
Redirect virus - Going on Earth


  • This topic is locked
28 replies to this topic

#1 pikmin

pikmin

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 01 May 2011 - 06:04 PM

Hi. I need help with removing a redirecting virus that keeps redirecting me to a web page called goingoneath.com. I tried running TDSSKiller after renaming it but it will not open. I also ran Malwarebytes AntiMalware but it is not detecting viruses. Thanks in advance!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by david at 18:58:30.32 on 01/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.260 [GMT -4:00]
.
AV: Live PC Care *Enabled/Updated* {5F8ABA41-281C-4E39-8DD2-6CF8C01CC965}
FW: Live PC Care *Enabled*
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\PSIA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\sua.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\david\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1B598006-49BB-48AF-B638-062B54927D02} - No File
BHO: {46D8185D-BA05-4100-8161-788613DE8FC2} - No File
BHO: {5AC255BE-B15A-41CC-9C07-56377D64FB4A} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6C1AE883-3A9C-4F3E-B9B0-328649DAA21E} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {8A25D15B-16BB-4D42-9EE0-EF38D4D41518} - No File
BHO: {8AF06CDE-7D73-4EE3-B46D-88CD72000CFB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {96DC4D46-815A-4E7D-B51D-E87FB35B3EC9} - No File
BHO: {9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB} - No File
BHO: {9DC1A021-465F-4E35-914D-9F48D15FE61F} - No File
BHO: {AAFD5369-31D1-43AA-811F-B3817BE24FA5} - No File
BHO: {C9C557EF-E3D7-4D19-9353-63E1B6BDF84B} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {dc038be6-df19-4945-bc65-858f3f393bce} - No File
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F63472A5-F2CF-4652-868D-380B8E33AB5B} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189215636687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: urqPhecD - urqPhecD.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\ksgtfrfs.default\
FF - prefs.js: browser.search.selectedEngine - Informative Google Search
FF - prefs.js: browser.startup.homepage - hxxp://search.swagbucks.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\ksgtfrfs.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-26 54752]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\documents and settings\dad_2\my documents\downloads\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\documents and settings\dad_2\my documents\downloads\psi\sua.exe [2011-1-10 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Normandy;Normandy SR2; [x]
S3 vim;vim;c:\windows\system32\drivers\vim.sys [2008-11-15 5248]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-04-17 16:50:20 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Secunia PSI
2011-04-17 16:34:19 -------- d-----w- c:\docume~1\david\applic~1\HpUpdate
2011-04-17 05:04:34 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\sprio600O.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\ipxpromn9.dll
.
==================== Find3M ====================
.
2011-03-05 17:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 18:59:03.76 ===============

I have now been able to open TDSSKiller, but the program cannot find any viruses. I am still being redirected from Google to a website called goingonearth.com. Here are my updated logs.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by david at 23:11:15.28 on 03/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.225 [GMT -4:00]
.
AV: Live PC Care *Enabled/Updated* {5F8ABA41-281C-4E39-8DD2-6CF8C01CC965}
FW: Live PC Care *Enabled*
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\PSIA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\sua.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\david\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1B598006-49BB-48AF-B638-062B54927D02} - No File
BHO: {46D8185D-BA05-4100-8161-788613DE8FC2} - No File
BHO: {5AC255BE-B15A-41CC-9C07-56377D64FB4A} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6C1AE883-3A9C-4F3E-B9B0-328649DAA21E} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {8A25D15B-16BB-4D42-9EE0-EF38D4D41518} - No File
BHO: {8AF06CDE-7D73-4EE3-B46D-88CD72000CFB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {96DC4D46-815A-4E7D-B51D-E87FB35B3EC9} - No File
BHO: {9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB} - No File
BHO: {9DC1A021-465F-4E35-914D-9F48D15FE61F} - No File
BHO: {AAFD5369-31D1-43AA-811F-B3817BE24FA5} - No File
BHO: {C9C557EF-E3D7-4D19-9353-63E1B6BDF84B} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {dc038be6-df19-4945-bc65-858f3f393bce} - No File
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F63472A5-F2CF-4652-868D-380B8E33AB5B} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189215636687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: urqPhecD - urqPhecD.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\ksgtfrfs.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.swagbucks.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\ksgtfrfs.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-26 54752]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\documents and settings\dad_2\my documents\downloads\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\documents and settings\dad_2\my documents\downloads\psi\sua.exe [2011-1-10 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Normandy;Normandy SR2; [x]
S3 vim;vim;c:\windows\system32\drivers\vim.sys [2008-11-15 5248]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-04-17 16:50:20 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Secunia PSI
2011-04-17 16:34:19 -------- d-----w- c:\docume~1\david\applic~1\HpUpdate
2011-04-17 05:04:34 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\sprio600O.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\ipxpromn9.dll
.
==================== Find3M ====================
.
2011-03-05 17:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 23:11:50.56 ===============

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 04 May 2011 - 01:26 AM.
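As an added triage example (not part of this thread, and not code from DDS or its author): a small Python script that reads DDS-style report lines such as the ones posted above and surfaces the entries a helper would normally look at first. The allowlist of Winlogon notification DLLs and the list of core binaries are illustrative assumptions made for this example, and the sample input is copied from the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


# Illustrative allowlist (an assumption of this example, not a DDS feature):
# Winlogon notification packages that commonly appear on a clean Windows XP
# install. Any other Notify: DLL is surfaced for a human to look at.
KNOWN_NOTIFY_DLLS = {
    "igfxdev.dll", "scecli.dll", "wlnotify.dll", "crypt32chain.dll",
    "cryptnet.dll", "sclgntfy.dll", "schedule.dll", "sens.dll", "termsrv.dll",
}

# Core Windows binaries for which an Image File Execution Options entry
# deserves attention, since IFEO can redirect their launch to another program.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe",
                 "userinit.exe", "lsass.exe"}

# "Created Last 30" / "Find3M" entry: date time size attrs path
FILE_ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) +"
    r"(?P<size>\d+|-+) +(?P<attrs>[-a-z]{8}) +(?P<path>.+)$",
    re.IGNORECASE,
)


def triage_dds(text: str) -> list[Finding]:
    """Scan DDS-style lines and return entries worth a helper's attention."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Notify:"):
            # Format: "Notify: <name> - <dll>"
            dll = line.split(" - ", 1)[-1].strip().lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(
                    "high", "Winlogon notification DLL not in allowlist", line))
        elif line.startswith("IFEO:"):
            # Format: "IFEO: image file execution options - <binary>"
            target = line.rsplit(" - ", 1)[-1].strip().lower()
            if target in CORE_BINARIES:
                findings.append(Finding(
                    "high", f"IFEO entry registered for {target}", line))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            # Registered browser helper whose DLL is gone: leftover, low urgency
            findings.append(Finding(
                "low", "orphaned BHO registration (No File)", line))
        else:
            m = FILE_ENTRY_RE.match(line)
            if m:
                attrs = m.group("attrs").lower()
                path = m.group("path").lower()
                # Hidden + system attributes on a recently written file in
                # system32 is not how legitimate installers normally behave.
                if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in path:
                    findings.append(Finding(
                        "medium", "hidden+system file under system32", line))
    return findings


def severity_counts(text: str) -> dict[str, int]:
    """Summarise triage output as {severity: count} for a quick glance."""
    counts: dict[str, int] = {}
    for f in triage_dds(text):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample input: lines copied from the DDS log posted above, mixed with
# ordinary entries so the filter has something to leave alone.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No File
Notify: igfxcui - igfxdev.dll
Notify: urqPhecD - urqPhecD.dll
IFEO: image file execution options - svchost.exe
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\sprio600O.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\ipxpromn9.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-17 16:50:20 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Secunia PSI
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run it on a full DDS log by reading the file into `triage_dds`; the script only ranks entries for review, it does not decide what to remove, which is still the helper's call after GMER and the other requested logs are in.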




#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:53 PM

Posted 09 May 2011 - 02:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 09 May 2011 - 08:01 PM

Hello, here is my second update.
I am still currently experiencing problems with a Google redirecting virus that has the web address: http://www.adopteesearchcenter.org/ every time I try to open a Google link. Thank you again for your support.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by david at 20:32:16.06 on 09/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.447 [GMT -4:00]
.
AV: Live PC Care *Enabled/Updated* {5F8ABA41-281C-4E39-8DD2-6CF8C01CC965}
FW: Live PC Care *Enabled*
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\PSIA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\sua.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Documents and Settings\david\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1B598006-49BB-48AF-B638-062B54927D02} - No File
BHO: {46D8185D-BA05-4100-8161-788613DE8FC2} - No File
BHO: {5AC255BE-B15A-41CC-9C07-56377D64FB4A} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6C1AE883-3A9C-4F3E-B9B0-328649DAA21E} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {8A25D15B-16BB-4D42-9EE0-EF38D4D41518} - No File
BHO: {8AF06CDE-7D73-4EE3-B46D-88CD72000CFB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {96DC4D46-815A-4E7D-B51D-E87FB35B3EC9} - No File
BHO: {9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB} - No File
BHO: {9DC1A021-465F-4E35-914D-9F48D15FE61F} - No File
BHO: {AAFD5369-31D1-43AA-811F-B3817BE24FA5} - No File
BHO: {C9C557EF-E3D7-4D19-9353-63E1B6BDF84B} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {dc038be6-df19-4945-bc65-858f3f393bce} - No File
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F63472A5-F2CF-4652-868D-380B8E33AB5B} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189215636687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: urqPhecD - urqPhecD.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\ksgtfrfs.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.swagbucks.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\ksgtfrfs.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-26 54752]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\documents and settings\dad_2\my documents\downloads\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\documents and settings\dad_2\my documents\downloads\psi\sua.exe [2011-1-10 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Normandy;Normandy SR2; [x]
S3 vim;vim;c:\windows\system32\drivers\vim.sys [2008-11-15 5248]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-05-08 18:53:14 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-08 18:53:14 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-08 18:52:50 -------- d-----w- c:\program files\Bonjour
2011-05-06 02:05:16 -------- d--h--w- c:\windows\PIF
2011-04-17 16:50:20 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Secunia PSI
2011-04-17 16:34:19 -------- d-----w- c:\docume~1\david\applic~1\HpUpdate
2011-04-17 05:04:34 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\sprio600O.dll
2011-04-07 00:24:17 90112 --sha-r- c:\windows\system32\ipxpromn9.dll
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-05 17:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 20:32:46.43 ===============

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:53 AM

Posted 10 May 2011 - 04:26 PM

Hi pikmin,

Apologies for the delay. I will be assisting you.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    c:\windows\system32\drivers\vim.sys

    If the file has been analysed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.
  • Please download TDSSKiller.zip and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
    • Let it reboot if needed and tell me whether the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.
  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open; copy and paste OTL.txt and attach Extra.txt to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
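
Before the logs come back, it helps to know what a helper like Farbar is looking for in DDS and OTL output. The script below is an added example for this thread, not code from the thread, from Farbar, or from the DDS or OTL tools: it parses sample lines constructed in the line formats those tools emit (a Winlogon Notify entry whose DLL is missing, an Image File Execution Options entry for svchost.exe, a missing hosts file, and hidden+system files with no company name under System32 or Tasks) and ranks them. The KNOWN_NOTIFY allowlist, the SYSTEM_PROCESSES set and the severity rules are illustrative assumptions, so treat the output as a list of things to check rather than a verdict; a flagged file still goes to VirusTotal, exactly as the post above asks.

```python
"""Triage of DDS/OTL-style log lines for common persistence indicators.

Added example for this thread; not code from the thread, from Farbar, or
from the DDS/OTL tools. SAMPLE_LOG is constructed in the line formats those
tools emit. KNOWN_NOTIFY, SYSTEM_PROCESSES and the severity rules are
illustrative assumptions, not a vendor baseline.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Winlogon Notify packages expected on a Windows XP box (assumed baseline for
# this example; build your own from a known-clean machine before relying on it).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
    "igfxcui",   # Intel graphics driver helper
    "WgaLogon",  # Windows Genuine Advantage Notifications; often left orphaned
}
# An IFEO "Debugger" entry on one of these is treated as high severity.
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe"}

# OTL file line: [date time | size | attrs | C/M] (company) -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| [CM]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# OTL O20 Winlogon\Notify line
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - (?P<dll>\S+) - (?P<status>.+)$"
)
# DDS IFEO line
IFEO_RE = re.compile(r"^IFEO: image file execution options - (?P<exe>\S+)$")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()

    if line == "Hosts file not found":
        return Finding("medium", "hosts file absent; redirect malware commonly tampers with it", line)

    m = IFEO_RE.match(line)
    if m:
        exe = m.group("exe").lower()
        sev = "high" if exe in SYSTEM_PROCESSES else "medium"
        return Finding(sev, f"Image File Execution Options entry for {exe}", line)

    m = NOTIFY_RE.match(line)
    if m:
        name = m.group("name")
        missing = m.group("status").lower().startswith("file not found")
        if name in KNOWN_NOTIFY:
            return None
        if missing:
            return Finding("high", f"unknown Winlogon Notify package {name!r} whose DLL is gone", line)
        return Finding("medium", f"unknown Winlogon Notify package {name!r}", line)

    m = OTL_FILE_RE.match(line)
    if m:
        attr, path, company = m.group("attr"), m.group("path"), m.group("company")
        hidden_and_system = "H" in attr and "S" in attr
        low = path.lower()
        sensitive = "\\system32\\" in low or "\\tasks\\" in low
        if hidden_and_system and sensitive and not company:
            return Finding("high", "hidden+system file with no company name in a system location", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log; findings keep log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample in the formats used by the DDS and OTL logs in this thread.
SAMPLE_LOG = [
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - Winlogon\Notify\urqPhecD: DllName - urqPhecD.dll - File not found",
    r"O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found",
    r"IFEO: image file execution options - svchost.exe",
    r"Hosts file not found",
    r"[2011/05/15 17:47:49 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Juqvwqah.job",
    r"[2011/05/15 17:47:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat",
    r"[2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\sprio600O.dll",
    r"[2011/05/08 14:53:14 | 004,184,352 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample, five lines are flagged and four are left alone: the Shell line is a normal explorer.exe entry, WgaLogon is on the allowlist, bootstat.dat is system-only rather than hidden+system, and usbaaplrc.dll carries a company name. The point of the allowlist is to keep orphaned but harmless entries out of the list, so that what remains is worth a hash lookup.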


#5 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • Local time:08:53 PM

Posted 15 May 2011 - 05:21 PM

Hello Farbar!
I have a problem with TDSSKiller. After it had finished scanning my computer it showed that the system scan was completed and that there were no infections found. It did not show a list of detected objects, so I could not post the contents in this reply, sorry. I was able to retrieve the OTL files though.
OTL logfile created on: 15/05/2011 5:57:55 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\david\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 441.00 Mb Available Physical Memory | 43.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.34 Gb Total Space | 4.15 Gb Free Space | 13.69% Space Free | Partition Type: NTFS
Drive D: | 29.29 Gb Total Space | 28.11 Gb Free Space | 95.97% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 29.22 Gb Free Space | 99.74% Space Free | Partition Type: NTFS
Drive F: | 39.07 Gb Total Space | 13.24 Gb Free Space | 33.89% Space Free | Partition Type: NTFS
Drive I: | 3.62 Gb Total Space | 0.31 Gb Free Space | 8.46% Space Free | Partition Type: FAT32

Computer Name: HUYNH-2FYIRNRU8 | User Name: david | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/15 17:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\david\My Documents\Downloads\OTL.exe
PRC - [2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\david\My Documents\Downloads\tdsskiller(1)\TDSSKiller.exe
PRC - [2011/05/01 15:56:35 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/10 10:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\PSIA.exe
PRC - [2011/01/10 10:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\sua.exe
PRC - [2009/05/15 08:35:52 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/14 22:46:00 | 000,131,072 | ---- | M] (Brio) -- C:\Program Files\FolderSize\FolderSizeSvc.exe
PRC - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2011/05/15 17:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\david\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/10 10:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/01/10 10:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Documents and Settings\Dad_2\My Documents\Downloads\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2009/05/15 08:35:52 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2007/11/14 22:46:00 | 000,131,072 | ---- | M] (Brio) [Auto | Running] -- C:\Program Files\FolderSize\FolderSizeSvc.exe -- (FolderSize)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/09/01 04:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008/11/15 13:39:31 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vim.sys -- (vim)
DRV - [2008/04/13 14:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/11/21 01:48:20 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2005/04/01 08:25:00 | 000,230,272 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/03/01 16:01:40 | 000,392,704 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/14 16:55:44 | 000,088,960 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.swagbucks.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}:3.2.5.2
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {ea848344-1e6a-43e9-9cf8-301358888a43}:0.1.6
FF - prefs.js..keyword.URL: "chrome://browser-region/locale/region.properties"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 15:56:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/26 22:13:29 | 000,000,000 | ---D | M]

[2009/03/09 22:42:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\david\Application Data\Mozilla\Extensions
[2009/03/09 22:42:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\david\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/05/15 17:49:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions
[2009/02/11 18:29:14 | 000,000,000 | ---D | M] (Foxkeh Theme) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{57407AE0-868F-11DC-AD21-49A755D89593}
[2011/05/15 17:49:12 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2008/08/29 14:18:45 | 000,000,000 | ---D | M] (JetFox Aqua) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{bdf8fec0-4c8b-11dd-ae16-0800200c9a66}
[2010/12/31 22:56:33 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/06/19 14:43:32 | 000,000,000 | ---D | M] (Purity) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{ea848344-1e6a-43e9-9cf8-301358888a43}
[2011/05/14 22:11:52 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\engine@conduit.com
[2009/02/11 18:26:13 | 000,000,000 | ---D | M] (G-Fox Theme) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\G-Fox@mozillaonline.com
[2011/03/27 14:20:42 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\personas@christopher.beard
[2010/06/19 14:43:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\extensions\{ea848344-1e6a-43e9-9cf8-301358888a43}\chrome\mozapps\extensions
[2011/04/20 18:33:49 | 000,000,914 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\searchplugins\dictionarycom.xml
[2011/04/25 10:48:34 | 000,002,572 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\searchplugins\informative-google-search.xml
[2010/06/05 23:39:13 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\searchplugins\thesauruscom.xml
[2011/04/17 00:32:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/02 22:54:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/17 00:32:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\DAVID\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\KSGTFRFS.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2008/12/04 19:29:40 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/01 15:56:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/06/06 20:14:20 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

Hosts file not found
O2 - BHO: (no name) - {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No CLSID value found.
O2 - BHO: (no name) - {1B598006-49BB-48AF-B638-062B54927D02} - No CLSID value found.
O2 - BHO: (no name) - {46D8185D-BA05-4100-8161-788613DE8FC2} - No CLSID value found.
O2 - BHO: (no name) - {5AC255BE-B15A-41CC-9C07-56377D64FB4A} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {6C1AE883-3A9C-4F3E-B9B0-328649DAA21E} - No CLSID value found.
O2 - BHO: (no name) - {8A25D15B-16BB-4D42-9EE0-EF38D4D41518} - No CLSID value found.
O2 - BHO: (no name) - {8AF06CDE-7D73-4EE3-B46D-88CD72000CFB} - No CLSID value found.
O2 - BHO: (no name) - {96DC4D46-815A-4E7D-B51D-E87FB35B3EC9} - No CLSID value found.
O2 - BHO: (no name) - {9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB} - No CLSID value found.
O2 - BHO: (no name) - {9DC1A021-465F-4E35-914D-9F48D15FE61F} - No CLSID value found.
O2 - BHO: (no name) - {AAFD5369-31D1-43AA-811F-B3817BE24FA5} - No CLSID value found.
O2 - BHO: (no name) - {C9C557EF-E3D7-4D19-9353-63E1B6BDF84B} - No CLSID value found.
O2 - BHO: (no name) - {dc038be6-df19-4945-bc65-858f3f393bce} - No CLSID value found.
O2 - BHO: (no name) - {F63472A5-F2CF-4652-868D-380B8E33AB5B} - No CLSID value found.
O3 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - Startup: C:\Documents and Settings\Dad_2\Start Menu\Programs\Startup\LimeWire On Startup.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189215636687 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\urqPhecD: DllName - urqPhecD.dll - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/25 19:45:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{065e0c34-b342-11dc-8761-0017ee75cc68}\Shell - "" = AutoRun
O33 - MountPoints2\{065e0c34-b342-11dc-8761-0017ee75cc68}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{065e0c34-b342-11dc-8761-0017ee75cc68}\Shell\AutoRun\command - "" = H:\LaunchU3.exe
O33 - MountPoints2\{073d4d97-5ba5-11df-81e4-0018f30abed9}\Shell - "" = AutoRun
O33 - MountPoints2\{073d4d97-5ba5-11df-81e4-0018f30abed9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{073d4d97-5ba5-11df-81e4-0018f30abed9}\Shell\AutoRun\command - "" = H:\AutoRun.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/08 17:14:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/05/08 14:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/05/08 14:53:14 | 004,184,352 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2011/05/08 14:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/05/05 22:05:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/05/03 23:11:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\david\Desktop\Bleeping Computer
[2011/05/02 22:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/04/27 22:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\david\Desktop\Keys
[2011/04/27 21:51:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/17 12:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\david\Local Settings\Application Data\Secunia PSI
[2011/04/17 12:49:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/17 12:34:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\david\Application Data\HpUpdate
[2011/04/17 01:04:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Hewlett-Packard
[2011/04/17 00:33:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/17 00:32:29 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/17 00:32:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/17 00:32:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/17 00:09:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/04/16 23:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\david\My Documents\*.tmp files -> C:\Documents and Settings\david\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/15 18:00:00 | 000,000,268 | -H-- | M] () -- C:\WINDOWS\tasks\A9CB56979184CD9F.job
[2011/05/15 17:47:49 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Juqvwqah.job
[2011/05/15 17:47:47 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\IAWJUWDG.job
[2011/05/15 17:47:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/14 21:00:30 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/10 01:55:43 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/05/08 14:57:01 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/05 21:36:41 | 000,001,830 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to System Tools.lnk
[2011/05/03 23:00:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\david\defogger_reenable
[2011/04/29 00:06:50 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\david\Desktop\Microsoft Publisher 2003.lnk
[2011/04/27 23:27:09 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/04/27 22:46:12 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\david\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/17 00:25:14 | 000,442,316 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/17 00:25:14 | 000,072,222 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\david\My Documents\*.tmp files -> C:\Documents and Settings\david\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/08 14:57:01 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/03 23:00:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\david\defogger_reenable
[2011/04/27 22:46:12 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\david\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/17 12:50:44 | 000,002,311 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/04/17 00:11:33 | 000,000,970 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
[2011/04/06 21:04:18 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19849012r
[2011/04/06 21:04:18 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19849012
[2011/04/06 21:04:13 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\19849012
[2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\sprio600O.dll
[2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\ipxpromn9.dll
[2011/04/06 20:07:44 | 000,016,448 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/03/27 18:52:30 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/03/27 18:52:30 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/03/27 18:52:05 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18472756
[2010/09/26 10:28:44 | 000,041,516 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/07 17:03:27 | 000,000,004 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
[2010/03/04 21:05:08 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/04 20:34:05 | 000,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/07/01 01:01:17 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2009/05/20 23:50:28 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/06 18:36:07 | 000,000,621 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2008/11/15 13:25:40 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\vim.sys
[2008/07/26 20:11:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\impborl.dll
[2008/07/24 12:46:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/07/20 16:49:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/07 20:18:28 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\david\Local Settings\Application Data\fusioncache.dat
[2008/05/04 13:52:22 | 000,124,401 | ---- | C] () -- C:\WINDOWS\HPHins12.dat
[2008/05/04 13:52:22 | 000,014,916 | ---- | C] () -- C:\WINDOWS\hphmdl12.dat
[2008/05/04 13:48:27 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/04/13 02:56:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008/04/13 02:56:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008/04/13 02:56:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008/04/13 02:56:36 | 000,049,152 | ---- | C] () -- C:\WINDOWS\VFind.exe
[2008/04/09 07:21:00 | 000,000,534 | -HS- | C] () -- C:\WINDOWS\System32\kjoibtwk.ini
[2008/04/07 07:33:01 | 000,000,414 | -HS- | C] () -- C:\WINDOWS\System32\dyxogtpr.ini
[2008/04/05 23:55:00 | 000,000,654 | -HS- | C] () -- C:\WINDOWS\System32\putrcssh.ini
[2008/04/05 03:27:03 | 000,000,474 | -HS- | C] () -- C:\WINDOWS\System32\xyiombul.ini
[2008/04/04 09:57:54 | 000,000,354 | -HS- | C] () -- C:\WINDOWS\System32\gfpirlic.ini
[2008/04/04 06:49:37 | 000,000,294 | -HS- | C] () -- C:\WINDOWS\System32\mmhlsqji.ini
[2008/03/24 01:58:49 | 000,000,220 | -HS- | C] () -- C:\WINDOWS\System32\ss.drv
[2008/03/24 01:58:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WB3USER.INI
[2008/01/05 15:02:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/05/06 20:45:42 | 000,001,136 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/05/05 14:01:45 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/05/05 13:32:48 | 000,187,392 | ---- | C] () -- C:\Documents and Settings\david\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/25 21:57:11 | 000,001,762 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/04/25 21:13:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/04/25 19:50:29 | 000,011,001 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/04/25 19:50:26 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/04/25 19:46:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/04/25 19:42:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/04/25 15:35:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/04/25 15:34:30 | 000,215,264 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,442,316 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,072,222 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

Edited by pikmin, 15 May 2011 - 05:25 PM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:53 AM

Posted 16 May 2011 - 01:01 AM

Could you please post the result of the first step?

In addition do the same for this file:

C:\WINDOWS\System32\ss.drv

Edited by farbar, 16 May 2011 - 01:21 AM.


#7 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 16 May 2011 - 07:41 PM

Sorry I forgot to post this:

For C:\WINDOWS\System32\ss.drv :

Antivirus Version Last Update Result
AhnLab-V3 2011.05.17.00 2011.05.16 -
AntiVir 7.11.8.37 2011.05.16 -
Antiy-AVL 2.0.3.7 2011.05.17 -
Avast 4.8.1351.0 2011.05.16 -
Avast5 5.0.677.0 2011.05.16 -
AVG 10.0.0.1190 2011.05.16 -
BitDefender 7.2 2011.05.17 -
CAT-QuickHeal 11.00 2011.05.16 -
ClamAV 0.97.0.0 2011.05.17 -
Commtouch 5.3.2.6 2011.05.16 -
Comodo 8727 2011.05.17 -
DrWeb 5.0.2.03300 2011.05.17 -
Emsisoft 5.1.0.5 2011.05.16 -
eSafe 7.0.17.0 2011.05.15 -
eTrust-Vet 36.1.8330 2011.05.16 -
F-Prot 4.6.2.117 2011.05.16 -
F-Secure 9.0.16440.0 2011.05.17 -
Fortinet 4.2.257.0 2011.05.17 -
GData 22 2011.05.17 -
Ikarus T3.1.1.103.0 2011.05.17 -
Jiangmin 13.0.900 2011.05.16 -
K7AntiVirus 9.103.4648 2011.05.14 -
Kaspersky 9.0.0.837 2011.05.16 -
McAfee 5.400.0.1158 2011.05.17 -
McAfee-GW-Edition 2010.1D 2011.05.16 -
Microsoft 1.6802 2011.05.16 -
NOD32 6127 2011.05.17 -
Norman 6.07.07 2011.05.15 -
nProtect 2011-05-16.01 2011.05.16 -
Panda 10.0.3.5 2011.05.16 -
Prevx 3.0 2011.05.17 -
Rising 23.58.00.06 2011.05.16 -
Sophos 4.65.0 2011.05.17 -
SUPERAntiSpyware 4.40.0.1006 2011.05.17 -
Symantec 20101.3.2.89 2011.05.17 -
TheHacker 6.7.0.1.198 2011.05.16 -
TrendMicro 9.200.0.1012 2011.05.16 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.17 -
VBA32 3.12.16.0 2011.05.12 -
VIPRE 9301 2011.05.17 -
ViRobot 2011.5.16.4461 2011.05.16 -
VirusBuster 13.6.357.0 2011.05.16 -
Additional information
MD5 : 025aca15680c4b4c5db4da87293d6107
SHA1 : e99ba7b2183a0ab91a45eb8e27b1afa016e5b409
SHA256: 81e633bbb8b93c0644d2cf74fe1ce9cc2dbcb89c5cb3ba522d331ea3f3c8a2e2


For c:\windows\system32\drivers\vim.sys:

Antivirus Version Last Update Result
AhnLab-V3 2011.05.17.00 2011.05.16 -
AntiVir 7.11.8.37 2011.05.16 -
Antiy-AVL 2.0.3.7 2011.05.17 -
Avast 4.8.1351.0 2011.05.16 -
Avast5 5.0.677.0 2011.05.16 -
AVG 10.0.0.1190 2011.05.16 -
BitDefender 7.2 2011.05.17 -
CAT-QuickHeal 11.00 2011.05.16 -
ClamAV 0.97.0.0 2011.05.17 -
Commtouch 5.3.2.6 2011.05.16 -
Comodo 8727 2011.05.17 -
DrWeb 5.0.2.03300 2011.05.17 -
Emsisoft 5.1.0.5 2011.05.16 -
eSafe 7.0.17.0 2011.05.15 -
eTrust-Vet 36.1.8330 2011.05.16 -
F-Prot 4.6.2.117 2011.05.16 -
F-Secure 9.0.16440.0 2011.05.17 -
Fortinet 4.2.257.0 2011.05.17 -
GData 22 2011.05.17 -
Ikarus T3.1.1.103.0 2011.05.17 -
Jiangmin 13.0.900 2011.05.16 -
K7AntiVirus 9.103.4648 2011.05.14 -
Kaspersky 9.0.0.837 2011.05.16 -
McAfee 5.400.0.1158 2011.05.17 -
McAfee-GW-Edition 2010.1D 2011.05.16 -
Microsoft 1.6802 2011.05.16 -
NOD32 6127 2011.05.17 -
Norman 6.07.07 2011.05.15 -
nProtect 2011-05-16.01 2011.05.16 -
Panda 10.0.3.5 2011.05.16 -
PCTools 7.0.3.5 2011.05.17 -
Prevx 3.0 2011.05.17 -
Rising 23.58.00.06 2011.05.16 -
Sophos 4.65.0 2011.05.17 -
SUPERAntiSpyware 4.40.0.1006 2011.05.17 -
Symantec 20101.3.2.89 2011.05.17 -
TheHacker 6.7.0.1.198 2011.05.16 -
TrendMicro 9.200.0.1012 2011.05.16 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.17 -
VBA32 3.12.16.0 2011.05.12 -
VIPRE 9301 2011.05.17 -
ViRobot 2011.5.16.4461 2011.05.16 -
VirusBuster 13.6.357.0 2011.05.16 -
Additional information
MD5 : 77ebf3e9386daa51551af429052d88d0
SHA1 : bd4f3e24f531e974fbaac43381120b42e804fbaf
SHA256: 94c3294bb9e14b07448734ae65b37801d3ff15bec987d182a929a017fef7b276

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:53 AM

Posted 17 May 2011 - 02:50 AM

No worries about forgetting.

Please tell me if this is or has been a company computer. I see some restrictions set.

You might have difficulty rerunning the tools or finding the log they make if you use Firefox. To overcome that please do the following:
Run Firefox.
Under Tools menu select Options.
Under the General tab, in the Downloads section, check the following options:
Show the Downloads window when downloading a file.
Always ask me where to save files.


So if you download a tool you can save it to your desktop instead of the default downloads folder.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :otl
      DRV - [2008/11/15 13:39:31 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vim.sys -- (vim)
      [2011/05/15 18:00:00 | 000,000,268 | -H-- | M] () -- C:\WINDOWS\tasks\A9CB56979184CD9F.job
      [2011/05/15 17:47:49 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Juqvwqah.job
      [2011/05/15 17:47:47 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\IAWJUWDG.job
      [2011/05/15 17:47:47 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\system32\urqPhecD.dll
      [2008/04/09 07:21:00 | 000,000,534 | -HS- | C] () -- C:\WINDOWS\System32\kjoibtwk.ini
      [2008/04/07 07:33:01 | 000,000,414 | -HS- | C] () -- C:\WINDOWS\System32\dyxogtpr.ini
      [2008/04/05 23:55:00 | 000,000,654 | -HS- | C] () -- C:\WINDOWS\System32\putrcssh.ini
      [2008/04/05 03:27:03 | 000,000,474 | -HS- | C] () -- C:\WINDOWS\System32\xyiombul.ini
      [2008/04/04 09:57:54 | 000,000,354 | -HS- | C] () -- C:\WINDOWS\System32\gfpirlic.ini
      [2008/04/04 06:49:37 | 000,000,294 | -HS- | C] () -- C:\WINDOWS\System32\mmhlsqji.ini
      [2008/03/24 01:58:49 | 000,000,220 | -HS- | C] () -- C:\WINDOWS\System32\ss.drv
      O2 - BHO: (no name) - {18BC7C93-E6D3-4999-AD25-A6844FD6A524} - No CLSID value found.
      O2 - BHO: (no name) - {1B598006-49BB-48AF-B638-062B54927D02} - No CLSID value found.
      O2 - BHO: (no name) - {46D8185D-BA05-4100-8161-788613DE8FC2} - No CLSID value found.
      O2 - BHO: (no name) - {5AC255BE-B15A-41CC-9C07-56377D64FB4A} - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (no name) - {6C1AE883-3A9C-4F3E-B9B0-328649DAA21E} - No CLSID value found.
      O2 - BHO: (no name) - {8A25D15B-16BB-4D42-9EE0-EF38D4D41518} - No CLSID value found.
      O2 - BHO: (no name) - {8AF06CDE-7D73-4EE3-B46D-88CD72000CFB} - No CLSID value found.
      O2 - BHO: (no name) - {96DC4D46-815A-4E7D-B51D-E87FB35B3EC9} - No CLSID value found.
      O2 - BHO: (no name) - {9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB} - No CLSID value found.
      O2 - BHO: (no name) - {9DC1A021-465F-4E35-914D-9F48D15FE61F} - No CLSID value found.
      O2 - BHO: (no name) - {AAFD5369-31D1-43AA-811F-B3817BE24FA5} - No CLSID value found.
      O2 - BHO: (no name) - {C9C557EF-E3D7-4D19-9353-63E1B6BDF84B} - No CLSID value found.
      O2 - BHO: (no name) - {dc038be6-df19-4945-bc65-858f3f393bce} - No CLSID value found.
      O2 - BHO: (no name) - {F63472A5-F2CF-4652-868D-380B8E33AB5B} - No CLSID value found.
      O3 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O4 - HKLM..\Run: [] File not found
      O4 - Startup: C:\Documents and Settings\Dad_2\Start Menu\Programs\Startup\LimeWire On Startup.lnk = File not found
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (Reg Error: Key error.)
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (Reg Error: Key error.)
      O20 - Winlogon\Notify\urqPhecD: DllName - urqPhecD.dll - File not found
      :reg
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
      "Debugger"=-
      :files
      dir /a/s c:\hosts /c
      
      [emptytemp]
      [Reboot]
      
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it finishes, a log will open. Copy and paste the log into your reply.

Edited by farbar, 17 May 2011 - 03:09 AM.
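The fix script above singles out files carrying the hidden+system (-HS-) attributes under System32 and Tasks, which is the pattern behind most of the entries it moves. As an added example (not from the thread, and not OTL's own code), this Python parses OTL-style file entries and applies that same triage rule; the sample lines are constructed from the entries quoted in the thread, and the directory list is an assumption drawn from the fix.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the OTL entries quoted in the thread.
# Attribute flags: R = read-only, H = hidden, S = system; C/M = created/modified.
SAMPLE_OTL_LINES = r"""
[2011/05/15 17:47:49 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Juqvwqah.job
[2011/05/15 17:47:47 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\system32\urqPhecD.dll
[2008/04/09 07:21:00 | 000,000,534 | -HS- | C] () -- C:\WINDOWS\System32\kjoibtwk.ini
[2008/03/24 01:58:49 | 000,000,220 | -HS- | C] () -- C:\WINDOWS\System32\ss.drv
[2007/04/25 19:46:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\sprio600O.dll
< End of report >
"""

# One OTL file entry: [timestamp | size | attrs | C/M] (company) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Assumed triage scope, taken from what the fix script targets: system
# directories where a hidden+system file with no company name is unusual.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\tasks\\")


@dataclass(frozen=True)
class OtlEntry:
    timestamp: str
    size: int      # bytes, with OTL's thousands separators removed
    attrs: str     # four-character attribute field as printed by OTL
    kind: str      # "C" (created) or "M" (modified) listing
    company: str
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Parse OTL file lines; section headers and other non-entry lines are skipped."""
    entries: List[OtlEntry] = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=m["ts"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"],
            path=m["path"],
        ))
    return entries


def flag_hidden_system(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Return entries that are hidden AND system inside System32 or Tasks.

    System-only files such as bootstat.dat are not flagged: the combination
    of both attributes in these directories is what the fix keyed on.
    """
    flagged = []
    for entry in entries:
        lowered = entry.path.lower()
        if entry.hidden and entry.system and any(d in lowered for d in SYSTEM_DIRS):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_hidden_system(parse_otl_entries(SAMPLE_OTL_LINES)):
        print(f"{e.attrs} {e.size:>8} {e.path}")
```

Anything this flags is a candidate for a VirusTotal lookup like the one Farbar requested, not an automatic deletion.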


#9 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 17 May 2011 - 11:15 PM

No, this computer has never been and is not a company computer. I am unsure of what my computer has just gone through; is it possible to explain if the computer is virus free or clear of other items, now that I have run these programs? Thanks.

Here are the results:

All processes killed
========== OTL ==========
Service vim stopped successfully!
Service vim deleted successfully!
C:\WINDOWS\system32\drivers\vim.sys moved successfully.
C:\WINDOWS\tasks\A9CB56979184CD9F.job moved successfully.
File move failed. C:\WINDOWS\tasks\Juqvwqah.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\IAWJUWDG.job scheduled to be moved on reboot.
File C:\WINDOWS\system32\urqPhecD.dll not found.
C:\WINDOWS\system32\kjoibtwk.ini moved successfully.
C:\WINDOWS\system32\dyxogtpr.ini moved successfully.
C:\WINDOWS\system32\putrcssh.ini moved successfully.
C:\WINDOWS\system32\xyiombul.ini moved successfully.
C:\WINDOWS\system32\gfpirlic.ini moved successfully.
C:\WINDOWS\system32\mmhlsqji.ini moved successfully.
C:\WINDOWS\system32\ss.drv moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18BC7C93-E6D3-4999-AD25-A6844FD6A524}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18BC7C93-E6D3-4999-AD25-A6844FD6A524}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B598006-49BB-48AF-B638-062B54927D02}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B598006-49BB-48AF-B638-062B54927D02}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46D8185D-BA05-4100-8161-788613DE8FC2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46D8185D-BA05-4100-8161-788613DE8FC2}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AC255BE-B15A-41CC-9C07-56377D64FB4A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AC255BE-B15A-41CC-9C07-56377D64FB4A}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C1AE883-3A9C-4F3E-B9B0-328649DAA21E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C1AE883-3A9C-4F3E-B9B0-328649DAA21E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A25D15B-16BB-4D42-9EE0-EF38D4D41518}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A25D15B-16BB-4D42-9EE0-EF38D4D41518}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AF06CDE-7D73-4EE3-B46D-88CD72000CFB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AF06CDE-7D73-4EE3-B46D-88CD72000CFB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96DC4D46-815A-4E7D-B51D-E87FB35B3EC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96DC4D46-815A-4E7D-B51D-E87FB35B3EC9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9789CE7B-CFE6-4B4A-B59B-8348ED42FBCB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9DC1A021-465F-4E35-914D-9F48D15FE61F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DC1A021-465F-4E35-914D-9F48D15FE61F}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAFD5369-31D1-43AA-811F-B3817BE24FA5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAFD5369-31D1-43AA-811F-B3817BE24FA5}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C557EF-E3D7-4D19-9353-63E1B6BDF84B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9C557EF-E3D7-4D19-9353-63E1B6BDF84B}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dc038be6-df19-4945-bc65-858f3f393bce}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc038be6-df19-4945-bc65-858f3f393bce}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F63472A5-F2CF-4652-868D-380B8E33AB5B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F63472A5-F2CF-4652-868D-380B8E33AB5B}\ not found.
Registry value HKEY_USERS\S-1-5-21-1177238915-299502267-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Documents and Settings\Dad_2\Start Menu\Programs\Startup\LimeWire On Startup.lnk moved successfully.
Starting removal of ActiveX control {5D6F45B3-9043-443D-A792-115447494D24}
C:\WINDOWS\Downloaded Program Files\GAME_UNO1.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5D6F45B3-9043-443D-A792-115447494D24}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D6F45B3-9043-443D-A792-115447494D24}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D6F45B3-9043-443D-A792-115447494D24}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D6F45B3-9043-443D-A792-115447494D24}\ not found.
Starting removal of ActiveX control {C3F79A2B-B9B4-4A66-B012-3EE46475B072}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqPhecD\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\Debugger deleted successfully.
========== FILES ==========
< dir /a/s c:\hosts /c >
Volume in drive C has no label.
Volume Serial Number is C03A-5CD0
C:\Documents and Settings\david\Desktop\Bleeping Computer\cmd.bat deleted successfully.
C:\Documents and Settings\david\Desktop\Bleeping Computer\cmd.txt deleted successfully.
File\Folder [emptytemp] not found.
File\Folder [Reboot] not found.

OTL by OldTimer - Version 3.2.22.3 log created on 05182011_000912

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\tasks\Juqvwqah.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\IAWJUWDG.job scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Edited by pikmin, 17 May 2011 - 11:16 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:53 AM

Posted 18 May 2011 - 03:25 AM

is it possible to explain if the computer is virus free or clear of other items, now that I have run these programs?

Yes, that is possible; we are doing it and I will tell you when we are done. :)

  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :files
      C:\WINDOWS\tasks\Juqvwqah.job
      C:\WINDOWS\tasks\IAWJUWDG.job
      C:\Documents and Settings\All Users\Application Data\511e7ea
      dir /a c:\*.exe /c
      :otl
      [2011/04/06 21:04:18 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19849012r
      [2011/04/06 21:04:18 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19849012
      [2011/04/06 21:04:13 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\19849012
      [2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\sprio600O.dll
      [2011/04/06 20:24:17 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\ipxpromn9.dll
      [2011/04/06 20:07:44 | 000,016,448 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
      [2011/03/27 18:52:30 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
      [2011/03/27 18:52:30 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756
      [2011/03/27 18:52:05 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18472756
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
      O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O7 - HKU\S-1-5-21-1177238915-299502267-682003330-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
      :reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "C:\Documents and Settings\All Users\Application Data\511e7ea\LP511e.exe"=-
      :commands
      [resethosts]
      [emptytemp]
      
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it finishes, a log will open. Copy and paste the log into your reply.
  • Please tell me if Google search is still getting redirected.

Edited by farbar, 18 May 2011 - 06:07 AM.


#11 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 18 May 2011 - 10:36 PM

Yes, I am still being redirected from Google, and I really appreciate the help that I am receiving. Thanks.

All processes killed
========== FILES ==========
File move failed. C:\WINDOWS\tasks\Juqvwqah.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\IAWJUWDG.job scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Application Data\511e7ea\Quarantine Items folder moved successfully.
C:\Documents and Settings\All Users\Application Data\511e7ea\LPCGSys folder moved successfully.
C:\Documents and Settings\All Users\Application Data\511e7ea folder moved successfully.
< dir /a c:\*.exe /c >
Volume in drive C has no label.
Volume Serial Number is C03A-5CD0
Directory of c:\
C:\Documents and Settings\david\Desktop\Bleeping Computer\cmd.bat deleted successfully.
C:\Documents and Settings\david\Desktop\Bleeping Computer\cmd.txt deleted successfully.
========== OTL ==========
C:\Documents and Settings\All Users\Application Data\~19849012r moved successfully.
C:\Documents and Settings\All Users\Application Data\~19849012 moved successfully.
C:\Documents and Settings\All Users\Application Data\19849012 moved successfully.
File move failed. C:\WINDOWS\system32\sprio600O.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ipxpromn9.dll scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84 moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756r moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756 moved successfully.
C:\Documents and Settings\All Users\Application Data\18472756 moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions\ not found.
Registry key HKEY_USERS\S-1-5-21-1177238915-299502267-682003330-1003\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Application Data\511e7ea\LP511e.exe deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Dad_2
->Temp folder emptied: 3033763289 bytes
->Temporary Internet Files folder emptied: 43894749 bytes
->Java cache emptied: 18769 bytes
->FireFox cache emptied: 49724718 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 21126 bytes

User: david
->Temp folder emptied: 340955 bytes
->Temporary Internet Files folder emptied: 708814 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 51385222 bytes
->Google Chrome cache emptied: 6019786 bytes
->Flash cache emptied: 5628 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 8026900 bytes

User: julia
->Temp folder emptied: 886194216 bytes
->Temporary Internet Files folder emptied: 1228718363 bytes
->Java cache emptied: 35392 bytes
->FireFox cache emptied: 227224514 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 42036 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 770537 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138618 bytes
%systemroot%\System32 .tmp files removed: 2932753 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 91179480 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34498 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,371.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05182011_232153

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\tasks\Juqvwqah.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\IAWJUWDG.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\sprio600O.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ipxpromn9.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:53 AM

Posted 19 May 2011 - 05:22 AM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 19 May 2011 - 10:32 PM

I completed the procedure, but I just want to note that I have the unregistered Malwarebytes Antimalware and I am unsure of how to disable it; I'm not sure if it affected the scan.

ComboFix 11-05-18.04 - david 19/05/2011 23:17:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.695 [GMT -4:00]
Running from: c:\documents and settings\david\Desktop\Bleeping Computer\ComboFix.exe
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dad_2\Application Data\A05162C0DAFDF175B596E0B088F3046A
c:\documents and settings\Dad_2\Application Data\A05162C0DAFDF175B596E0B088F3046A\enemies-names.txt
c:\documents and settings\Dad_2\Application Data\A05162C0DAFDF175B596E0B088F3046A\local.ini
c:\documents and settings\Dad_2\Application Data\A05162C0DAFDF175B596E0B088F3046A\lsrslt.ini
c:\documents and settings\Dad_2\Application Data\Adobe\plugs
c:\documents and settings\Dad_2\Application Data\Adobe\shed
c:\documents and settings\david\1
c:\windows\system32\skinboxer43.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-18 04:09 . 2011-05-18 04:09 -------- d-----w- C:\_OTL
2011-05-18 03:57 . 2011-05-18 03:57 -------- d-----w- c:\program files\CCleaner
2011-05-18 03:17 . 2011-05-18 04:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-08 21:14 . 2011-05-08 21:14 -------- d-----w- c:\windows\Sun
2011-05-08 18:53 . 2011-02-18 20:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-08 18:53 . 2011-02-18 20:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-08 18:52 . 2011-05-08 18:52 -------- d-----w- c:\program files\Bonjour
2011-05-06 02:05 . 2011-05-06 02:05 -------- d--h--w- c:\windows\PIF
2011-05-03 02:33 . 2011-05-03 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-04-21 01:06 . 2011-04-21 01:06 -------- d-----w- c:\documents and settings\julia\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-05 17:39 . 2011-03-05 17:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-05-01 19:56 . 2011-03-27 18:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"57176:TCP"= 57176:TCP:Pando Media Booster
"57176:UDP"= 57176:UDP:Pando Media Booster
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\documents and settings\Dad_2\My Documents\Downloads\PSI\psia.exe [10/01/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\documents and settings\Dad_2\My Documents\Downloads\PSI\sua.exe [10/01/2011 10:24 AM 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 4:30 AM 15544]
S3 Normandy;Normandy SR2; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\david\Application Data\Mozilla\Firefox\Profiles\ksgtfrfs.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.swagbucks.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-c03a5c7f - c:\windows\system32\hsscrtup.dll
MSConfigStartUp-JmpyxPEOWqPO - c:\documents and settings\All Users\Application Data\JmpyxPEOWqPO.exe
MSConfigStartUp-manager wipe - c:\docume~1\david\APPLIC~1\CHINPL~1\each proc.exe
MSConfigStartUp-SEEK FLAG DALE HIDE - c:\documents and settings\All Users\Application Data\Dent pile seek flag\ante global.exe
MSConfigStartUp-Windows live Messenger - msn.com
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-19 23:28:31
ComboFix-quarantined-files.txt 2011-05-20 03:28
.
Pre-Run: 9,271,840,768 bytes free
Post-Run: 9,964,093,440 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 704E8EE41818ADAEF201663E306BE32E
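The ComboFix log above buries the findings that matter (the TDL4 bootkit line under "Other Deletions", the Windows Firewall policy under "Reg Loading Points", the removed autostart orphans, the locked registry keys) in a lot of routine output. The parser below is an added example, not part of the original thread and not ComboFix's own code: it recognises the banner and line formats exactly as they appear in the log posted above, runs over SAMPLE_LOG, which is a constructed excerpt of that log, and flags autostart orphans with two heuristics (binary under a profile's Application Data folder, or a bare hex entry name) that are this example's own assumptions, not any ComboFix rule.

```python
"""Extract the security-relevant findings from a ComboFix log.

Added example, not part of the original thread and not ComboFix's own
code. Banner and line formats follow the log posted above; SAMPLE_LOG
is a constructed excerpt of that log; the "suspicious startup entry"
heuristics are this example's own assumptions.
"""
import re

PAREN_BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # ((( Other Deletions )))
DASH_BANNER = re.compile(r"^-[-\s]*\s*(.+?)\s*[-\s]*-$")   # - - - ORPHANS REMOVED - - -
BOOTKIT = re.compile(r"^\\\\\.\\PhysicalDrive(\d+)\s*-\s*(.+)$")
ORPHAN = re.compile(r"^MSConfigStartUp-(.+?) - (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
ENABLE_FW = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')

# Constructed excerpt of the log posted above (same line shapes, fewer lines).
SAMPLE_LOG = r"""ComboFix 11-05-18.04 - david 19/05/2011 23:17:55.2.2 - x86
.
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\Dad_2\Application Data\Adobe\plugs
c:\windows\system32\skinboxer43.dll
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((( Reg Loading Points )))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-c03a5c7f - c:\windows\system32\hsscrtup.dll
MSConfigStartUp-JmpyxPEOWqPO - c:\documents and settings\All Users\Application Data\JmpyxPEOWqPO.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"""


def split_sections(text):
    """Group log lines under the banner that precedes them.

    Lines before the first banner go under "Header". ComboFix's lone-dot
    spacer lines and its rows of asterisks carry nothing and are dropped.
    """
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or set(line) == {"*"}:
            continue
        m = PAREN_BANNER.match(line) or DASH_BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def standard_profile_firewall(reg_lines):
    """True/False for the XP firewall standard-profile state, None if absent.

    ComboFix prints the value as '"EnableFirewall"= 0 (0x0)' directly under
    the ...\\firewallpolicy\\standardprofile key, so track the current key.
    """
    in_profile = False
    for line in reg_lines:
        k = REG_KEY.match(line)
        if k:
            in_profile = k.group(1).lower().endswith("firewallpolicy\\standardprofile")
            continue
        if in_profile:
            v = ENABLE_FW.match(line)
            if v:
                return v.group(1) == "1"
    return None


def suspicious_startup(orphan_lines):
    """Heuristic (this example's assumption, not a ComboFix rule): flag
    removed autostart entries whose binary lived under a profile's
    Application Data folder, or whose entry name is a bare hex blob."""
    flagged = []
    for line in orphan_lines:
        m = ORPHAN.match(line)
        if not m:
            continue
        name, path = m.groups()
        p = path.lower()
        if "application data" in p or "applic~1" in p or re.fullmatch(r"[0-9a-f]{8,}", name):
            flagged.append((name, path))
    return flagged


def findings(text):
    """Summarise one ComboFix log as a dict of the findings a reviewer wants."""
    s = split_sections(text)
    deletions, bootkit = [], None
    for line in s.get("Other Deletions", []):
        m = BOOTKIT.match(line)
        if m:
            bootkit = {"drive": int(m.group(1)), "note": m.group(2)}
        else:
            deletions.append(line)
    locked = s.get("LOCKED REGISTRY KEYS", [])
    return {
        "deletions": deletions,
        "bootkit": bootkit,
        "firewall_enabled": standard_profile_firewall(s.get("Reg Loading Points", [])),
        "suspicious_startup": suspicious_startup(s.get("ORPHANS REMOVED", [])),
        "locked_keys": [REG_KEY.match(l).group(1) for l in locked if REG_KEY.match(l)],
    }


if __name__ == "__main__":
    for key, value in findings(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full log (`findings(open("ComboFix.txt").read())`), the bootkit entry and a disabled standard-profile firewall are the two results worth reading first; the locked FlashBroker CLSID keys in this particular log are Adobe's own deny ACLs, which is why the summary lists them rather than judging them.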

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 May 2011 - 04:59 AM

We're done.

The main infection is gone. Let's take care of the rest.

Open notepad and copy/paste the text in the code box below into it:


Collect::
C:\WINDOWS\tasks\Juqvwqah.job
C:\WINDOWS\tasks\IAWJUWDG.job
C:\WINDOWS\system32\sprio600O.dll
C:\WINDOWS\system32\ipxpromn9.dll
Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

#15 pikmin

pikmin
  • Topic Starter

  • Members
  • 17 posts

Posted 21 May 2011 - 11:19 PM

Hi Farbar, I have followed what you instructed, but unfortunately my internet browsers, Firefox and Internet Explorer, seem to have been affected and cannot open. I could not send you this reply through the infected computer, so I used a USB to bring the log to another computer. Also, when I try to open folders, like the one that contains the log, a window pops up which says "Folder Size for Windows: The feature you are trying to use is on a network resource that is unavailable..." I think the reason may be because I forgot to disable the firewall before I ran ComboFix, but other than that I am not sure what else went right or wrong. The report that I am supposed to copy and paste is too long to post and too big to attach as a file. The file's size is 998KB. I am unsure of what to do.
