Re-Direction Virus??


This topic is locked
31 replies to this topic

#1 IdahoBiker

IdahoBiker

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Location:I_Da_Ho
  • Local time:03:33 AM

Posted 10 January 2011 - 02:06 AM

A few days ago I started getting redirected after doing a Google search and clicking on a link to a site (4 of the interim addresses: hxxp://click.bestsearchonline.com/, hxxp://chameleon.com/, hxxp://searchpro.com, hxxp://click.fastsearchonline.com), then being taken to a new site other than the one I had picked. I even wound up at some other search sites. I went to Google Help, did some research, and ended up installing Malwarebytes and running a Quick Scan (the 1st scan came up with 3 entries, which I "Removed"). I then created a HijackThis log for reference.
The problem hasn't gone away and has now expanded to other sites I go to, as well as Facebook. However, with subsequent scans Malwarebytes is coming back with nothing?? I have run my AV (Avast) and my AV backup (Spybot), and they also came up with nothing. What to do??

Below is my most recent log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:36:22 PM, on 1/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.facebook.com/bejeweledblitz/?gid=6900335f00ca4ca129fc1dff97cc0281&kt_type=stream&kt_ut=766110E9F907F34BAA29ABC83691ACB7&kt_st1=DailySpinGift&kt_st2=5K&kt_st3=0003&lpt=DailySpinGift-5K-0003&ref=nf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = RED
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [WD Spindown Utility] "C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX680 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJA.EXE /FU "C:\WINDOWS\TEMP\E_S3BA.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.battle.net
O15 - Trusted Zone: *.blizzard.com
O15 - Trusted Zone: *.clearwire.net
O15 - Trusted Zone: *.diskeeper.com
O15 - Trusted Zone: *.epson.com
O15 - Trusted Zone: http://forum.icewarp.com
O15 - Trusted Zone: *.lavasoft.com
O15 - Trusted Zone: *.limewire.com
O15 - Trusted Zone: *.logitech.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: www.pof.com
O15 - Trusted Zone: http://game3.pogo.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: http://www.samsung.com
O15 - Trusted Zone: *.samsung.com
O15 - Trusted Zone: *.spybot.com
O15 - Trusted Zone: *.viewsonic.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe
O23 - Service: Uniblue DiskRescue - Uniblue - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 9760 bytes

Edited by Orange Blossom, 12 January 2011 - 08:32 PM.
Deactivate link. ~ OB




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 14 January 2011 - 12:03 PM

Download DDS by sUBs and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your Desktop and post them in your next reply



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 IdahoBiker

IdahoBiker
  • Topic Starter

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Location:I_Da_Ho
  • Local time:03:33 AM

Posted 16 January 2011 - 03:51 AM

Did as you requested; here are the attachments for your viewing pleasure, lol...
Hope I did this right, kind of a "noob" on this stuff.


DDS (Ver_10-12-12.02) - NTFSx86
Run by RED at 17:15:41.75 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

============== Running Processes ===============

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\RED\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uStart Page = hxxp://apps.facebook.com/bejeweledblitz/?gid=6900335f00ca4ca129fc1dff97cc0281&kt_type=stream&kt_ut=766110E9F907F34BAA29ABC83691ACB7&kt_st1=DailySpinGift&kt_st2=5K&kt_st3=0003&lpt=DailySpinGift-5K-0003&ref=nf
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uWindow Title = RED
uDefault_Page_URL = hxxp://www.msn.com
mWindow Title = RED
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
mWinlogon: SFCDisable=1 (0x1)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus Photo RX680 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticja.exe /fu "c:\windows\temp\E_S3BA.tmp" /EF "HKCU"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uPolicies-explorer: MaxRecentDocs = 15 (0xf)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: adobe.com
Trusted Zone: battle.net
Trusted Zone: blizzard.com
Trusted Zone: clearwire.net
Trusted Zone: diskeeper.com
Trusted Zone: epson.com
Trusted Zone: facebook.com\apps
Trusted Zone: google.com
Trusted Zone: lavasoft.com
Trusted Zone: limewire.com
Trusted Zone: logitech.com
Trusted Zone: microsoft.com\support
Trusted Zone: myspace.com\messaging
Trusted Zone: pof.com\www
Trusted Zone: pogo.com
Trusted Zone: pogo.com\game3
Trusted Zone: samsung.com
Trusted Zone: samsung.com\www
Trusted Zone: spybot.com
Trusted Zone: viewsonic.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\us.mg1.mail
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cli scecli scecli scecli scecli scecli scecli scecli scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\red\applic~1\mozilla\firefox\profiles\na85syk8.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://192.168.15.1/login.asp?1282475837691
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
FF - plugin: c:\documents and settings\red\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Harley Davidson: {2c088200-b973-11db-8314-0800200c9a66} - %profile%\extensions\{2c088200-b973-11db-8314-0800200c9a66}
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Amazon Wish List: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R? Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter
R? Ad-Watch Real-Time Scanner;AW Real-Time Scanner
R? Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter
R? ess;ESS Audio Driver (WDM)
R? iAimFP8;iAimFP8
R? Iprip;RIP Listener
R? Lbd;Lbd
R? LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter
R? OPE;OPE
R? OXCZXC;OXCZXC
R? Ptserli;PCTEL Serial Device Driver for INTEL
R? SandraAgentSrv;SiSoftware Deployment Agent Service
R? SITomcat;SI Tomcat
R? SITransbase;SI Transbase
R? TZOGWZD;TZOGWZD
R? Uniblue DiskRescue;Uniblue DiskRescue
S? aswFsBlk;aswFsBlk
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? NPF;NetGroup Packet Filter Driver
S? RUBotSrv;Trend Micro RUBotted Service
S? WDBtnMgrSvc.exe;WD Drive Manager Service

=============== Created Last 30 ================

2011-01-10 01:05:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2011-01-09 11:45:00 -------- d-----w- c:\docume~1\red\locals~1\applic~1\Temp
2011-01-08 02:51:07 -------- d-----w- c:\program files\WinPcap
2011-01-08 02:46:25 388096 ----a-r- c:\docume~1\red\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-07 17:56:11 -------- d-----w- c:\docume~1\red\applic~1\Malwarebytes
2011-01-07 17:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 17:55:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-07 17:54:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 17:54:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-01 22:06:53 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{B3ABAF49-C1FD-4E23-A5C8-1D0530D54991}
2011-01-01 22:06:40 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{942E4254-C25C-44BA-94FC-8777923F9E7B}
2011-01-01 22:05:09 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2011-01-01 22:03:46 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2010-12-24 21:32:06 75264 --sha-r- c:\windows\system32\runas8.dll
2010-12-22 22:16:14 -------- d-----w- c:\program files\Yontoo Layers Client
2010-12-22 22:16:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2010-12-22 14:05:51 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-12-22 14:05:50 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-12-22 14:05:49 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-12-22 14:05:47 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-12-22 14:05:46 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-12-22 14:05:44 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-12-22 14:05:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-12-22 14:05:38 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr
2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-22 01:21:47 398744 ----a-r- c:\windows\system32\cpnprt2.cid

============= FINISH: 17:21:10.84 ===============

Edited by IdahoBiker, 16 January 2011 - 03:59 AM.
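Reading the HijackThis and DDS logs above by eye is slow, and the entries worth a second look are scattered across sections. The script below is an added example written for this thread; it is not a tool from the posts or from the BleepingComputer helpers. It applies a handful of review heuristics to HijackThis/DDS style lines: registered BHO/toolbar entries whose DLL is gone, Internet Explorer Trusted Zone additions, SFCDisable in the Winlogon key, hosts-file entries, the Firefox keyword.URL search handler, all-caps driver names whose display name is identical, and newly created files marked both system and hidden under system32. The sample lines are copied from the logs in this thread (a couple of benign ones included); the category names and thresholds are my own assumptions, and a hit only marks a line for a reviewer to inspect, not confirmed malware.

```python
"""Heuristic triage of HijackThis / DDS style log lines (added example)."""
import re
from collections import Counter

# Constructed sample: lines lifted from the logs posted in this thread,
# plus benign lines so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: *.limewire.com
mWinlogon: SFCDisable=1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
R? OXCZXC;OXCZXC
R? TZOGWZD;TZOGWZD
R? Iprip;RIP Listener
2010-12-24 21:32:06 75264 --sha-r- c:\windows\system32\runas8.dll
2010-12-22 14:05:51 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
"""

# DDS "Created Last 30" line: date time size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+([dcsharw-]{8})\s+(.+)$")
# DDS services/drivers line: "R? name;display name"
SERVICE_RE = re.compile(r"^[RS]\? ([^;]+);(.+)$")


def classify(line):
    """Return the review categories (my own labels) that apply to one log line."""
    hits = []
    lower = line.lower()
    # IE BHO/toolbar still registered but its DLL is gone: harmless orphan, cleanup candidate.
    if line.startswith(("O2 ", "O3 ", "BHO:", "TB:")) and "no file" in lower:
        hits.append("orphaned-bho-or-toolbar")
    # Every Trusted Zone entry relaxes IE's security settings for that host.
    if "trusted zone:" in lower:
        hits.append("ie-trusted-zone")
    # SFCDisable=1 turns off Windows File Protection on XP; rarely legitimate.
    if "sfcdisable=1" in lower:
        hits.append("wfp-disabled")
    # Hosts entries pointing a real hostname at an address (here a security site at loopback).
    parts = line.split()
    if line.startswith("Hosts:") and len(parts) >= 3 and parts[2] != "localhost":
        hits.append("hosts-file-entry")
    # Firefox keyword.URL decides where address-bar searches go: a classic hijack target.
    if lower.startswith("ff - prefs.js: keyword.url"):
        hits.append("ff-keyword-url")
    m = SERVICE_RE.match(line)
    if m:
        name, display = m.group(1).strip(), m.group(2).strip()
        # Random-looking all-caps service name reused as display name: verify the .sys on disk.
        if name == display and re.fullmatch(r"[A-Z]{6,}", name):
            hits.append("random-looking-driver-name")
    m = CREATED_RE.match(line)
    if m:
        attrs, path = m.group(1), m.group(2).lower()
        # Newly created file (not a directory) flagged system+hidden inside system32.
        if "d" not in attrs and "s" in attrs and "h" in attrs and "\\system32\\" in path:
            hits.append("hidden-system-file-in-system32")
    return hits


def triage(log_text):
    """Return (category, line) pairs for every non-empty line that matched a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for category in classify(line):
                findings.append((category, line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:32} {line}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the output is a worklist, and each line still needs the usual check (is the file present, who signed it, does the domain belong in the Trusted Zone) before anything is removed.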


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 16 January 2011 - 10:10 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix.

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#5 IdahoBiker

IdahoBiker
  • Topic Starter

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Location:I_Da_Ho
  • Local time:03:33 AM

Posted 17 January 2011 - 06:27 PM

QUESTIONS: Before we started all this, my C: drive showed Documents & Settings, Program Files, WINDOWS. Now, after all this, it shows additional folders. After we get done, what can I delete, and what should I save (move it where?)? I have included an attachment showing what is NOW in my C: drive... ALSO: While running Combo-Fix I got a Microsoft error about a program that had to close, PEV.exe, which I have no idea what it even is?? Combo-Fix deleted WDBtnMgr, which is the opening/closing program for my external HDD; shall I just re-install??
One more thing: I have that new "Boot.bak" file on my C: drive which my Windows doesn't recognize. Is it important??
Here are the logs as you requested:

2011/01/17 06:53:53.0109 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/17 06:53:53.0109 ================================================================================
2011/01/17 06:53:53.0109 SystemInfo:
2011/01/17 06:53:53.0109
2011/01/17 06:53:53.0109 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/17 06:53:53.0109 Product type: Workstation
2011/01/17 06:53:53.0109 ComputerName: RED-5BE8159A847
2011/01/17 06:53:53.0156 UserName: RED
2011/01/17 06:53:53.0156 Windows directory: C:\WINDOWS
2011/01/17 06:53:53.0156 System windows directory: C:\WINDOWS
2011/01/17 06:53:53.0156 Processor architecture: Intel x86
2011/01/17 06:53:53.0156 Number of processors: 1
2011/01/17 06:53:53.0156 Page size: 0x1000
2011/01/17 06:53:53.0156 Boot type: Normal boot
2011/01/17 06:53:53.0156 ================================================================================
2011/01/17 06:54:03.0296 Initialize success
2011/01/17 06:54:16.0671 ================================================================================
2011/01/17 06:54:16.0671 Scan started
2011/01/17 06:54:16.0671 Mode: Manual;
2011/01/17 06:54:16.0671 ================================================================================
2011/01/17 06:54:17.0156 Aavmker4 (9617c34ec80274044dcd72f4c0d777e6) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/01/17 06:54:17.0796 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/01/17 06:54:18.0531 ACPI (7517e9b5fe4811cbd7712af820028cc4) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/17 06:54:19.0078 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/17 06:54:20.0312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/17 06:54:20.0671 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/01/17 06:54:21.0484 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/17 06:54:23.0640 aswFsBlk (540e2a0daa90b5bd29c1c088a7dd5ea6) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/01/17 06:54:24.0062 aswMon2 (761e9074ffa6d1f7562fd04e7be7e5d6) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/01/17 06:54:24.0562 aswRdr (1ddf53aa0fff9914e85c9f6a959dea25) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/01/17 06:54:25.0046 aswSP (c267569543a37cbfc9938856a5d038eb) C:\WINDOWS\system32\drivers\aswSP.sys
2011/01/17 06:54:25.0656 aswTdi (81f5627c7c2a79833e4f768f2ed2bd8d) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/01/17 06:54:25.0953 AsyncMac (34c951228c152a248357409cb680ce13) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/17 06:54:26.0281 atapi (65ea06f8711fb3a64ec7d323e350f456) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/17 06:54:27.0015 Atmarpc (ce372a820e4f4e808b574050ec35c049) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/17 06:54:27.0515 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/17 06:54:28.0093 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/17 06:54:28.0406 btaudio (0f249be872f618aaba8d641e81aa3d21) C:\WINDOWS\system32\drivers\btaudio.sys
2011/01/17 06:54:28.0625 BTDriver (07f0a66cfa550b13ad0674ae09e3cba0) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/01/17 06:54:28.0781 BthEnum (64e222074ae479bc49543b1e9f40ef27) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/01/17 06:54:29.0531 BTKRNL (ade37ab15c958f5db2f85431cca8763a) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/01/17 06:54:30.0109 btwhid (6beb0adaa3d2b80e6515eec5d03b7540) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2011/01/17 06:54:30.0796 BTWUSB (a01fd9851406de0870c23759e2f7b6ea) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/01/17 06:54:31.0078 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/17 06:54:31.0500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/17 06:54:31.0765 Cdfs (3a8d04c6533a344973ba5cce5be2609b) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/17 06:54:31.0890 Cdrom (0cc13b7fe6d2f64efc82cebfe9d2b8f0) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/17 06:54:33.0312 DFUBTUSB (31273c758c6df7fc27b00be78c7220e9) C:\WINDOWS\system32\Drivers\frmupgr.sys
2011/01/17 06:54:33.0812 Disk (db7ba51015765db476457bedd53d3cfe) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/17 06:54:34.0500 dmboot (ba1f9637c50d105fb8ebe334d57bc16e) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/17 06:54:34.0812 dmio (a29d408f65291721091bc21a48ceed00) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/17 06:54:35.0093 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/17 06:54:35.0500 DMusic (0fdc464e960b5c9665d89fe00bc972a3) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/17 06:54:36.0156 drmkaud (6d5ca8474cf00a2765b6d6b35a57e89c) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/17 06:54:36.0375 EL90XBC (b61eaf446adf55cc0d0d5c5bbd3d1cae) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/01/17 06:54:36.0671 ess (ab570fb40832bee65f4d90a7f02792bf) C:\WINDOWS\system32\drivers\ess.sys
2011/01/17 06:54:36.0953 Fastfat (bb9c87cc84a747f68c4d0e24d5841e61) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/17 06:54:37.0234 Fdc (bafd3cc668a29f5070da63469c273127) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/17 06:54:37.0875 Fips (cd7388a0e1f2585d0300c9533f4de221) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/17 06:54:38.0109 Flpydisk (50cd9634d0d4e6c9c6e2e8ea27f8e2f6) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/17 06:54:38.0468 FltMgr (d1338fb4160e250ae8a9202f8ac3860f) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/17 06:54:38.0750 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/17 06:54:39.0031 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/17 06:54:39.0328 gameenum (ddfb584551398e0d074d68d94c236e55) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/01/17 06:54:39.0750 Gpc (8c7faa02a68d9eef68287a2842bb4f71) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/17 06:54:40.0343 HidUsb (81d2ffea0965a205f257160f1328f18e) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/17 06:54:41.0375 HTTP (34b3296ad3c624daaaf1884681633c82) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/17 06:54:42.0296 i8042prt (f641d64e8fd069d91e60511bb5cf4a2d) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/17 06:54:42.0921 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/01/17 06:54:43.0296 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/01/17 06:54:43.0593 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/01/17 06:54:43.0953 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/01/17 06:54:44.0281 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/01/17 06:54:44.0562 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/01/17 06:54:44.0906 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/01/17 06:54:45.0156 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/01/17 06:54:45.0609 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/01/17 06:54:45.0890 iAimFP8 (36e6c405b6143d09687f4056fd9a0d10) C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
2011/01/17 06:54:46.0125 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/01/17 06:54:46.0312 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/01/17 06:54:46.0671 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/01/17 06:54:47.0015 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/01/17 06:54:47.0328 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/01/17 06:54:47.0593 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/01/17 06:54:47.0921 IdeBusDr (791f0829de88dd0ca77192f0dfad03b6) C:\WINDOWS\system32\DRIVERS\IdeBusDr.sys
2011/01/17 06:54:48.0281 IdeChnDr (7d2b8be9e89628663c1fb571f7c34062) C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys
2011/01/17 06:54:48.0593 Imapi (df47d4e6ed89cd0ad7248a7604af706e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/17 06:54:49.0015 IntelIde (d5dbb6592e6bd9cf2e997c609ed14474) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/17 06:54:49.0234 Ip6Fw (0f2a14149b767cd62559a4e060d63e0a) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/17 06:54:49.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/17 06:54:49.0703 IpInIp (f6e4f5f17ead48851b2ca24faf595693) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/17 06:54:50.0062 IpNat (04191cc82eda72c44f9c154bc094ea0d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/17 06:54:50.0546 IPSec (84f6866f355c4c2185eb68206d55c591) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/17 06:54:50.0781 IRENUM (ca98b430387b7d73d9b52eb4e0ab9d92) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/17 06:54:51.0265 isapnp (5a59964bfb9dca86af0c4ae8cc1d6a32) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/17 06:54:51.0656 Kbdclass (4780a418e0fa859b09311c87980d0f7e) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/17 06:54:51.0812 kbdhid (e8b24306a700220740daf09f042280a2) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/17 06:54:52.0203 kmixer (e30be31b27e6fd0c3ab65e87f794e5df) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/17 06:54:52.0500 KSecDD (1e8c0c5ac7c40529961bd60451666932) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/17 06:54:52.0796 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2011/01/17 06:54:53.0312 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\Drivers\L8042mou.sys
2011/01/17 06:54:54.0109 LEqdUsb (70035567754bed4e6ad353ca3f175127) C:\WINDOWS\system32\Drivers\LEqdUsb.Sys
2011/01/17 06:54:54.0531 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/01/17 06:54:54.0859 LHidKe (b66a77ed976f41ea6154fa0c1fb67f67) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/01/17 06:54:55.0375 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/01/17 06:54:55.0937 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\Drivers\LMouKE.sys
2011/01/17 06:54:56.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/17 06:54:56.0671 Modem (8c0f9f5a284b1db052c31ed629c2a5c3) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/17 06:54:57.0062 Mouclass (06515a5d8482b44e55bab35981888a0e) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/17 06:54:57.0359 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/17 06:54:57.0953 MountMgr (8b64fa7814ed005e57d43155de88398a) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/17 06:54:58.0468 MRxDAV (53cb9e3b300f4ea15d5b2679b102d09f) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/17 06:54:59.0500 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/17 06:54:59.0937 Msfs (79e4458da04664b431e6728a18199300) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/17 06:55:00.0390 MSKSSRV (241e77138dee16d546080a794b80284b) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/17 06:55:00.0609 MSPCLOCK (f46de5b07ea15e0727f12eb12e710f71) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/17 06:55:00.0828 MSPQM (c53927217ac0834dc547b396ffc495d9) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/17 06:55:01.0062 mssmbios (146e70915c378f02476a10bcec3a95c2) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/17 06:55:01.0187 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/01/17 06:55:01.0390 Mup (254717fc83220bdc790f6c2e57c620bf) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/17 06:55:01.0750 NDIS (aff1aed224d17c8bc38174ed932f68b6) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/17 06:55:01.0968 NdisTapi (eaeecd0001f1d43bb3e81b77e8b8483e) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/17 06:55:02.0187 Ndisuio (077c330d7e12669d57ed16e4dfabf700) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/17 06:55:02.0468 NdisWan (36a503c26f7c81fe7ce71b0b467605dd) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/17 06:55:02.0687 NDProxy (21769bbeb1b70ddad968002390100b3a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/17 06:55:02.0953 NetBIOS (4977fd4bad4b94188e7b101df0e017ef) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/17 06:55:03.0515 NetBT (3294dc900631ee18c86f49e7c26e416b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/17 06:55:04.0250 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
2011/01/17 06:55:04.0562 Npfs (bff3844722d795df4c5066aaae957ec8) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/17 06:55:04.0890 Ntfs (d7f8a3f743c54c13d78954176ad483a2) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/17 06:55:05.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/17 06:55:05.0453 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/17 06:55:05.0609 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/17 06:55:05.0968 P3 (140f218817681d8cd61e6e3c57142866) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/01/17 06:55:06.0406 Parport (9f84cffa068c474084a99bc68bf3ea63) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/17 06:55:06.0656 PartMgr (64fc948a8387d3a5fba3cdeb539b1514) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/17 06:55:06.0890 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/17 06:55:07.0125 PCI (ef6876118575c85ca4ad39ac6490656c) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/17 06:55:07.0453 Pcmcia (c1bc00b2c7a782cf5207f1a13745ab65) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/17 06:55:08.0171 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/17 06:55:08.0531 PptpMiniport (7065eaef0b12cc5339425d575e5a71d3) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/17 06:55:08.0828 PSched (7c8c04b524b0823a29ee6b0818ecbbb3) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/17 06:55:09.0062 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/17 06:55:09.0312 Ptserli (4ea68256ba3ddfe5238e35af71c529aa) C:\WINDOWS\system32\DRIVERS\ptserli.sys
2011/01/17 06:55:09.0687 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\drivers\PxHelp20.sys
2011/01/17 06:55:10.0656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/17 06:55:10.0828 Rasl2tp (1d0743f4b97fd729511ad5022e0bcbc1) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/17 06:55:11.0015 RasPppoe (04a17ced474f4444d6eff7a1ba169a2e) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/17 06:55:11.0265 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/17 06:55:11.0515 Rdbss (d2fd6bd47a5ad252745c96b61b55d7be) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/17 06:55:11.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/17 06:55:12.0140 RDPWD (e92dd0b4ab8d73f72fef85282f8dd2e2) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/17 06:55:12.0656 redbook (bf1bfdad19fd920cc0856886ce91b208) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/17 06:55:12.0984 RFCOMM (f42166695e540b573285048c0ad80a13) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/01/17 06:55:13.0234 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/01/17 06:55:13.0890 SANDRA (361094945053c2c04312ef2e5f14eeaf) C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\WNt500x86\Sandra.sys
2011/01/17 06:55:14.0515 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/17 06:55:14.0828 serenum (19f5a2b382c281ea02525566e8fe6980) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/17 06:55:15.0015 Serial (3dae0c3747f4065d18617ca36f63f104) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/17 06:55:15.0265 Sfloppy (0e0d508c42ed31e0ce4877bcbd1dac7e) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/17 06:55:16.0078 splitter (d15d4f064889adae4ef9a44797361a95) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/17 06:55:16.0500 sr (b0a078e4f5c4b11ddca9fe48e860687f) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/17 06:55:16.0859 SRS_SSCFilter (53ff9a8b3748399f143d7572b7888dd7) C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys
2011/01/17 06:55:17.0765 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/17 06:55:18.0312 swenum (52ca69522d2780008679f486ff2d16a9) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/17 06:55:18.0500 swmidi (d9f7f799db20ce348d2c7f374aae5133) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/17 06:55:19.0375 sysaudio (ac17b7e3da6fc911466962bbe1596239) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/17 06:55:19.0875 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/17 06:55:20.0468 Tcpip6 (fb9f32acc1d3ad523f7ec900b66fc1bb) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2011/01/17 06:55:20.0921 TDPIPE (acbb991ba7710ca13e3f7c581365eec0) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/17 06:55:21.0171 TDTCP (b4b829f1accaa80686a9f9264f2050d0) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/17 06:55:21.0406 TermDD (9357984830dc4f40c3c82489b56ec95b) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/17 06:55:21.0937 truecrypt (aceb4f4f83b895e15c8c1a2f55009783) C:\WINDOWS\system32\Drivers\truecrypt.sys
2011/01/17 06:55:22.0265 tunmp (7dfeb4edcd8635eb74f5a08bd67c00bb) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2011/01/17 06:55:22.0593 Udfs (007c5857eca3624845005d800986e400) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/17 06:55:23.0078 Update (4b633414b8231060c8ceac4575fcb00e) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/17 06:55:23.0546 usbccgp (7d9ac2328255cb506a9b74fdf2977ce1) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/17 06:55:23.0812 usbehci (8e9d9764dd8030160fc42e183001113d) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/17 06:55:24.0078 usbhub (32889e8b3bb890d5dbcdf866598a2b45) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/17 06:55:24.0265 usbprint (0c92e95006b083ba25c0e805e6e7b1d6) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/17 06:55:24.0437 usbscan (bd381322d0db6d18f42c0df992e8a7cb) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/17 06:55:24.0718 USBSTOR (4c11e52f58b8f691099f9c1b0432a6a6) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/17 06:55:24.0984 usbuhci (b4fbc865ce1311f671c18388df73eb80) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/17 06:55:25.0203 VgaSave (27573609ed1a48065a7174fa6b7f36e5) C:\WINDOWS\System32\drivers\vga.sys
2011/01/17 06:55:25.0812 VIAudio (fece79a9aef62ad5f11a3f4a14f1dead) C:\WINDOWS\system32\drivers\vinyl97.sys
2011/01/17 06:55:26.0500 Vmodem (b289d19df6103352d3c4b13c0ed79331) C:\WINDOWS\system32\DRIVERS\vmodem.sys
2011/01/17 06:55:27.0156 VolSnap (999a7ab63b8f364f4df130d48ba7e972) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/17 06:55:28.0078 Vpctcom (4a4448332075c5a909df123c21616b2a) C:\WINDOWS\system32\DRIVERS\vpctcom.sys
2011/01/17 06:55:28.0843 vsbus (3995d1e95f3c621467da4bce868cdc90) C:\WINDOWS\system32\DRIVERS\vsb.sys
2011/01/17 06:55:29.0171 vserial (3feb02f2eebaa3f099e279c258ef786e) C:\WINDOWS\system32\DRIVERS\vserial.sys
2011/01/17 06:55:29.0390 Vvoice (120e61aac05f00c867a32de493dab9b4) C:\WINDOWS\system32\DRIVERS\vvoice.sys
2011/01/17 06:55:29.0640 Wanarp (4d91cdfecb032a34c550080b62720e15) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/17 06:55:30.0812 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/17 06:55:31.0250 wdmaud (971260ff2bdf0371c11e811fa9c64bd8) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/17 06:55:32.0109 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/17 06:55:32.0718 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/17 06:55:33.0421 ================================================================================
2011/01/17 06:55:33.0421 Scan finished
2011/01/17 06:55:33.0421 ================================================================================
2011/01/17 06:57:30.0468 Deinitialize success

Here's the Combo-Fix log:
ComboFix 11-01-16.04 - RED 01/17/2011 14:20:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.185 [GMT -7:00]
Running from: c:\documents and settings\RED\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Windows Live OneCare *Disabled/Updated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *Disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\RED\Application Data\Desktopicon
c:\documents and settings\RED\Application Data\Desktopicon\config.ini
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Downloaded Program Files\ODCTOOLS

.
((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-10 01:05 . 2011-01-10 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-01-09 11:45 . 2011-01-09 11:45 -------- d-----w- c:\documents and settings\RED\Local Settings\Application Data\Temp
2011-01-09 06:26 . 2011-01-09 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-01-08 02:51 . 2011-01-08 02:51 -------- d-----w- c:\program files\WinPcap
2011-01-08 02:46 . 2011-01-08 02:46 388096 ----a-r- c:\documents and settings\RED\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 17:56 . 2011-01-07 17:56 -------- d-----w- c:\documents and settings\RED\Application Data\Malwarebytes
2011-01-07 17:55 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 17:55 . 2011-01-07 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-07 17:54 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 17:54 . 2011-01-07 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-01 22:06 . 2011-01-01 22:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B3ABAF49-C1FD-4E23-A5C8-1D0530D54991}
2011-01-01 22:06 . 2011-01-01 22:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{942E4254-C25C-44BA-94FC-8777923F9E7B}
2011-01-01 22:05 . 2011-01-01 22:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2011-01-01 22:03 . 2011-01-01 22:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2010-12-24 21:32 . 2010-12-24 21:32 75264 --sha-r- c:\windows\system32\runas8.dll
2010-12-22 22:16 . 2010-12-22 22:16 -------- d-----w- c:\program files\Yontoo Layers Client
2010-12-22 22:16 . 2010-12-22 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2010-12-22 14:05 . 2010-06-02 11:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-12-22 14:05 . 2010-06-02 11:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-12-22 14:05 . 2010-06-02 11:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-12-22 14:05 . 2010-05-26 18:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 20:06 . 2010-11-08 05:28 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 20:06 . 2009-12-29 13:58 188216 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-31 20:00 . 2009-12-29 13:58 293968 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-31 19:59 . 2009-12-29 13:58 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-31 19:59 . 2009-12-29 13:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-31 19:59 . 2009-12-29 13:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-31 19:56 . 2009-12-29 13:58 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-31 19:56 . 2009-12-29 13:58 29264 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-31 19:56 . 2009-12-29 13:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-30 00:38 . 2010-11-30 00:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-22 01:21 . 2009-05-27 23:37 398744 ----a-r- c:\windows\system32\cpnprt2.cid
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-01 21:05 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-12-31 3395600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 15 (0xf)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 22:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^RED^Start Menu^Programs^Startup^CNET TechTracker.lnk]
backup=c:\windows\pss\CNET TechTracker.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 19:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-07-17 13:45 90112 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-07-17 13:59 143360 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-19 23:27 5248312 -c--a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Spindown Utility]
2004-08-09 21:15 278528 ----a-w- c:\program files\Western Digital Technologies\Spindown\ExSpinDn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\TrueCrypt\\TrueCrypt.exe"=
"c:\\Program Files\\Oberon Media\\Big Kahuna Reef 2\\Launch.exe"=
"c:\\Program Files\\Oberon Media\\Bejeweled 2 Deluxe\\Launch.exe"=
"c:\\Program Files\\Intel\\Intel Application Accelerator\\IntelATA.exe"=
"c:\\Program Files\\Uniblue\\PowerSuite\\PowerSuite.exe"=
"c:\\Program Files\\VIA\\VIAudioi\\SBADeck\\ADeck.exe"=
"c:\\Program Files\\Quicken\\QuickenOLBackupLauncher.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Samsung Magic Speed\\Magic Speed\\MagicSL.exe"=
"c:\\Program Files\\Oberon Media\\Lottso! Deluxe\\Launch.exe"=
"c:\\Program Files\\Samsung CDRW\\sfdnwin.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\Photoshop Album Starter Edition.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\WINDOWS\\system32\\ac3config.exe"=
"c:\\WINDOWS\\twain_32\\escndv\\escndv.exe"=
"c:\\WINDOWS\\twain_32\\escndv\\escfg.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDShred.exe"=
"c:\\Program Files\\SAMSUNG\\FW LiveUpdate\\FWManager.exe"=
"c:\\Program Files\\My Book\\WD Backup\\uWDBackup.exe"=
"c:\\Program Files\\Lavasoft\\Lavasoft Privacy Toolbox\\LSPrivacyToolbox.exe"=
"c:\\Program Files\\Uniblue\\PixelPerfect\\PixelPerfect.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\RpcAgentSrv.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EPSON Print CD\\EPSONCD.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\sandra.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\rmiregistry.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\rmid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\tnameserv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA20.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Alwil Software\\Avast5\\AvastUI.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"6112:TCP"= 6112:TCP:Battle.net

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/29/2009 6:58 AM 293968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/29/2009 6:58 AM 17744]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [1/7/2011 7:47 PM 439632]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [3/30/2008 1:27 PM 63360]
S3 iAimFP8;iAimFP8;c:\windows\system32\drivers\wADV11nt.sys [2/7/2007 11:34 AM 11935]
S3 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 5:56 AM 14336]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 9:55 AM 40720]
S3 OPE;OPE; [x]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [2/7/2007 11:34 AM 128286]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe [6/22/2009 9:10 PM 98488]
S3 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 8:22 AM 229648]
S4 OXCZXC;OXCZXC;c:\docume~1\RED\LOCALS~1\Temp\OXCZXC.exe --> c:\docume~1\RED\LOCALS~1\Temp\OXCZXC.exe [?]
S4 SITomcat;SI Tomcat;"c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe" --> c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe [?]
S4 SITransbase;SI Transbase;c:\esi\Transbase\tbmux32.exe --> c:\esi\Transbase\tbmux32.exe [?]
S4 TZOGWZD;TZOGWZD; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 02:55 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-12-23 22:31]

2011-01-15 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-12-23 22:31]

2008-09-14 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://apps.facebook.com/bejeweledblitz/?gid=6900335f00ca4ca129fc1dff97cc0281&kt_type=stream&kt_ut=766110E9F907F34BAA29ABC83691ACB7&kt_st1=DailySpinGift&kt_st2=5K&kt_st3=0003&lpt=DailySpinGift-5K-0003&ref=nf
mWindow Title = RED
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: adobe.com
Trusted Zone: battle.net
Trusted Zone: blizzard.com
Trusted Zone: clearwire.net
Trusted Zone: diskeeper.com
Trusted Zone: epson.com
Trusted Zone: facebook.com\apps
Trusted Zone: google.com
Trusted Zone: lavasoft.com
Trusted Zone: limewire.com
Trusted Zone: logitech.com
Trusted Zone: microsoft.com\support
Trusted Zone: myspace.com\messaging
Trusted Zone: pof.com\www
Trusted Zone: pogo.com
Trusted Zone: pogo.com\game3
Trusted Zone: samsung.com
Trusted Zone: samsung.com\www
Trusted Zone: spybot.com
Trusted Zone: viewsonic.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\us.mg1.mail
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\RED\Application Data\Mozilla\Firefox\Profiles\na85syk8.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://192.168.15.1/login.asp?1282475837691
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Harley Davidson: {2c088200-b973-11db-8314-0800200c9a66} - %profile%\extensions\{2c088200-b973-11db-8314-0800200c9a66}
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Amazon Wish List: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-OneCareMP
MSConfigStartUp-Bing Bar - c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
MSConfigStartUp-WD Button Manager - WDBtnMgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-1078081533-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(3524)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2011-01-17 14:56:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-17 21:56

Pre-Run: 19,406,792,704 bytes free
Post-Run: 19,194,998,784 bytes free

- - End Of File - - A89A8CD2BC4CFAEFA552E2A6BA74F57F

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 18 January 2011 - 12:02 AM

Before we started all this, on My C:/ Drive it showed: Documents & Settings, Program Files, WINDOWS. Now after all this It shows additional Folders. After we get Done, What can I Delete, and What to Save (Move it where?)? Have included an Attachment showing What is NOW in my C:/Drive...


Don't delete anything yet.. Let's wait until we're done first :)

Combo-Fix deleted the WDBtnMgr which is the Opening/Closing Program for my External HDD, shall I just Re-Install??


You may reinstall later :)

I have that New "Boot.bak" File on my C:/Drive which My Windows doesn't recognize, is it Important??


Let's leave it there first :)


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
OPE
OXCZXC
TZOGWZD

Rootkit::
c:\docume~1\RED\LOCALS~1\Temp\OXCZXC.exe

FireFox::
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=

DDS::
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
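As an added illustration (not from this thread and not ComboFix's own code), the Python below flags the kinds of entries the CFScript above removes, i.e. services with no image path or with a binary under a Temp folder, and a Firefox keyword.url pointing at an unexpected search host, and then assembles the matching CFScript sections. The allowed search hosts are an assumption, and the sample lines are copied from the ComboFix log posted earlier in the thread, with benign lines added for contrast.

```python
"""Triage helper for the ComboFix and Firefox entries discussed in this thread.

Constructed example, not part of the thread or of ComboFix itself.
"""
import re
from urllib.parse import urlparse

# ComboFix service/driver line: "<start> <name>;<display name>;<image> [info]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# DDS/ComboFix Firefox pref line: "FF - prefs.js: <pref> - <value>"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
# A service binary living under any Temp folder is a strong hijack indicator.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Assumed allowlist of search providers a keyword.url may legitimately point at.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed sample: lines copied from the ComboFix log in this thread plus benign ones.
SAMPLE_LOG = r"""
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 OPE;OPE; [x]
S4 OXCZXC;OXCZXC;c:\docume~1\RED\LOCALS~1\Temp\OXCZXC.exe --> c:\docume~1\RED\LOCALS~1\Temp\OXCZXC.exe [?]
S4 SITomcat;SI Tomcat;"c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe" --> c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe [?]
S4 TZOGWZD;TZOGWZD; [x]
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
""".strip().splitlines()


def parse_services(lines):
    """Yield (name, start_type, image_path) for each ComboFix service/driver line."""
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest == "[x]":          # ComboFix could not resolve any image path
            image = ""
        else:                      # drop the "--> path [?]" echo and the "[date size]" info
            image = rest.split(" --> ")[0].split(" [")[0].strip('"')
        yield m.group("name"), m.group("start"), image


def suspicious_services(lines):
    """Return [(name, image, reason)] for services matching the patterns seen here.

    A "[?]" marker alone (file info unavailable) is not flagged: SITomcat has one
    too, and its binary sits in an ordinary install directory.
    """
    findings = []
    for name, _start, image in parse_services(lines):
        if not image:
            findings.append((name, image, "no image path (orphaned service entry)"))
        elif TEMP_RE.search(image):
            findings.append((name, image, "service binary runs from a Temp folder"))
    return findings


def hijacked_keyword_urls(lines, allowed_hosts=ALLOWED_SEARCH_HOSTS):
    """Return [(raw_line, host)] for keyword.url values pointing outside allowed_hosts."""
    findings = []
    for line in lines:
        m = FF_PREF_RE.match(line.strip())
        if not m or m.group("pref").lower() != "keyword.url":
            continue
        url = m.group("value").replace("hxxp", "http", 1)   # logs are posted defanged
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((line.strip(), host))
    return findings


def build_cfscript(lines):
    """Assemble the CFScript sections used in this thread from the findings above.

    Driver:: takes service names, Rootkit:: the file paths to quarantine, and
    FireFox:: the raw prefs.js lines to remove.
    """
    services = suspicious_services(lines)
    prefs = hijacked_keyword_urls(lines)
    sections = ["KillAll::", ""]
    if services:
        sections += ["Driver::"] + [name for name, _img, _r in services] + [""]
        paths = [img for _n, img, _r in services if img]
        if paths:
            sections += ["Rootkit::"] + paths + [""]
    if prefs:
        sections += ["FireFox::"] + [raw for raw, _h in prefs] + [""]
    return "\n".join(sections).rstrip() + "\n"


if __name__ == "__main__":
    for name, image, reason in suspicious_services(SAMPLE_LOG):
        print(f"{name}: {reason} {image}".rstrip())
    for _raw, host in hijacked_keyword_urls(SAMPLE_LOG):
        print(f"keyword.url -> {host}")
    print(build_cfscript(SAMPLE_LOG))
```

Run on the sample it also flags the Ask toolbar keyword.URL entry, which the helper chose to leave in place; the generated script is a starting point for the analyst's review, not a substitute for it.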


#7 IdahoBiker

IdahoBiker
  • Topic Starter

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Location:I_Da_Ho
  • Local time:03:33 AM

Posted 18 January 2011 - 08:19 PM

Did as You Requested. Here are the Scan Logs from Combo-Fix & HiJackThis.
QUESTIONS:
1) For Some Odd Reason FireFox has started giving me Pop-Ups on: Firefox Stopped This From being Automatically Redirected...Click on "Allow" (which generally I don't). I don't remember changing any settings in Firefox; is this something that has been Added On since we Started this? Do I NEED to be Concerned??
2) Did a Program We Installed Reset My Default Browser from FireFox to IE8??
3) Combo-Fix did NOT give me an Option to Send that Scan Log to wherever??
ALSO: I have NOT been doing Searches since we started this; is it OK to Search (and take the Chance of Re-Direction)??

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:19:31 PM, on 1/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.facebook.com/bejeweledblitz/?gid=6900335f00ca4ca129fc1dff97cc0281&kt_type=stream&kt_ut=766110E9F907F34BAA29ABC83691ACB7&kt_st1=DailySpinGift&kt_st2=5K&kt_st3=0003&lpt=DailySpinGift-5K-0003&ref=nf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.battle.net
O15 - Trusted Zone: *.blizzard.com
O15 - Trusted Zone: *.clearwire.net
O15 - Trusted Zone: *.diskeeper.com
O15 - Trusted Zone: *.epson.com
O15 - Trusted Zone: http://apps.facebook.com
O15 - Trusted Zone: *.lavasoft.com
O15 - Trusted Zone: *.limewire.com
O15 - Trusted Zone: *.logitech.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: www.pof.com
O15 - Trusted Zone: http://game3.pogo.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: http://www.samsung.com
O15 - Trusted Zone: *.samsung.com
O15 - Trusted Zone: *.spybot.com
O15 - Trusted Zone: *.viewsonic.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe
O23 - Service: Uniblue DiskRescue - Uniblue - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 8850 bytes
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
ComboFix 11-01-17.04 - RED 01/18/2011 7:24.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.246 [GMT -7:00]
Running from: c:\documents and settings\RED\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\RED\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Windows Live OneCare *Disabled/Updated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *Disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OPE
-------\Legacy_OXCZXC
-------\Legacy_TZOGWZD
-------\Service_OPE
-------\Service_OXCZXC
-------\Service_TZOGWZD


((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.

2011-01-18 02:19 . 2011-01-18 02:34 632832 ----a-w- c:\windows\system32\notepad.exe.orig
2011-01-18 02:19 . 2011-01-18 02:34 632832 ----a-w- c:\windows\notepad.exe.orig
2011-01-10 01:05 . 2011-01-10 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-01-09 11:45 . 2011-01-09 11:45 -------- d-----w- c:\documents and settings\RED\Local Settings\Application Data\Temp
2011-01-09 06:26 . 2011-01-09 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-01-08 02:51 . 2011-01-08 02:51 -------- d-----w- c:\program files\WinPcap
2011-01-08 02:46 . 2011-01-08 02:46 388096 ----a-r- c:\documents and settings\RED\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 17:56 . 2011-01-07 17:56 -------- d-----w- c:\documents and settings\RED\Application Data\Malwarebytes
2011-01-07 17:55 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 17:55 . 2011-01-07 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-07 17:54 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 17:54 . 2011-01-07 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-01 22:06 . 2011-01-01 22:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B3ABAF49-C1FD-4E23-A5C8-1D0530D54991}
2011-01-01 22:06 . 2011-01-01 22:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{942E4254-C25C-44BA-94FC-8777923F9E7B}
2011-01-01 22:05 . 2011-01-01 22:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2011-01-01 22:03 . 2011-01-01 22:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2010-12-24 21:32 . 2010-12-24 21:32 75264 --sha-r- c:\windows\system32\runas8.dll
2010-12-22 22:16 . 2010-12-22 22:16 -------- d-----w- c:\program files\Yontoo Layers Client
2010-12-22 22:16 . 2010-12-22 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2010-12-22 14:05 . 2010-06-02 11:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-12-22 14:05 . 2010-06-02 11:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-12-22 14:05 . 2010-06-02 11:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-12-22 14:05 . 2010-05-26 18:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-12-22 14:05 . 2010-05-26 18:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-18 02:34 . 2004-08-04 12:56 632832 -c--a-w- c:\windows\system32\notepad.exe
2011-01-18 02:34 . 2004-08-04 12:56 632832 -c--a-w- c:\windows\notepad.exe
2010-12-31 20:06 . 2010-11-08 05:28 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 20:06 . 2009-12-29 13:58 188216 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-31 20:00 . 2009-12-29 13:58 293968 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-31 19:59 . 2009-12-29 13:58 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-31 19:59 . 2009-12-29 13:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-31 19:59 . 2009-12-29 13:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-31 19:56 . 2009-12-29 13:58 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-31 19:56 . 2009-12-29 13:58 29264 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-31 19:56 . 2009-12-29 13:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-30 00:38 . 2010-11-30 00:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-22 01:21 . 2009-05-27 23:37 398744 ----a-r- c:\windows\system32\cpnprt2.cid
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-01 21:05 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-12-31 3395600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 15 (0xf)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 22:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^RED^Start Menu^Programs^Startup^CNET TechTracker.lnk]
backup=c:\windows\pss\CNET TechTracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 19:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-07-17 13:45 90112 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-07-17 13:59 143360 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-19 23:27 5248312 -c--a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Spindown Utility]
2004-08-09 21:15 278528 ----a-w- c:\program files\Western Digital Technologies\Spindown\ExSpinDn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\TrueCrypt\\TrueCrypt.exe"=
"c:\\Program Files\\Oberon Media\\Big Kahuna Reef 2\\Launch.exe"=
"c:\\Program Files\\Oberon Media\\Bejeweled 2 Deluxe\\Launch.exe"=
"c:\\Program Files\\Intel\\Intel Application Accelerator\\IntelATA.exe"=
"c:\\Program Files\\Uniblue\\PowerSuite\\PowerSuite.exe"=
"c:\\Program Files\\VIA\\VIAudioi\\SBADeck\\ADeck.exe"=
"c:\\Program Files\\Quicken\\QuickenOLBackupLauncher.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Samsung Magic Speed\\Magic Speed\\MagicSL.exe"=
"c:\\Program Files\\Oberon Media\\Lottso! Deluxe\\Launch.exe"=
"c:\\Program Files\\Samsung CDRW\\sfdnwin.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\Photoshop Album Starter Edition.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\WINDOWS\\system32\\ac3config.exe"=
"c:\\WINDOWS\\twain_32\\escndv\\escndv.exe"=
"c:\\WINDOWS\\twain_32\\escndv\\escfg.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDShred.exe"=
"c:\\Program Files\\SAMSUNG\\FW LiveUpdate\\FWManager.exe"=
"c:\\Program Files\\My Book\\WD Backup\\uWDBackup.exe"=
"c:\\Program Files\\Lavasoft\\Lavasoft Privacy Toolbox\\LSPrivacyToolbox.exe"=
"c:\\Program Files\\Uniblue\\PixelPerfect\\PixelPerfect.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\RpcAgentSrv.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EPSON Print CD\\EPSONCD.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\sandra.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\rmiregistry.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\rmid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\tnameserv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA20.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Alwil Software\\Avast5\\AvastUI.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"6112:TCP"= 6112:TCP:Battle.net

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/29/2009 6:58 AM 293968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/29/2009 6:58 AM 17744]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [1/7/2011 7:47 PM 439632]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [3/30/2008 1:27 PM 63360]
S3 iAimFP8;iAimFP8;c:\windows\system32\drivers\wADV11nt.sys [2/7/2007 11:34 AM 11935]
S3 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 5:56 AM 14336]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 9:55 AM 40720]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [2/7/2007 11:34 AM 128286]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe [6/22/2009 9:10 PM 98488]
S3 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 8:22 AM 229648]
S4 SITomcat;SI Tomcat;"c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe" --> c:\esi\Apache Group\Tomcat 4.1\bin\tomcat.exe [?]
S4 SITransbase;SI Transbase;c:\esi\Transbase\tbmux32.exe --> c:\esi\Transbase\tbmux32.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 02:55 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-12-23 22:31]

2011-01-15 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-12-23 22:31]

2008-09-14 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://apps.facebook.com/bejeweledblitz/?gid=6900335f00ca4ca129fc1dff97cc0281&kt_type=stream&kt_ut=766110E9F907F34BAA29ABC83691ACB7&kt_st1=DailySpinGift&kt_st2=5K&kt_st3=0003&lpt=DailySpinGift-5K-0003&ref=nf
mWindow Title = RED
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: adobe.com
Trusted Zone: battle.net
Trusted Zone: blizzard.com
Trusted Zone: clearwire.net
Trusted Zone: diskeeper.com
Trusted Zone: epson.com
Trusted Zone: facebook.com\apps
Trusted Zone: google.com
Trusted Zone: lavasoft.com
Trusted Zone: limewire.com
Trusted Zone: logitech.com
Trusted Zone: microsoft.com\support
Trusted Zone: myspace.com\messaging
Trusted Zone: pof.com\www
Trusted Zone: pogo.com
Trusted Zone: pogo.com\game3
Trusted Zone: samsung.com
Trusted Zone: samsung.com\www
Trusted Zone: spybot.com
Trusted Zone: viewsonic.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\us.mg1.mail
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\RED\Application Data\Mozilla\Firefox\Profiles\na85syk8.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://192.168.15.1/login.asp?1282475837691
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Harley Davidson: {2c088200-b973-11db-8314-0800200c9a66} - %profile%\extensions\{2c088200-b973-11db-8314-0800200c9a66}
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Amazon Wish List: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-18 07:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-1078081533-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(3004)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2011-01-18 08:05:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-18 15:05
ComboFix2.txt 2011-01-17 21:57

Pre-Run: 19,185,849,856 bytes free
Post-Run: 19,172,283,904 bytes free

- - End Of File - - 3B3F09C00409F5DF34506F2DCFE1D88B

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 18 January 2011 - 09:41 PM

For Some Odd Reason FireFox has started giving me Pop-Ups on: Firefox Stopped This From being Automatically Redirected...Click on "Allow" (which generally I don't), I don't remember changing any settings in Firefox, is this something that has been Added On since we Started this, Do I NEED to be Concerned??


I'm not familiar with the fox, as I'm using Google Chrome right now.. can you give me the screenshot? :)

Did a Program We Installed Reset My Default Browser from FireFox to IE8 ??


It shouldn't but I believe you can easily set it back to Firefox if you wish :)

Combo-Fix did NOT give me an Option to Send that Scan Log to where-ever??


Ok, no problem.. Don't worry too much :)

I have been NOT doing Searches since we started this, is it OK to Search (and take the Chance of Re-Direction)??


Sure, please do, as we need to test whether the redirection still occurs or not.. Please tell me more about it :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 10:43 AM

Link to XP forum topic: http://www.bleepingcomputer.com/forums/topic374264.html

As soon as you and fenzodahl512 finish with this topic, we can reopen your other topic if you still need help with the mentioned issue. For now, please continue working in this topic, because otherwise your helper will not know what steps you have done and why.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 19 January 2011 - 06:30 PM

Hi, I just looked at your topic in the XP forum.. I suspect it's a file association problem.. Can you please try Allan's suggestion? Here's the link for the JPEG file association..

http://www.dougknox.com/xp/fileassoc/xp_jpg_jpe_jpeg_file_assoc_fix.zip

Oh, before you run that file, please do below first, then do the above step...


Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instruction on how to back-up registry via ERUNT, please visit HERE



#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 19 January 2011 - 06:46 PM

And then please do this also :P


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\runas8.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.



#12 IdahoBiker

  • Topic Starter

  • Members
  • 128 posts
  • Gender:Male
  • Location:I_Da_Ho

Posted 19 January 2011 - 06:57 PM

For Some Odd Reason FireFox has started giving me Pop-Ups on: Firefox Stopped This From being Automatically Redirected...Click on "Allow" (which generally I don't), I don't remember changing any settings in Firefox, is this something that has been Added On since we Started this, Do I NEED to be Concerned??


I'm not familiar with the fox, as I'm using Google Chrome right now.. can you give me the screenshot? :)

OK, can do, next time it occurs!

Did a Program We Installed Reset My Default Browser from FireFox to IE8 ??


It shouldn't but I believe you can easily set it back to Firefox if you wish :)

I keep getting a Pop-Up that Asks me If I want Firefox to be My Default, I click YES. I checked In Internet Options, and IE is still Unchecked as my Default, strange....

Combo-Fix did NOT give me an Option to Send that Scan Log to where-ever??


Ok, no problem.. Don't worry too much :)

I went to the "Site" (Bleeping Computer as a matter of Fact, lol) and sent it In, just to let you Know.

I have been NOT doing Searches since we started this, is it OK to Search (and take the Chance of Re-Direction)??


Sure, please do, as we need to test whether the redirection still occur or not.. Please tell me more about it :)

Yes, it is STILL Re-Directing me?? The Latest was from xxxx://ndparking.com, & xxxx://cdn.optmd.com (some Screen saver Site, and one masquerading as xxxx://magicchef-ewave.com // Which it wasn't)



#13 fenzodahl512

  • Members
  • 6,738 posts

Posted 19 January 2011 - 07:07 PM

Hmm.. Let's try running this one... and also, please don't forget the previous steps to upload a suspicious file into VirScan/VirusTotal too.. it's important for me to know whether that file is good or else :)


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



#14 IdahoBiker

  • Topic Starter

  • Members
  • 128 posts
  • Gender:Male
  • Location:I_Da_Ho

Posted 19 January 2011 - 07:33 PM

And then please do this also :P


Please show hidden files and folders

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\runas8.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.


Tried to Upload that runas8.dll and Came Back with an ERROR: Unable to Locate Upload File (Even though I had it Un-Hidden, and I could see "it", What Now?)
OK, Ran this File runas.dll, couldn't find the one you said (??), here's what Came up:
File Name : runas.exe
File Size : 16384 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : d69290339a5bd2aaf674ea6abf670f6d
SHA1 : 1c7072b055ff62c24968aeb762635e06d87b1d2b

Ran the File next to the Last one (run32.dll). Here are those Results:
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c

Edited by IdahoBiker, 19 January 2011 - 07:40 PM.


#15 fenzodahl512

  • Members
  • 6,738 posts

Posted 19 January 2011 - 07:45 PM

Okay, I suspect that file is bad, please cut the file (runas8.dll) and paste it to your Desktop for the time being..

Next, please run the TDSSKiller by Kaspersky and post the result here :)

Edited by fenzodahl512, 19 January 2011 - 07:45 PM.





