google redirect


This topic is locked. 10 replies to this topic.

#1 kennydevon

Posted 20 January 2011 - 05:49 PM

Hi Bleeping
I followed the steps in one of the threads for another user, but the redirect is still on my laptop. So I guess I need the personal touch.
Thanks in advance for your time.

Here is the DDS text. The Attach file is attached. The ark file was too big. I tried zipping it with Winace but it wouldn't upload. I have sent you the first part of it. I will try to attach the remainder in a following post.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Kenny at 21:10:27.43 on 20/01/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.274 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DOCUME~1\Kenny\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Kenny\Desktop\SECURITY\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB003" /M "Stylus Photo RX420"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] f:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\kenny\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
IE: E&xport to Microsoft Excel - f:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\bn9yh03m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSqueak.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: DOM Inspector: inspector@mozilla.org - %profile%\extensions\inspector@mozilla.org
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2005-9-17 294608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2005-9-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2005-9-17 40384]
S2 aregse;Server Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 dolhnzdo;Security Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gikvuyq;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gupdate1ca4904a224d4a0;Google Update Service (gupdate1ca4904a224d4a0);c:\program files\google\update\GoogleUpdate.exe [2009-10-9 133104]
S2 jwnio;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 pmwnob;Network Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 pwvzvpvg;Boot Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 qimskjxc;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 vylsgys;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 wskkii;Manager Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 wsrer;Task Boot;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 yweabxh;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2008-2-28 86656]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2008-2-28 28928]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2009-5-20 101120]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [2008-10-27 25088]

=============== File Associations ===============

.reg=Regedit.Document

=============== Created Last 30 ================

2011-01-18 23:29:52 -------- d-----w- c:\program files\ESET
2011-01-18 23:08:48 -------- d-----w- c:\docume~1\kenny\applic~1\Malwarebytes
2011-01-18 23:08:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-18 23:08:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-18 23:08:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 22:24:08 388096 ----a-r- c:\docume~1\kenny\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-17 21:24:32 -------- d-----w- c:\docume~1\kenny\applic~1\etoys
2011-01-17 21:23:31 57344 ----a-w- c:\program files\mozilla firefox\plugins\NPSqueak.dll
2011-01-09 22:28:55 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-01-09 22:28:53 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-01-07 14:49:12 -------- d-----w- c:\windows\system32\KB905474
2011-01-06 20:01:37 95360 ----a-w- c:\windows\system32\drivers\wzyvbrxi.sys
2011-01-06 20:00:53 265728 -c----w- c:\windows\system32\dllcache\http.sys
2011-01-06 19:58:35 -------- d-----w- c:\windows\system32\MpEngineStore
2011-01-06 18:10:28 -------- d-----w- c:\docume~1\kenny\locals~1\applic~1\PCHealth
2011-01-06 15:07:51 293376 ------w- c:\windows\system32\browserchoice.exe
2011-01-06 15:05:35 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-01-05 22:07:11 -------- d-sha-r- C:\cmdcons
2011-01-05 22:02:54 98816 ----a-w- c:\windows\sed.exe
2011-01-05 22:02:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-05 22:02:54 256512 ----a-w- c:\windows\PEV.exe
2011-01-05 22:02:54 161792 ----a-w- c:\windows\SWREG.exe
2011-01-05 15:37:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\a
2011-01-03 20:55:05 -------- d-----w- c:\windows\speech

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr

============= FINISH: 21:11:41.54 ===============

I tried to attach the remainder of the ark file, but it appears I have exceeded my global upload quota. Is this possibly from a previous thread? How do I get round this problem?

Solved the problem with the limit - complete ark file attached.

EDIT: Posts merged ~BP

Edited by Budapest, 20 January 2011 - 08:20 PM.


#2 fenzodahl512

Posted 20 January 2011 - 09:17 PM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[Two screenshots of the rename step were posted here.]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

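The two logs posted in this thread (the DDS dump in the first post and the TDSSKiller log in the reply that follows) carry the signals a helper reads first: a browser proxy pointed at a loopback port, a cluster of services with random names all hosted by "svchost.exe -k netsvcs", and a driver whose two MD5 values disagree, which TDSSKiller reports as a forged file and names on the next line. The script below is an added example, not code from this thread, from BleepingComputer, or from the authors of DDS or TDSSKiller. It pulls those three signals out of sample lines copied from the posted logs. The line layouts are assumed to be exactly as they appear in the posts; the netsvcs rule rests on the assumption that DDS omits whitelisted Microsoft services from its services section, so its output is a list for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the DDS log and the TDSSKiller log
# posted in this thread, trimmed to a handful so the script runs offline.
DDS_SAMPLE = r"""
uStart Page = hxxp://www.orange.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2005-9-17 40384]
S2 aregse;Server Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gupdate1ca4904a224d4a0;Google Update Service (gupdate1ca4904a224d4a0);c:\program files\google\update\GoogleUpdate.exe [2009-10-9 133104]
S2 jwnio;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2008-2-28 28928]
"""

TDSS_SAMPLE = r"""
2005/06/01 01:28:10.0000 atapi (14810d05efbbf1e5e4af54e813c30654) C:\WINDOWS\system32\DRIVERS\atapi.sys
2005/06/01 01:28:10.0000 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 14810d05efbbf1e5e4af54e813c30654, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
2005/06/01 01:28:10.0015 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2005/06/01 01:28:10.0062 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2005/06/01 01:28:18.0859 Detected object count: 1
2005/06/01 01:28:53.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 14810d05efbbf1e5e4af54e813c30654, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
2005/06/01 01:28:55.0109 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
"""

PROXY_RE = re.compile(r"ProxyServer = (\S+)")
# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([\d-]+) (\d+)\]$")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})"
)
DETECT_RE = re.compile(r"^\S+ \S+ (\S+) - detected (\S+)")
CURE_RE = re.compile(r"^\S+ \S+ (.+?) - will be cured after reboot$")


def dds_findings(text: str) -> List[str]:
    """Return review-worthy findings from a DDS 'Pseudo HJT' / services dump."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m and re.search(r"(127\.0\.0\.1|localhost)", m.group(1)):
            # Every browser request is routed through a local process first.
            findings.append(f"browser proxy points at loopback: {m.group(1)}")
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, image, _date, _size = m.groups()
        # Heuristic (assumption): DDS omits whitelisted Microsoft services, so a
        # listed service hosted by "svchost.exe -k netsvcs" has no Microsoft
        # identity and deserves a look. The date/size belong to svchost.exe
        # itself and say nothing about the ServiceDll that actually runs.
        image_l = image.lower()
        if "svchost.exe" in image_l and "-k netsvcs" in image_l:
            findings.append(f"{state} service {name!r} ({display}) hosted in netsvcs")
    return findings


@dataclass
class ForgedFile:
    path: str
    real_md5: str
    fake_md5: str
    threat: Optional[str] = None
    action: Optional[str] = None


def _stem(path: str) -> str:
    """'C:\\...\\atapi.sys' -> 'atapi', the name TDSSKiller uses on the detection line."""
    return path.rsplit("\\", 1)[-1].split(".")[0].lower()


def parse_tdsskiller(text: str) -> List[ForgedFile]:
    """Collect forged-file detections from a TDSSKiller log, one entry per path.

    The tool prints the forged line twice (once during the scan, once in the
    results block), so entries are keyed by path to avoid double counting.
    """
    found = {}
    for line in text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            path, real, fake = m.groups()
            found.setdefault(path.lower(), ForgedFile(path, real, fake))
            continue
        m = DETECT_RE.match(line)
        if m:
            name, threat = m.groups()
            for f in found.values():
                if _stem(f.path) == name.lower():
                    f.threat = threat
            continue
        m = CURE_RE.match(line)
        if m and m.group(1).lower() in found:
            found[m.group(1).lower()].action = "cure after reboot"
    return list(found.values())


if __name__ == "__main__":
    for item in dds_findings(DDS_SAMPLE):
        print("DDS:", item)
    for f in parse_tdsskiller(TDSS_SAMPLE):
        print(f"TDSSKiller: {f.path} real={f.real_md5} fake={f.fake_md5} "
              f"threat={f.threat} action={f.action}")
```

Run as a script it prints one proxy finding, the two netsvcs-hosted services from the sample, and a single forged-file record for atapi.sys with its family name and the scheduled cure. On the full DDS log from the first post the netsvcs rule would list all twelve randomly named S2 entries, which is why a helper jumps straight to a rootkit scanner rather than chasing each service.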


#3 kennydevon (Topic Starter)

Posted 21 January 2011 - 09:40 AM

Hi and thanks Fenzodal

Here are the TDSSKiller and ComboFix logs:

2005/06/01 01:27:56.0875 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:51
2005/06/01 01:27:56.0875 ================================================================================
2005/06/01 01:27:56.0875 SystemInfo:
2005/06/01 01:27:56.0875
2005/06/01 01:27:56.0875 OS Version: 5.1.2600 ServicePack: 2.0
2005/06/01 01:27:56.0875 Product type: Workstation
2005/06/01 01:27:56.0875 ComputerName: KENNYS-LAPTOP
2005/06/01 01:27:56.0875 UserName: Kenny
2005/06/01 01:27:56.0875 Windows directory: C:\WINDOWS
2005/06/01 01:27:56.0875 System windows directory: C:\WINDOWS
2005/06/01 01:27:56.0875 Processor architecture: Intel x86
2005/06/01 01:27:56.0875 Number of processors: 2
2005/06/01 01:27:56.0875 Page size: 0x1000
2005/06/01 01:27:56.0875 Boot type: Normal boot
2005/06/01 01:27:56.0875 ================================================================================
2005/06/01 01:27:57.0390 Initialize success
2005/06/01 01:28:08.0609 ================================================================================
2005/06/01 01:28:08.0609 Scan started
2005/06/01 01:28:08.0609 Mode: Manual;
2005/06/01 01:28:08.0609 ================================================================================
2005/06/01 01:28:09.0062 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
2005/06/01 01:28:09.0156 acfva (426b4845468b690cfeeb268488d3aa0b) C:\WINDOWS\system32\DRIVERS\ACFVA32.sys
2005/06/01 01:28:09.0203 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2005/06/01 01:28:09.0250 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2005/06/01 01:28:09.0296 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
2005/06/01 01:28:09.0375 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2005/06/01 01:28:09.0437 AFD (6a0397376853e604de8e1e7a87fc08ac) C:\WINDOWS\System32\drivers\afd.sys
2005/06/01 01:28:09.0703 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2005/06/01 01:28:09.0734 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
2005/06/01 01:28:09.0765 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
2005/06/01 01:28:09.0843 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
2005/06/01 01:28:09.0921 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
2005/06/01 01:28:09.0953 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2005/06/01 01:28:10.0000 atapi (14810d05efbbf1e5e4af54e813c30654) C:\WINDOWS\system32\DRIVERS\atapi.sys
2005/06/01 01:28:10.0000 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 14810d05efbbf1e5e4af54e813c30654, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
2005/06/01 01:28:10.0015 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2005/06/01 01:28:10.0062 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2005/06/01 01:28:10.0109 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2005/06/01 01:28:10.0171 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2005/06/01 01:28:10.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2005/06/01 01:28:10.0296 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2005/06/01 01:28:10.0328 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2005/06/01 01:28:10.0359 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2005/06/01 01:28:10.0421 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2005/06/01 01:28:10.0468 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2005/06/01 01:28:10.0500 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2005/06/01 01:28:10.0609 dgcfltr (ff2cfb06e8019e5bed0497cd629a4bd5) C:\WINDOWS\system32\DRIVERS\ACFDCP32.sys
2005/06/01 01:28:10.0640 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2005/06/01 01:28:10.0703 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2005/06/01 01:28:10.0765 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2005/06/01 01:28:10.0796 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2005/06/01 01:28:10.0859 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2005/06/01 01:28:10.0921 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2005/06/01 01:28:10.0984 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2005/06/01 01:28:11.0031 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2005/06/01 01:28:11.0062 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2005/06/01 01:28:11.0109 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2005/06/01 01:28:11.0156 FltMgr (6cc5181f718820861eeadae38f764b75) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2005/06/01 01:28:11.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2005/06/01 01:28:11.0218 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2005/06/01 01:28:11.0265 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2005/06/01 01:28:11.0312 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2005/06/01 01:28:11.0343 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2005/06/01 01:28:11.0421 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2005/06/01 01:28:11.0484 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2005/06/01 01:28:11.0500 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2005/06/01 01:28:11.0546 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2005/06/01 01:28:11.0593 HTTP (261bf53e1d1c21f04b4e748a6ed3d055) C:\WINDOWS\system32\Drivers\HTTP.sys
2005/06/01 01:28:11.0718 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2005/06/01 01:28:11.0765 Imapi (12c59b8929121ace2f55acc86682cf12) C:\WINDOWS\system32\DRIVERS\imapi.sys
2005/06/01 01:28:12.0015 IntcAzAudAddService (909d03b3b7fb7c830b74f74f4d0ea7ce) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2005/06/01 01:28:12.0203 intelppm (db8a1859cf9e48914dcc0a7206d87be5) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2005/06/01 01:28:12.0234 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2005/06/01 01:28:12.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2005/06/01 01:28:12.0296 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2005/06/01 01:28:12.0343 IpNat (472c75f85e631f8aa87d21c9fee6238d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2005/06/01 01:28:12.0390 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2005/06/01 01:28:12.0437 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2005/06/01 01:28:12.0500 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2005/06/01 01:28:12.0562 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2005/06/01 01:28:12.0593 kmixer (8531438246ce9474e41ee1599904c0c7) C:\WINDOWS\system32\drivers\kmixer.sys
2005/06/01 01:28:12.0671 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
2005/06/01 01:28:12.0781 lusbaudio (081caf42d5db1fcf8794fd77befd1b11) C:\WINDOWS\system32\drivers\OVSound2.sys
2005/06/01 01:28:12.0812 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
2005/06/01 01:28:12.0859 mdmxsdk (1968508adb20192a03a30c25f16db506) C:\WINDOWS\system32\DRIVERS\ACFSDK32.sys
2005/06/01 01:28:12.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2005/06/01 01:28:12.0937 MobileAdapter (4a77f036f7234ed24351ac486d2a29b9) C:\WINDOWS\system32\DRIVERS\hmvmdm.sys
2005/06/01 01:28:12.0984 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2005/06/01 01:28:13.0046 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2005/06/01 01:28:13.0078 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2005/06/01 01:28:13.0140 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2005/06/01 01:28:13.0156 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2005/06/01 01:28:13.0218 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2005/06/01 01:28:13.0281 MRxSmb (3500e756812e716351f2d341ae1d5623) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2005/06/01 01:28:13.0312 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2005/06/01 01:28:13.0359 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2005/06/01 01:28:13.0390 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2005/06/01 01:28:13.0406 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2005/06/01 01:28:13.0437 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2005/06/01 01:28:13.0468 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2005/06/01 01:28:13.0515 Mup (79a9c030299e8cc04f18d0765155d902) C:\WINDOWS\system32\drivers\Mup.sys
2005/06/01 01:28:13.0546 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2005/06/01 01:28:13.0578 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2005/06/01 01:28:13.0609 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2005/06/01 01:28:13.0656 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2005/06/01 01:28:13.0687 Ndisuio (77d9bf86b912104c229d4f0d25be3c12) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2005/06/01 01:28:13.0703 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2005/06/01 01:28:13.0734 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2005/06/01 01:28:13.0765 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2005/06/01 01:28:13.0812 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2005/06/01 01:28:13.0859 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2005/06/01 01:28:13.0906 Ntfs (7179ac3f4258aec9627590a842fda1d6) C:\WINDOWS\system32\drivers\Ntfs.sys
2005/06/01 01:28:13.0968 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2005/06/01 01:28:14.0250 nv (b5a51353d8733b2d28055286e0f57f9c) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2005/06/01 01:28:14.0546 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2005/06/01 01:28:14.0562 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2005/06/01 01:28:14.0640 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2005/06/01 01:28:14.0687 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2005/06/01 01:28:14.0750 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2005/06/01 01:28:14.0859 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2005/06/01 01:28:14.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2005/06/01 01:28:14.0953 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2005/06/01 01:28:15.0296 PID_PEPI (4bb5ac2dd485b8eefccb977ee66a68ad) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2005/06/01 01:28:15.0437 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2005/06/01 01:28:15.0468 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2005/06/01 01:28:15.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2005/06/01 01:28:15.0531 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2005/06/01 01:28:15.0578 QCAbsee (7835ccedeed078a8bc48fe91961ab9a6) C:\WINDOWS\system32\DRIVERS\OVCA.sys
2005/06/01 01:28:15.0687 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2005/06/01 01:28:15.0750 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2005/06/01 01:28:15.0781 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2005/06/01 01:28:15.0812 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2005/06/01 01:28:15.0843 Rdbss (b48441a6dc703ee4c36db14ee51a189c) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2005/06/01 01:28:15.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2005/06/01 01:28:15.0921 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2005/06/01 01:28:15.0968 RDPWD (047bea21274c8a4a233674a76c958c2c) C:\WINDOWS\system32\drivers\RDPWD.sys
2005/06/01 01:28:16.0046 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2005/06/01 01:28:16.0125 rspndr (0e11b35e972796042044bc27ce13b065) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2005/06/01 01:28:16.0187 sdbus (45c6411c6f9f911a9f1c8561b1fa1115) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2005/06/01 01:28:16.0234 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2005/06/01 01:28:16.0281 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2005/06/01 01:28:16.0328 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2005/06/01 01:28:16.0406 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2005/06/01 01:28:16.0484 splitter (9bb1dd670cb7505a90fc4e61d4aa8227) C:\WINDOWS\system32\drivers\splitter.sys
2005/06/01 01:28:16.0531 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2005/06/01 01:28:16.0593 Srv (d4af9861c3b6a2163d26dc6b9cf05e2a) C:\WINDOWS\system32\DRIVERS\srv.sys
2005/06/01 01:28:16.0656 ssm_bus (df5c19f053eff7f8ba25d73aea899656) C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
2005/06/01 01:28:16.0828 ssm_mdfl (5347169fa449eabc4d0728ae39fab926) C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
2005/06/01 01:28:16.0890 ssm_mdm (7aae23dd105eed15c4f45fc269fa42a9) C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
2005/06/01 01:28:16.0937 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
2005/06/01 01:28:16.0968 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2005/06/01 01:28:17.0046 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2005/06/01 01:28:17.0093 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2005/06/01 01:28:17.0250 SynTP (66f680409fc3bddf62741e3e920a8454) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2005/06/01 01:28:17.0296 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2005/06/01 01:28:17.0390 Tcpip (744e57c99232201ae98c49168b918f48) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2005/06/01 01:28:17.0437 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2005/06/01 01:28:17.0468 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2005/06/01 01:28:17.0515 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2005/06/01 01:28:17.0625 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2005/06/01 01:28:17.0718 Update (7b2170ee3d858ce8fbe503904cc9b663) C:\WINDOWS\system32\DRIVERS\update.sys
2005/06/01 01:28:17.0828 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2005/06/01 01:28:17.0875 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2005/06/01 01:28:17.0906 usbehci (4a84dd272df62be5739394b3f90f8ae2) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2005/06/01 01:28:17.0953 usbhub (a874d1629762019ceaf824ad8a8c5660) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2005/06/01 01:28:17.0984 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2005/06/01 01:28:18.0062 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2005/06/01 01:28:18.0125 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\DRIVERS\usbser.sys
2005/06/01 01:28:18.0140 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2005/06/01 01:28:18.0171 usbuhci (654c19d5ca14483be3c2384cddc09468) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2005/06/01 01:28:18.0218 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2005/06/01 01:28:18.0250 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2005/06/01 01:28:18.0343 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2005/06/01 01:28:18.0421 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2005/06/01 01:28:18.0500 wdmaud (0bfa8203b8148fb4e54bc212c41ce497) C:\WINDOWS\system32\drivers\wdmaud.sys
2005/06/01 01:28:18.0578 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2005/06/01 01:28:18.0671 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2005/06/01 01:28:18.0718 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2005/06/01 01:28:18.0750 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2005/06/01 01:28:18.0843 ================================================================================
2005/06/01 01:28:18.0843 Scan finished
2005/06/01 01:28:18.0843 ================================================================================
2005/06/01 01:28:18.0859 Detected object count: 1
2005/06/01 01:28:53.0406 atapi (14810d05efbbf1e5e4af54e813c30654) C:\WINDOWS\system32\DRIVERS\atapi.sys
2005/06/01 01:28:53.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 14810d05efbbf1e5e4af54e813c30654, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
2005/06/01 01:28:54.0968 Backup copy found, using it..
2005/06/01 01:28:55.0109 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
2005/06/01 01:28:55.0109 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure
2005/06/01 01:29:00.0578 Deinitialize success

===============================================================================================================

ComboFix 11-01-20.03 - Kenny 01/06/2005 2:00.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.683 [GMT 1:00]
Running from: c:\documents and settings\Kenny\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2005-05-01 to 2005-06-01 )))))))))))))))))))))))))))))))
.

2010-12-19 15:56 . 2011-01-11 23:47 -------- d-----w- C:\FH backup
2009-12-28 17:13 . 2009-12-28 17:13 -------- d-----r- C:\MSOCache
2009-09-16 19:44 . 2009-09-16 19:45 -------- d-----w- C:\My Computer
2009-06-15 19:48 . 2009-06-15 19:48 -------- d-----w- C:\cygwin
2009-03-03 13:13 . 2009-03-03 13:13 -------- d-----w- C:\ConvertTemp
2008-11-06 13:39 . 2008-12-28 00:20 -------- d-----w- C:\TEMP
2008-05-20 21:12 . 2008-05-20 21:12 -------- d-----w- C:\logs3
2008-04-22 19:02 . 2008-04-22 19:02 -------- d-----w- C:\WinZip
2007-12-24 16:05 . 2008-03-15 09:48 -------- d-----w- C:\CAVEDOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 15:13 . 2007-09-08 16:52 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-04-20 05:51 . 2004-08-04 01:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-05 14:57 . 2004-08-04 01:56 65536 ----a-w- c:\windows\system32\asycfilt.dll
2010-01-29 14:43 . 2004-08-04 01:56 307260 ----a-w- c:\windows\system32\l3codeca.acm
2010-01-29 14:43 . 2001-08-23 14:00 143422 ----a-w- c:\windows\system32\l3codecx.ax
2010-01-13 14:10 . 2004-08-04 01:56 85504 ----a-w- c:\windows\system32\cabview.dll
2009-12-24 07:05 . 2004-08-04 01:56 177664 ----a-w- c:\windows\system32\wintrust.dll
2009-12-14 07:35 . 2004-08-04 01:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-04 01:56 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 01:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-23 14:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 16:24 . 2007-07-22 13:13 470528 ----a-w- c:\windows\apppatch\aclayers.dll
2009-10-21 05:50 . 2004-08-04 01:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:50 . 2004-08-04 01:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-12 13:54 . 2004-08-04 01:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 01:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-11 14:03 . 2004-08-04 01:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-04 01:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 14:32 . 2004-08-04 01:56 282654 ----a-w- c:\windows\system32\msaud32.acm
2009-08-25 09:47 . 2004-08-04 01:56 352256 ----a-w- c:\windows\system32\winhttp.dll
2009-08-05 09:11 . 2004-08-04 01:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 01:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-06-25 18:36 . 2004-08-04 01:56 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 01:56 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 01:56 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 01:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 01:56 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 01:56 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 01:56 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 01:56 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 01:56 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 01:56 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 01:56 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 01:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:17 . 2004-08-04 01:56 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-22 11:49 . 2004-08-04 01:56 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 01:56 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-04 01:56 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-03 23:58 91776 -c--a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2004-08-03 23:59 92544 -c--a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 11:49 . 2004-08-04 01:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-05-07 15:44 . 2004-08-04 01:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-03-25 05:54 . 2007-07-22 13:31 39424 ----a-w- c:\windows\apppatch\acadproc.dll
2009-03-06 14:00 . 2004-08-04 01:56 284160 ----a-w- c:\windows\system32\pdh.dll
2009-02-09 10:01 . 2004-08-04 01:56 617984 ----a-w- c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 01:56 715264 ----a-w- c:\windows\system32\ntdll.dll
2009-02-06 18:46 . 2004-08-04 01:56 408064 ----a-w- c:\windows\system32\netlogon.dll
2009-02-06 10:22 . 2004-08-04 01:56 110592 ----a-w- c:\windows\system32\services.exe
2009-02-06 09:54 . 2001-08-23 14:00 35328 ----a-w- c:\windows\system32\sc.exe
2008-11-07 04:18 . 2004-08-04 01:56 1386496 ----a-w- c:\windows\system32\msvbvm60.dll
2008-08-14 09:48 . 2004-08-04 00:14 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2008-06-20 17:36 . 2004-08-04 01:56 245248 ----a-w- c:\windows\system32\mswsock.dll
2007-12-18 09:51 . 2004-08-04 00:00 179584 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2007-12-04 18:38 . 2004-08-04 01:56 550912 ----a-w- c:\windows\system32\oleaut32.dll
2007-07-22 13:37 . 2004-08-27 23:42 35456 -c--a-w- c:\windows\system32\drivers\processr.sys
2007-07-22 13:37 . 2004-08-04 00:56 35328 ----a-w- c:\windows\system32\pid.dll
2007-07-22 13:37 . 2004-08-04 00:56 15360 ----a-w- c:\windows\system32\pjlmon.dll
2007-07-22 13:37 . 2004-08-04 00:56 52224 ----a-w- c:\windows\system32\dmutil.dll
2007-07-22 13:37 . 2004-08-04 00:56 20992 ----a-w- c:\windows\system32\hid.dll
2007-07-22 13:37 . 2004-08-04 00:56 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2007-07-22 13:37 . 2004-08-03 23:09 25472 -c--a-w- c:\windows\system32\drivers\sonydcam.sys
2007-07-22 13:37 . 2004-08-03 23:08 16000 -c--a-w- c:\windows\system32\drivers\usbintel.sys
2007-07-22 13:37 . 2004-08-03 23:08 30080 -c--a-w- c:\windows\system32\drivers\modem.sys
2007-07-22 13:37 . 2004-08-03 23:07 15488 ----a-w- c:\windows\system32\drivers\mssmbios.sys
2007-07-22 13:37 . 2004-08-03 23:07 63744 -c--a-w- c:\windows\system32\drivers\mf.sys
2007-07-22 13:37 . 2004-08-03 23:03 12416 -c--a-w- c:\windows\system32\drivers\tunmp.sys
2007-07-22 13:37 . 2004-08-03 22:59 37376 -c--a-w- c:\windows\system32\drivers\amdk7.sys
2007-07-22 13:37 . 2004-08-03 22:59 36480 -c--a-w- c:\windows\system32\drivers\crusoe.sys
2007-07-22 13:37 . 2004-08-03 22:59 42496 -c--a-w- c:\windows\system32\drivers\p3.sys
2007-07-22 13:37 . 2004-08-03 22:59 36992 -c--a-w- c:\windows\system32\drivers\amdk6.sys
2007-07-22 13:37 . 2004-08-03 22:59 80128 ----a-w- c:\windows\system32\drivers\parport.sys
2007-07-22 13:37 . 2004-08-03 22:58 4352 ----a-w- c:\windows\system32\drivers\swenum.sys
2007-07-22 13:37 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2007-07-22 13:37 . 2004-08-03 22:58 61824 -c--a-w- c:\windows\system32\drivers\nic1394.sys
2007-07-22 13:37 . 2004-08-03 22:58 60800 -c--a-w- c:\windows\system32\drivers\arp1394.sys
2007-07-22 13:37 . 2001-08-17 22:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2007-07-22 13:37 . 2001-08-17 22:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2007-07-22 13:37 . 2001-08-17 22:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2007-07-22 13:37 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2007-07-22 13:37 . 2001-08-17 22:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2007-07-22 13:37 . 2001-08-17 22:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2007-07-22 13:37 . 2001-08-17 22:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2007-07-22 13:37 . 2001-08-17 22:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2007-07-22 13:37 . 2001-08-17 22:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2007-07-22 13:37 . 2001-08-17 22:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2007-07-22 13:37 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2007-07-22 13:37 . 2001-08-17 22:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2007-07-22 13:37 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2007-07-22 13:37 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2007-07-22 13:37 . 2001-08-17 22:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2007-07-22 13:37 . 2001-08-17 22:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2007-07-22 13:37 . 2001-08-17 22:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2007-07-22 13:37 . 2001-08-17 22:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2007-07-22 13:37 . 2001-08-17 22:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2007-07-22 13:37 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\streamci.dll
2007-07-22 13:37 . 2001-08-17 22:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2007-07-22 13:37 . 2001-08-17 22:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2008-07-21 16:49 . 2008-07-21 16:49 44360 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-07-21 16:49 . 2008-07-21 16:49 107928 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((( SnapShot_2011-01-18_21.14.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-01 00:58 . 2005-06-01 00:58 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat
- 2001-08-23 14:00 . 2011-01-18 19:15 69008 c:\windows\system32\perfc009.dat
+ 2001-08-23 14:00 . 2005-06-01 01:03 69008 c:\windows\system32\perfc009.dat
+ 2011-01-18 23:08 . 2010-12-20 18:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2011-01-18 23:08 . 2010-12-20 18:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2004-08-03 23:59 . 2005-06-01 00:30 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-03 23:59 . 2004-08-03 21:59 95360 c:\windows\system32\drivers\atapi.sys
- 2001-08-23 14:00 . 2011-01-18 19:15 436470 c:\windows\system32\perfh009.dat
+ 2001-08-23 14:00 . 2005-06-01 01:03 436470 c:\windows\system32\perfh009.dat
+ 2011-01-18 21:58 . 2011-01-18 21:58 2283008 c:\windows\Installer\9a4d7e.msi
+ 2011-01-18 22:24 . 2011-01-18 22:24 1094656 c:\windows\Installer\3a83a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 16248320]
"SkyTel"="SkyTel.EXE" [2006-08-16 2879488]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-08 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\Kenny\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-27 95232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-08-16 10:20 53248 ----a-w- c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 18:52 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 07:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-12 20:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-14 15:38 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-18 16:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-08 01:25 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/09/2005 21:21 294608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 02:56 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/09/2005 21:21 17744]
S2 aregse;Server Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 dolhnzdo;Security Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 gikvuyq;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 gupdate1ca4904a224d4a0;Google Update Service (gupdate1ca4904a224d4a0);c:\program files\Google\Update\GoogleUpdate.exe [09/10/2009 18:19 133104]
S2 jwnio;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 pmwnob;Network Config;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 pwvzvpvg;Boot Windows;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 qimskjxc;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 vylsgys;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 wskkii;Manager Windows;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 wsrer;Task Boot;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 yweabxh;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [28/02/2008 10:55 86656]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [28/02/2008 10:55 28928]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [20/05/2009 18:24 101120]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [27/10/2008 21:26 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vylsgys
pwvzvpvg
dolhnzdo
gikvuyq
wsrer
pmwnob
wskkii
yweabxh
qimskjxc
aregse
jwnio
.
Contents of the 'Scheduled Tasks' folder

2005-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-09 17:19]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-09 17:19]

2005-06-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-01-07 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: DOM Inspector: inspector@mozilla.org - %profile%\extensions\inspector@mozilla.org
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
SafeBoot-klmdb.sys
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2005-06-01 02:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2005-06-01 02:13:08
ComboFix-quarantined-files.txt 2005-06-01 01:13
ComboFix2.txt 2011-01-18 21:17
ComboFix3.txt 2011-01-05 23:06
ComboFix4.txt 2011-01-05 22:20

Pre-Run: 596,594,688 bytes free
Post-Run: 599,101,440 bytes free

- - End Of File - - 4580F50C818B07B006D3BCF4EE77B764

#4 kennydevon

kennydevon
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Local time:08:09 AM

Posted 21 January 2011 - 09:57 AM

hi again - just tested Google - redirect has gone - whoooopie - thanks

I look forward to your next post

kenny

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:09 PM

Posted 21 January 2011 - 09:49 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
vylsgys
pwvzvpvg
dolhnzdo
gikvuyq
wsrer
pmwnob
wskkii
yweabxh
qimskjxc
aregse
jwnio

Driver::
vylsgys
pwvzvpvg
dolhnzdo
gikvuyq
wsrer
pmwnob
wskkii
yweabxh
qimskjxc
aregse
jwnio

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
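The fix above was worked out by hand from two parts of the ComboFix log: the `S2` service entries that all point at `svchost.exe -k netsvcs` under generic display names, and the `Svchost - NetSvcs` group listing that those names were appended to. The script below, an added example that is not part of fenzodahl512's post or of ComboFix itself, turns that review into a repeatable check over the same log lines (copied from the thread as the constructed sample input) and emits a CFScript in the `KillAll::` / `NetSvc::` / `Driver::` form used in the post. The ComboFix line layout is inferred from this thread's log, and `KNOWN_NETSVCS` is an assumed, deliberately partial baseline of legitimate Windows XP netsvcs members: anything outside it is reported for analyst review rather than treated as proven malicious.

```python
import re

# Constructed sample input for this example: service lines and the
# "Svchost - NetSvcs" listing copied from the ComboFix log earlier in this
# thread (the log is the page's; the selection is this example's).
COMBOFIX_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/09/2005 21:21 294608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 02:56 14336]
S2 aregse;Server Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 dolhnzdo;Security Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 gikvuyq;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 gupdate1ca4904a224d4a0;Google Update Service (gupdate1ca4904a224d4a0);c:\program files\Google\Update\GoogleUpdate.exe [09/10/2009 18:19 133104]
S2 jwnio;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 pmwnob;Network Config;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 pwvzvpvg;Boot Windows;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 qimskjxc;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 vylsgys;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 wskkii;Manager Windows;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 wsrer;Task Boot;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]
S2 yweabxh;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 02:56 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vylsgys
pwvzvpvg
dolhnzdo
gikvuyq
wsrer
pmwnob
wskkii
yweabxh
qimskjxc
aregse
jwnio
.
"""

# Assumed, deliberately partial baseline of services that legitimately belong
# to the netsvcs group on Windows XP. An incomplete baseline only produces
# extra items for review, never a missed rogue entry.
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "hidserv", "lanmanserver", "lanmanworkstation",
    "netman", "nla", "rasauto", "rasman", "remoteaccess", "schedule",
    "seclogon", "sens", "sharedaccess", "shellhwdetection", "tapisrv",
    "themes", "trkwks", "w32time", "winmgmt", "wscsvc", "wuauserv", "wzcsvc",
    "xmlprov",
}

# ComboFix service line: "<start> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
NETSVCS_HOST_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\s*$", re.IGNORECASE)


def parse_services(log):
    """Map lower-cased service name -> (start type, display name, image path)."""
    services = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, image = m.groups()
            services[name.lower()] = (start, display, image)
    return services


def parse_netsvcs_group(log):
    """Return the names listed under the 'Svchost - NetSvcs' heading, which
    ComboFix ends with a lone '.' line."""
    names, in_block = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.lower().endswith("svchost - netsvcs"):
            in_block = True
            continue
        if in_block:
            if not s or s == ".":
                break
            names.append(s)
    return names


def find_rogue_netsvcs(log):
    """Group members outside the baseline that either run as
    'svchost.exe -k netsvcs' or have no service entry at all (an orphan
    group member is itself worth a look). Returned sorted for stable output."""
    services = parse_services(log)
    rogue = []
    for name in parse_netsvcs_group(log):
        if name.lower() in KNOWN_NETSVCS:
            continue
        entry = services.get(name.lower())
        if entry is None or NETSVCS_HOST_RE.search(entry[2]):
            rogue.append(name)
    return sorted(rogue, key=str.lower)


def build_cfscript(names):
    """Emit a CFScript in the directive form used in the post above: KillAll::,
    then the names under NetSvc:: and again under Driver::, one per line."""
    body = "\n".join(names)
    return f"KillAll::\n\nNetSvc::\n{body}\n\nDriver::\n{body}\n"


if __name__ == "__main__":
    flagged = find_rogue_netsvcs(COMBOFIX_LOG)
    details = parse_services(COMBOFIX_LOG)
    for n in flagged:
        print(f"review: {n} -> {details.get(n.lower())}")
    print(build_cfscript(flagged))
```

Run against the sample, the check flags exactly the eleven random-name services and leaves `Akamai` (hosted under its own `-k Akamai` group, not in the NetSvcs list) and the Google Update service (a real executable) alone. The two signals matter together: membership in the netsvcs group makes svchost load the service's DLL at boot, and a generic display name with a random short name is how these entries hide among legitimate ones, so the baseline comparison, not the name shape, is what decides.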


#6 kennydevon

kennydevon
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Local time:08:09 AM

Posted 22 January 2011 - 05:25 PM

Hi again

here is the latest Combofix log
followed by Hijackthis


ComboFix 11-01-20.03 - Kenny 22/01/2011 12:37:06.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.624 [GMT 0:00]
Running from: c:\documents and settings\Kenny\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kenny\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AREGSE
-------\Legacy_DOLHNZDO
-------\Legacy_GIKVUYQ
-------\Legacy_JWNIO
-------\Legacy_PMWNOB
-------\Legacy_PWVZVPVG
-------\Legacy_QIMSKJXC
-------\Legacy_VYLSGYS
-------\Legacy_WSKKII
-------\Legacy_WSRER
-------\Legacy_YWEABXH
-------\Service_aregse
-------\Service_dolhnzdo
-------\Service_gikvuyq
-------\Service_jwnio
-------\Service_pmwnob
-------\Service_pwvzvpvg
-------\Service_qimskjxc
-------\Service_vylsgys
-------\Service_wskkii
-------\Service_wsrer
-------\Service_yweabxh


((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-21 19:50 . 2011-01-21 19:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-21 19:02 . 2011-01-21 19:02 3584 ----a-r- c:\documents and settings\Kenny\Application Data\Microsoft\Installer\{121634B0-2F4A-11D3-ADA3-00C04F52DD53}\Icon386ED4E3.exe
2011-01-21 19:02 . 2011-01-21 19:02 -------- d-----w- c:\program files\Windows Installer Clean Up
2011-01-18 23:29 . 2011-01-18 23:29 -------- d-----w- c:\program files\ESET
2011-01-18 23:08 . 2011-01-18 23:08 -------- d-----w- c:\documents and settings\Kenny\Application Data\Malwarebytes
2011-01-18 23:08 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-18 23:08 . 2011-01-18 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-18 23:08 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 22:24 . 2011-01-18 22:24 388096 ----a-r- c:\documents and settings\Kenny\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-18 21:50 . 2011-01-18 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-01-17 21:24 . 2011-01-17 21:24 -------- d-----w- c:\documents and settings\Kenny\Application Data\etoys
2011-01-17 21:23 . 2010-06-07 07:01 57344 ----a-w- c:\program files\Mozilla Firefox\plugins\NPSqueak.dll
2011-01-09 22:28 . 2011-01-09 22:28 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-01-09 22:28 . 2011-01-09 22:28 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-01-07 14:49 . 2011-01-07 14:49 -------- d-----w- c:\windows\system32\KB905474
2011-01-06 20:01 . 2011-01-06 20:01 95360 ----a-w- c:\windows\system32\drivers\wzyvbrxi.sys
2011-01-06 20:00 . 2009-10-20 14:41 265728 -c----w- c:\windows\system32\dllcache\http.sys
2011-01-06 19:58 . 2011-01-12 17:59 -------- d-----w- c:\windows\system32\MpEngineStore
2011-01-06 18:10 . 2011-01-06 18:10 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\PCHealth
2011-01-06 15:07 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2011-01-06 15:05 . 2010-06-14 15:13 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-01-05 15:37 . 2011-01-18 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\a
2011-01-03 20:55 . 2011-01-03 20:55 -------- d-----w- c:\windows\speech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2005-09-17 20:20 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2005-09-17 20:21 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2005-09-17 20:21 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2005-09-17 20:21 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2005-09-17 20:21 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2005-09-17 20:21 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2005-09-17 20:21 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2005-09-17 20:21 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-31 20:06 . 2005-09-17 20:20 38848 ----a-w- c:\windows\avastSS.scr
2008-07-21 16:49 . 2008-07-21 16:49 44360 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-07-21 16:49 . 2008-07-21 16:49 107928 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 16248320]
"SkyTel"="SkyTel.EXE" [2006-08-16 2879488]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-08 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\Kenny\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-08-16 10:20 53248 ----a-w- c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 18:52 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 07:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-12 20:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-14 15:38 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-18 16:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-08 01:25 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/09/2005 20:21 294608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 01:56 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/09/2005 20:21 17744]
S2 gupdate1ca4904a224d4a0;Google Update Service (gupdate1ca4904a224d4a0);c:\program files\Google\Update\GoogleUpdate.exe [09/10/2009 17:19 133104]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [28/02/2008 09:55 86656]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [28/02/2008 09:55 28928]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [20/05/2009 17:24 101120]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [27/10/2008 20:26 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-09 17:19]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-09 17:19]

2011-01-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-01-07 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: DOM Inspector: inspector@mozilla.org - %profile%\extensions\inspector@mozilla.org
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-22 19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_asw_aisI.tm~a02412
c:\windows\TEMP\_asw_aisI.tm~a02412\nmp.map 26583 bytes
c:\windows\TEMP\_asw_aisI.tm~a02412\onefile 796 bytes
c:\windows\TEMP\_asw_aisI.tm~a02412\setup.lok 0 bytes
c:\windows\TEMP\_asw_aisI.tm~a02412\sig.bin 226107 bytes

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Kenny\LOCALS~1\Temp\RtkBtMnt.exe



c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE
.
**************************************************************************
.
Completion time: 2011-01-22 19:32:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-22 19:32
ComboFix2.txt 2005-06-01 01:13
ComboFix3.txt 2011-01-18 21:17
ComboFix4.txt 2011-01-05 23:06
ComboFix5.txt 2011-01-22 12:34

Pre-Run: 222,314,496 bytes free
Post-Run: 514,572,288 bytes free

- - End Of File - - AC81A22E04F403146A39A37B85EB0B41


============================================================================================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:02:18, on 22/01/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21256)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\Kenny\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=104795&clcid=0x409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB003" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.170,93.188.166.58
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca4904a224d4a0) (gupdate1ca4904a224d4a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6771 bytes

#7 fenzodahl512

Posted 22 January 2011 - 08:13 PM

OK, update and run a full scan with Malwarebytes'.. Remove everything that it finds..
How's the computer now? :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 kennydevon

Posted 23 January 2011 - 06:44 PM

Hi, here's the MBAM log.

Computer is free of redirects and seems faster than before.

Always seems to be one piece of malware remaining!! - hopefully that's it.

Are we done?

Kenny

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5581

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

23/01/2011 23:41:05
mbam-log-2011-01-23 (23-41-05).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 284584
Time elapsed: 1 hour(s), 15 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 fenzodahl512

Posted 23 January 2011 - 11:13 PM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#10 kennydevon

Posted 24 January 2011 - 06:04 AM

Hi fenzodahl,

The re-direct is gone.

The computer seems to be running faster.

I'll read all those articles now and try to avoid getting infected again.

THANK YOU very much for your time and trouble.

Kenny

#11 fenzodahl512

Posted 24 January 2011 - 12:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
