Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE Popups, Google Redirect, Files Hidden


  • This topic is locked This topic is locked
40 replies to this topic

#1 kelsey m

kelsey m

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 08 June 2011 - 07:11 AM

Hello,

I took my main computer in for some minor repairs and began using my 6 year old laptop which had sat unused for about 3 years. Naturally the computer was very out of date, and in the process of updating (I believe it was a Java update in particular) I contracted the Windows XP Recovery Virus. I finally did a system restore to before the Java update, which seemed to fix the major problems. But I was stuck with Google redirects, and occasional IE popups, as well as hidden files. I tried to run unhide.exe, but when it was partly done, the computer restarted (I'm not sure if this was due to a Windows update, or something else).

Now the situation is even worse. The occasional IE popups have become constant. As soon as Windows loads, IE pops up, but then seems to crash or is closed by something. This results in IE constantly loading and crashing (just to be clear, I never open IE in the first place). It's like a blinking browser constantly on my screen, which makes it nearly impossible to do anything. I'm in safe mode right now, where there is only one popup on startup, but the redirect problem persists.

I've been trying for the past few days to generate the logs needed to post here. I managed to run GMER in safe mode, but DDS (in normal mode) takes several hours, instead of 3 minutes, and freezes at what appears to be about 3/4 of the way done. Then the whole computer must be restarted.

I'm at my wit's end, so any advice would be greatly appreciated. The GMER log follows:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-08 21:28:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2060AT_PL rev.008300A1
Running: gmer.exe; Driver: C:\DOCUME~1\Kelse\LOCALS~1\Temp\uxtdqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F772EBD0 4 Bytes [36, 9A, 4D, 80]
INITc VolSnap.sys F772EBF8 4 Bytes [94, 87, 4E, 80] {XCHG ESP, EAX; XCHG [ESI-0x80], ECX}
INITc VolSnap.sys F772EC20 4 Bytes [A0, C1, 4D, 80]
INITc VolSnap.sys F772EC48 4 Bytes [B0, C8, 4D, 80]
INITc VolSnap.sys F772EC70 4 Bytes [09, BF, 4D, 80]
INITc ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E35203E C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E352003 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E352079 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E20176A C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35223B C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WININET.dll!HttpAddRequestHeadersA 771C40FA 7 Bytes JMP 00BB6B70
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WININET.dll!HttpAddRequestHeadersW 771CEF2C 5 Bytes JMP 00BB6D70
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WS2_32.dll!connect 71AB406A 5 Bytes JMP 004F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WS2_32.dll!send 71AB428A 5 Bytes JMP 0051000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00E6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0050000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs F6A8A400

---- Threads - GMER 1.0.15 ----

Thread System [4:112] 84AE0E7A
Thread System [4:116] 84AE3008

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFF 0xA1 0x1B 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x36 0x4A 0xA1 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEE 0xA4 0x9E 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x94 0x2E 0xBE 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xEE 0xA4 0x9E 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFF 0xA1 0x1B 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x36 0x4A 0xA1 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEE 0xA4 0x9E 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x94 0x2E 0xBE 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xEE 0xA4 0x9E 0xC3 ...

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 13 June 2011 - 01:45 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



information and logs:

  • In your next post I need the following

  • .logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 13 June 2011 - 08:05 PM

Hi Gringo,
Thanks for your help. I've been trying to run DDS, but I've been having the same problem described in my original post, despite redownloading from the links you provided. It will appear to be partially finished and then stall, without ever generating any logs. Any suggestions?
Thanks,
Kelsey

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 13 June 2011 - 08:29 PM

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 13 June 2011 - 09:41 PM

That seemed to work better.

Here's the OTL log:
OTL logfile created on: 6/14/2011 9:56:49 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Kelse\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.48 Mb Total Physical Memory | 569.94 Mb Available Physical Memory | 63.72% Memory free
2.12 Gb Paging File | 1.89 Gb Available in Paging File | 89.42% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.29 Gb Total Space | 9.91 Gb Free Space | 20.53% Space Free | Partition Type: NTFS
Drive D: | 7.58 Gb Total Space | 0.85 Gb Free Space | 11.24% Space Free | Partition Type: FAT32

Computer Name: KELSEY | User Name: Kelse | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Kelse\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe (Autodesk)
PRC - C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe (Hewlett-Packard )
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\MATLAB71\bin\win32\MATLAB.exe (The MathWorks Inc.)
PRC - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe ()
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Kelse\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (Autodesk Data Management Job Dispatch) -- C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe (Autodesk)
SRV - (Autodesk EDM Server) -- C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe (Autodesk)
SRV - (matlabserver) -- C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe ()


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)
DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1601483067-598650711-514909351-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..keyword.URL: "www.google.com"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/05 13:49:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/07 20:26:37 | 000,000,000 | ---D | M]

[2011/06/05 13:54:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Extensions
[2011/06/14 21:51:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\extensions
[2011/06/05 17:31:51 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/06/14 21:51:21 | 000,000,000 | ---D | M] (Springpad Extension) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\extensions\ext@sprng.me
[2008/06/18 16:06:32 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\extensions\moveplayer@movenetworks.com
[2011/06/14 21:51:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\extensions\staged
[2011/06/06 11:41:13 | 000,002,264 | ---- | M] () -- C:\Documents and Settings\Kelse\Application Data\Mozilla\Firefox\Profiles\6kzeveey.default\searchplugins\bing-zugo.xml
[2011/06/07 20:27:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/07 00:34:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/07 20:27:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\KELSE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\6KZEVEEY.DEFAULT\EXTENSIONS\{C1970C0D-DBE6-4D91-804F-C9C0DE643A57}.XPI
[2011/06/07 20:25:27 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/03/03 22:19:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/06/07 20:25:17 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/03/28 01:48:45 | 000,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml.old

O1 HOSTS File: ([2004/08/04 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar5.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar5.dll (Google Inc.)
O3 - HKU\S-1-5-21-1601483067-598650711-514909351-1006\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar5.dll (Google Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-1601483067-598650711-514909351-1006..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader(2).lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch(2).lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop(2).ini ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start(2).lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1601483067-598650711-514909351-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1601483067-598650711-514909351-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Use as &Display Picture - C:\Program Files\IEDP2\IEDP.htm ()
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab (Minesweeper Flags Class)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games Buddy Invite)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (ZonePAChat Object)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174145745859 (MUWebControl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/bingame/luxr/default/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab (MSN Games Hearts)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games Game Communicator)
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab (Solitaire Showdown Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Amber Migration.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Amber Migration.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/04 13:40:39 | 000,000,000 | ---D | M] - C:\autodesk -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 14:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{5bace0be-a1d3-11dc-9957-0016367f3a93}\Shell - "" = AutoRun
O33 - MountPoints2\{5bace0be-a1d3-11dc-9957-0016367f3a93}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5bace0be-a1d3-11dc-9957-0016367f3a93}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/14 22:14:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/06/14 21:50:36 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kelse\Desktop\OTL.exe
[2011/06/14 14:03:43 | 000,607,310 | R--- | C] (Swearware) -- C:\Documents and Settings\Kelse\Desktop\dds.com
[2011/06/08 09:15:56 | 000,607,310 | ---- | C] (Swearware) -- C:\Documents and Settings\Kelse\Desktop\dds.scr
[2011/06/07 21:56:01 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/07 20:26:38 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/07 20:26:36 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/06/07 20:26:35 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/07 20:26:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/07 20:26:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/07 19:08:36 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/07 19:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader 5.0
[2011/06/07 19:04:40 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2011/06/07 14:56:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/07 14:56:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kelse\Start Menu\Programs\Administrative Tools
[2011/06/07 14:42:40 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/06/07 14:40:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2011/06/07 14:37:34 | 000,000,000 | ---D | C] -- C:\736f1d4ba1d142c3f9c3b14b
[2011/06/07 14:31:55 | 000,000,000 | ---D | C] -- C:\5ccfcd3aa8be9264271bd47c00
[2011/06/07 14:26:32 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/06/07 14:26:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/06/07 00:55:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kelse\Application Data\Malwarebytes
[2011/06/07 00:52:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/07 00:52:52 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/07 00:52:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/07 00:52:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/07 00:41:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kelse\Application Data\HPAppData
[2011/06/07 00:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\muvee Technologies
[2011/06/07 00:34:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\muvee Technologies
[2011/06/07 00:32:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Autodesk
[2011/06/07 00:31:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kelse\Recent
[2011/06/06 12:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/06/06 11:39:36 | 000,000,000 | ---D | C] -- C:\Program Files\JDownloader
[2011/06/06 10:59:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/06/06 10:59:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/06/06 10:53:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kelse\My Documents\Downloads
[2011/06/04 17:15:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2011/06/04 17:14:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kelse\Local Settings\Application Data\Microsoft Corporation
[2011/06/04 17:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2011/06/04 16:33:40 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[69 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[17 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[12 C:\Documents and Settings\Kelse\My Documents\*.tmp files -> C:\Documents and Settings\Kelse\My Documents\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/14 21:56:56 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/06/14 21:56:41 | 000,000,297 | ---- | M] () -- C:\hpqp.ini
[2011/06/14 21:56:32 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2011/06/14 21:54:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/14 21:53:34 | 938,004,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/14 21:50:37 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kelse\Desktop\OTL.exe
[2011/06/14 14:03:55 | 000,607,310 | R--- | M] (Swearware) -- C:\Documents and Settings\Kelse\Desktop\dds.com
[2011/06/14 14:03:48 | 000,607,310 | ---- | M] (Swearware) -- C:\Documents and Settings\Kelse\Desktop\dds.scr
[2011/06/14 07:52:49 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/09 08:40:08 | 000,606,105 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\unhide(1).exe
[2011/06/08 16:17:23 | 000,001,555 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\Command Prompt (2).lnk
[2011/06/08 16:07:06 | 000,000,687 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\Summary.rtf
[2011/06/08 09:25:06 | 000,000,332 | ---- | M] () -- C:\Documents and Settings\Kelse\defogger_reenable
[2011/06/08 09:17:44 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\gmer.zip
[2011/06/08 09:14:39 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\Defogger.exe
[2011/06/07 21:03:46 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/07 20:25:01 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/07 20:25:00 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/07 20:24:58 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/07 20:24:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/07 20:24:48 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/06/07 19:05:33 | 000,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader 5.0.lnk
[2011/06/07 17:58:23 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/06/07 15:16:21 | 000,489,776 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/07 15:16:21 | 000,090,302 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/07 13:56:22 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/06/07 13:56:22 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/06/07 13:55:54 | 000,374,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/07 11:26:42 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/07 11:10:43 | 000,004,507 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/07 11:07:24 | 000,000,031 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2011/06/07 10:34:15 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\crihpdip.sys
[2011/06/06 22:52:34 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16244516r
[2011/06/06 22:52:34 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16244516
[2011/06/06 19:15:54 | 000,000,384 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\16244516
[2011/06/06 11:43:35 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/06 10:57:38 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\Kelse\My Documents\My Sharing Folders.lnk
[2011/06/05 20:24:04 | 003,881,123 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\cxa3029a.rar
[2011/06/05 13:49:28 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/05 13:49:28 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox(2).lnk
[2011/06/05 13:49:25 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/06/04 17:03:00 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2011/06/04 16:42:33 | 000,000,268 | ---- | M] () -- C:\sqmdata01.sqm
[2011/06/04 16:42:32 | 000,000,244 | ---- | M] () -- C:\sqmnoopt00.sqm
[2011/06/04 16:33:40 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/29 12:32:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Kelse\Desktop\gmer.exe
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[69 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[17 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[12 C:\Documents and Settings\Kelse\My Documents\*.tmp files -> C:\Documents and Settings\Kelse\My Documents\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/14 21:53:34 | 938,004,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/09 08:40:06 | 000,606,105 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\unhide(1).exe
[2011/06/08 16:17:23 | 000,001,555 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\Command Prompt (2).lnk
[2011/06/08 16:07:05 | 000,000,687 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\Summary.rtf
[2011/06/08 09:18:18 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\gmer.exe
[2011/06/08 09:17:42 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\gmer.zip
[2011/06/08 09:15:09 | 000,000,332 | ---- | C] () -- C:\Documents and Settings\Kelse\defogger_reenable
[2011/06/08 09:14:38 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\Defogger.exe
[2011/06/07 23:43:21 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/07 23:43:21 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/06/07 19:05:33 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader 5.0.lnk
[2011/06/07 13:56:22 | 000,016,832 | ---- | C] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/06/07 13:56:21 | 000,023,392 | ---- | C] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/06/07 11:26:42 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Kelse\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/07 11:26:42 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Kelse\Start Menu\Programs\Windows Media Player.lnk
[2011/06/07 10:34:15 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\crihpdip.sys
[2011/06/06 19:19:01 | 003,881,123 | ---- | C] () -- C:\Documents and Settings\Kelse\Desktop\cxa3029a.rar
[2011/06/06 19:13:04 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16244516r
[2011/06/06 19:13:04 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16244516
[2011/06/06 19:12:32 | 000,000,384 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\16244516
[2011/06/06 11:40:34 | 000,001,623 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\JDownloader.lnk
[2011/06/06 11:40:34 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\JDownloader Uninstaller.lnk
[2011/06/06 11:40:34 | 000,001,581 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\JDownloader Update.lnk
[2011/06/05 13:49:22 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/06/04 17:03:00 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2011/06/04 17:02:59 | 000,001,868 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows 7 Upgrade Advisor.lnk
[2010/02/10 15:45:14 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2008/10/04 13:26:25 | 000,165,302 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2008/10/04 13:26:24 | 000,007,262 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2008/06/30 20:51:38 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/03/28 05:11:26 | 000,000,096 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2008/03/28 05:11:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2008/03/26 14:12:21 | 000,622,135 | ---- | C] () -- C:\Program Files\heartlight_deluxe.zip
[2007/12/31 04:09:50 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/04 00:05:14 | 000,001,560 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/09/03 19:37:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/12/31 11:38:26 | 000,042,483 | ---- | C] () -- C:\WINDOWS\ICCCODES.DAT
[2006/12/31 11:38:26 | 000,027,648 | ---- | C] () -- C:\WINDOWS\PFPICK.DLL
[2006/11/13 08:20:00 | 000,078,144 | ---- | C] () -- C:\WINDOWS\hpfins05.dat.temp
[2006/11/13 08:19:59 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat.temp
[2006/11/11 11:42:23 | 000,078,998 | ---- | C] () -- C:\WINDOWS\hpfins05.dat
[2006/11/11 11:42:23 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat
[2006/10/30 13:19:58 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Kelse\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/20 10:19:46 | 000,000,176 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/10/20 10:19:40 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006/10/20 09:03:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/18 14:44:49 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Kelse\Local Settings\Application Data\fusioncache.dat
[2006/04/20 01:53:25 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/04/20 01:53:25 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/04/20 01:40:16 | 000,087,275 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/04/20 01:31:35 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/04/20 01:27:59 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/04/20 01:22:23 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/12/02 06:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/06/11 03:59:16 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/04/27 14:38:00 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2004/08/07 09:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 09:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 09:10:30 | 000,489,776 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 09:10:30 | 000,090,302 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 09:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 09:02:54 | 000,374,464 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 08:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 08:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 04:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/05/28 04:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 04:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC4C6FB4
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38849DE5
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A7A4D14E
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9FE30AB2
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35759C73
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CEE4A457
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F96D8E6
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81E7CF6A
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:30C46519

< End of report >

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 13 June 2011 - 10:04 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 15 June 2011 - 03:01 PM

Hi Gringo,

I've been attempting to run Combofix. However, it does not seem to run like I would expect from this guide. The UI looks completely different (green writing on black background). The scan is relatively quick and does not restart my computer. I'm pretty sure I saw it say "scan completed" or something to that effect (it's hard to tell behind the IE popups). The only new document I find on my desktop is called catchme.log and all it says is:

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully

That's it. Is that the Combofix log? I have observed no change in my computer's behavior. Please let me know if I am doing something wrong with the scan. Thanks!

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 15 June 2011 - 04:06 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 15 June 2011 - 06:23 PM

I downloaded TDSSKiller to my dektop, double-click it, click run, and then nothing happens. Any ideas?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 15 June 2011 - 06:28 PM

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 15 June 2011 - 10:31 PM

Here's the aswMBR log:

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-16 19:50:11
-----------------------------
19:50:11.406 OS Version: Windows 5.1.2600 Service Pack 2
19:50:11.406 Number of processors: 1 586 0x2C02
19:50:11.406 ComputerName: KELSEY UserName: Kelse
19:50:49.796 Initialize success
19:51:02.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:51:02.609 Disk 0 Vendor: FUJITSU_MHV2060AT_PL 008300A1 Size: 57231MB BusType: 3
19:51:02.734 Disk 0 MBR read successfully
19:51:02.734 Disk 0 MBR scan
19:51:02.750 Disk 0 unknown MBR code
19:51:02.812 Disk 0 scanning sectors +117210240
19:51:03.015 Disk 0 scanning C:\WINDOWS\system32\drivers
19:51:32.562 Service scanning
19:51:52.343 Disk 0 trace - called modules:
19:51:52.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84b0c1ed]<<
19:51:52.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b85ab8]
19:51:52.562 3 CLASSPNP.SYS[f753105b] -> nt!IofCallDriver -> \Device\00000077[0x84be4650]
19:51:52.578 5 ACPI.sys[f73a7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84b6b940]
19:51:52.609 \Driver\atapi[0x84be26e8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x84b0c1ed
19:51:52.734 Scan finished successfully
19:53:46.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kelse\Desktop\MBR.dat"
19:53:46.015 The log file has been saved successfully to "C:\Documents and Settings\Kelse\Desktop\aswMBR.txt"

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 15 June 2011 - 10:42 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 19 June 2011 - 03:07 AM

Hello

change of plans - I want you to run this for me and let me know how things are after - http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 kelsey m

kelsey m
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 19 June 2011 - 06:28 AM

That seems to have been quite effective. It found an infected driver VolSnap.sys and then repaired it successfully. The popups and redirect seem to have stopped, thank you! Is there a way to be sure I've seen the last of this virus?

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 PM

Posted 19 June 2011 - 12:01 PM

Hello

very good - try and run TDSSKiller again for me now



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users