/04 13:55:25.0515 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/04 13:55:25.0562 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 13:55:25.0625 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/04 13:55:25.0750 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/04 13:55:25.0812 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/04 13:55:25.0921 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/04 13:55:25.0984 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/04 13:55:26.0046 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/04 13:55:26.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/04 13:55:26.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/04 13:55:26.0250 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 13:55:26.0328 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/04 13:55:26.0390 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/04 13:55:26.0500 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/04 13:55:26.0640 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 13:55:26.0796 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/04 13:55:26.0859 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/04 13:55:26.0984 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/04 13:55:27.0062 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/04 13:55:27.0109 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/04 13:55:27.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/04 13:55:27.0250 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/04 13:55:27.0343 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/01/04 13:55:27.0406 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/04 13:55:27.0468 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/01/04 13:55:27.0562 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/04 13:55:27.0625 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/04 13:55:27.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/04 13:55:27.0765 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/04 13:55:27.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/04 13:55:27.0984 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/04 13:55:28.0078 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/04 13:55:28.0156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/04 13:55:28.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/04 13:55:28.0312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/04 13:55:28.0421 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/04 13:55:28.0484 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/04 13:55:28.0593 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/04 13:55:28.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/04 13:55:28.0718 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/04 13:55:28.0765 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/04 13:55:28.0843 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/04 13:55:28.0906 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/04 13:55:28.0984 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/04 13:55:29.0031 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/04 13:55:29.0109 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/04 13:55:29.0156 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/04 13:55:29.0218 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/04 13:55:29.0265 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/04 13:55:29.0390 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/04 13:55:29.0437 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/04 13:55:29.0531 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 13:55:29.0609 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/04 13:55:29.0859 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/04 13:55:30.0109 nvatabus (a1f88223528aadbb6374132becbbdcc1) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2011/01/04 13:55:30.0171 nvax (f3d3015e52f2732042197d4edcaac2cb) C:\WINDOWS\system32\drivers\nvax.sys
2011/01/04 13:55:30.0250 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/04 13:55:30.0296 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/04 13:55:30.0390 nvnforce (6d6fd2b7035d415621acaf1e555c8b90) C:\WINDOWS\system32\drivers\nvapu.sys
2011/01/04 13:55:30.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/04 13:55:30.0640 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/04 13:55:30.0718 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/04 13:55:30.0765 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/04 13:55:30.0843 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/04 13:55:30.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/04 13:55:30.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/04 13:55:31.0062 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/04 13:55:31.0125 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/04 13:55:31.0390 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/04 13:55:31.0484 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/04 13:55:31.0546 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/04 13:55:31.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/04 13:55:31.0781 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/04 13:55:31.0859 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/01/04 13:55:31.0906 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/04 13:55:31.0984 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/04 13:55:32.0046 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/04 13:55:32.0140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/04 13:55:32.0203 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/04 13:55:32.0281 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/04 13:55:32.0359 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/04 13:55:32.0468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/04 13:55:32.0515 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/04 13:55:32.0562 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/04 13:55:32.0640 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/04 13:55:32.0734 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/04 13:55:32.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/04 13:55:32.0890 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/04 13:55:32.0984 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/04 13:55:33.0046 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/04 13:55:33.0234 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/04 13:55:33.0328 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/04 13:55:33.0406 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/04 13:55:33.0468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/04 13:55:33.0546 TermDD (82f62f7a6e2e39a7ba49af0165a0df45) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 13:55:33.0562 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 82f62f7a6e2e39a7ba49af0165a0df45, Fake md5: 88155247177638048422893737429d9e
2011/01/04 13:55:33.0562 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/04 13:55:33.0687 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/04 13:55:33.0828 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/04 13:55:33.0937 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/04 13:55:34.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/04 13:55:34.0078 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/04 13:55:34.0140 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/04 13:55:34.0187 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/04 13:55:34.0281 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/04 13:55:34.0359 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 13:55:34.0421 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 13:55:34.0500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 13:55:34.0578 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 13:55:34.0703 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 13:55:34.0843 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 13:55:34.0906 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 13:55:35.0046 ================================================================================
2011/01/04 13:55:35.0046 Scan finished
2011/01/04 13:55:35.0046 ================================================================================
2011/01/04 13:55:35.0062 Detected object count: 1
2011/01/04 13:56:02.0406 TermDD (82f62f7a6e2e39a7ba49af0165a0df45) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 13:56:02.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 82f62f7a6e2e39a7ba49af0165a0df45, Fake md5: 88155247177638048422893737429d9e
2011/01/04 13:56:08.0140 Backup copy found, using it..
2011/01/04 13:56:08.0156 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
2011/01/04 13:56:08.0156 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
2011/01/04 13:56:29.0687 Deinitialize success


The mbrlog.bat


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00JHC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\0000005e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvatabus.sys
C:\WINDOWS\system32\drivers\nvatabus.sys NVIDIA Corporation NVIDIA nForce™ IDE Driver
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F29AB8]
3 CLASSPNP[0xF75B0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x86F1BF18]
5 ACPI[0xF7415620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005e[0x86F1B030]
kernel: MBR read successfully
user & kernel MBR OK

Here is the dds



DDS (Ver_10-11-27.01) - NTFSx86
Run by Fishers at 14:08:19.14 on Tue 01/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Fishers\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDY3NDE5NjczLUtWMys3LVhMKzEtVDQtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LVFJWDErNC1YMjAxMCsyLVZJUDEwKzEtRjEwTTEwRCsy"&"prod=90"&"ver=10.0.1187
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60637&p=
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}\components\Engine.dll
FF - component: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\fishers\application data\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Extension: Cooliris: piclens@cooliris.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\piclens@cooliris.com
FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Extension: Free Rice: {21b78c3b-03ce-4adb-8cd0-e93603f1a0c9} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{21b78c3b-03ce-4adb-8cd0-e93603f1a0c9}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\noia2_option@kk.noia
FF - Extension: InvisibleHand: canitbecheaper@trafficbroker.co.uk - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\canitbecheaper@trafficbroker.co.uk
FF - Extension: SimilarWeb: FirefoxAddon@similarWeb.com - c:\docume~1\fishers\applic~1\mozilla\firefox\profiles\lvf4ighk.default\extensions\FirefoxAddon@similarWeb.com
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2011-01-03 23:30:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 23:30:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-03 22:56:47 -------- d-sha-r- C:\cmdcons
2011-01-03 22:37:13 98816 ----a-w- c:\windows\sed.exe
2011-01-03 22:37:13 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 22:37:13 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 22:37:13 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================


============= FINISH: 14:08:42.82 ===============

Attached Files



#15 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 05 January 2011 - 12:37 AM

You can go ahead and reinstall AVG now. If you want to use another AV besides AVG, let me know and I'll give you some links to a free replacement Anti Virus.


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u23.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java™ 6 Update 16

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO



Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post your MalwareBytes' Log in your next post/reply.

MalWare Removal University Master

Member of ASAP
unite_Invision.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users