Search results redirects to other websites

December 13, 2009 at 05:45:47
Specs: Windows XP, athlon 2gb
When I do web searches, it redirects to other websites. I have alreay run mbam and it said 0 infections. Can someone help me with this problem?

See More: Search results redirects to other websites

Report •


#1
December 13, 2009 at 12:24:43
Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2.(Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5.Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate post) in your next reply. It may take 3 to 4 post to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
•Exit GMER and re-enable all active protection when done.


Report •

#2
December 14, 2009 at 05:38:50
#1 Log from RSIT.exe

info.txt logfile of random's system information tool 1.06 2009-12-14 08:41:45

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATT eChat Support Tools-->MsiExec.exe /I{77EBC8CD-F808-4ECD-93D0-311C27B09827}
ATT-PRT22-->C:\PROGRA~1\ATT-PR~1\UNWISE.EXE C:\PROGRA~1\ATT-PR~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Broadcom Management Programs-->MsiExec.exe /I{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{001AB29C-5468-4972-8D24-2EBDB2B12133}
Canon Camera Window DS for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6B8BDABA-6737-4998-AEE4-E218EDE5FC7A}
Canon Camera Window MC 5 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{89EB3ED7-225A-412E-B048-623D502C000F}
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68D27126-BF6A-457D-8DD0-5F35E8D41310}
Canon PhotoRecord-->MsiExec.exe /X{6693BD7C-CB4E-43AC-A0D6-10D1A1B88DCF}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{001EB665-D9EC-415E-9E13-AD2125B2B992}
Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Support 3.2.1-->MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EarthLink Setup Files-->MsiExec.exe /X{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}
Fraps-->"C:\Fraps\uninstall.exe"
Free Realms Installer-->C:\Program Files\Sony Online Entertainment\uninst.exe
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp officejet 6100 series-->MsiExec.exe /X{12BB7942-1E1F-43D9-B441-4668C1629425}
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp officejet 6100 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HyperCam 2-->"C:\Program Files\HyCam2\UnHyCam2.exe"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C252EB7B-7AE0-46DE-9BEE-DF681B885F13}\setup.exe" -l0x9 -removeonly
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NVIDIA Drivers-->C:\WINDOWS\system32\nvuide.exe UninstallGUI
OTOY-->RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Solid State ION Internet Explorer Plugin-->C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\soliduninstall.exe /Uninstall activex
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Hosts File======

127.0.0.1 localhost
::1 localhost
??????????????? browser-security.microsoft.com
??????????????? antiwareprotect.com
??????????????? www.antiwareprotect.com

======Security center information======

AV: Symantec AntiVirus Corporate Edition

======System event log======

Computer Name: D65Q6XC1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
nvatabus
nvraid

Record Number: 55057
Source Name: Service Control Manager
Time Written: 20091111084116.000000-300
Event Type: error
User:

Computer Name: D65Q6XC1
Event Code: 7024
Message: The McAfee Real-time Scanner service terminated with service-specific error 5046 (0x13B6).

Record Number: 55055
Source Name: Service Control Manager
Time Written: 20091111084104.000000-300
Event Type: error
User:

Computer Name: D65Q6XC1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
nvatabus
nvraid

Record Number: 55013
Source Name: Service Control Manager
Time Written: 20091111061937.000000-300
Event Type: error
User:

Computer Name: D65Q6XC1
Event Code: 7024
Message: The McAfee Real-time Scanner service terminated with service-specific error 5046 (0x13B6).

Record Number: 55011
Source Name: Service Control Manager
Time Written: 20091111061926.000000-300
Event Type: error
User:

Computer Name: D65Q6XC1
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 54998
Source Name: Tcpip
Time Written: 20091110082011.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: D65Q6XC1
Event Code: 5046
Message: The McShield scanning service cannot find any configuration in the registry


Record Number: 12254
Source Name: McLogEvent
Time Written: 20090716180205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: D65Q6XC1
Event Code: 5041
Message: The McAfee McShield scanning service loaded naiann.dll but it reported the wrong version
Viruses will still be detected but no alerting will occur

Record Number: 12253
Source Name: McLogEvent
Time Written: 20090716180205.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: D65Q6XC1
Event Code: 1004
Message: Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'PowerPointUserData', component '{8ADD2C9A-C8B7-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\UserData' does not exist.

Record Number: 12247
Source Name: MsiInstaller
Time Written: 20090715081103.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: D65Q6XC1
Event Code: 1004
Message: Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Record Number: 12246
Source Name: MsiInstaller
Time Written: 20090715081059.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: D65Q6XC1
Event Code: 5046
Message: The McShield scanning service cannot find any configuration in the registry


Record Number: 12238
Source Name: McLogEvent
Time Written: 20090715075305.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=6b01
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------


Report •

#3
December 14, 2009 at 05:40:02
RSIT.exe maximized:


Logfile of random's system information tool 1.06 (written by random/random)
Run by Valerie at 2009-12-14 08:41:08
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 135 GB (91%) free of 149 GB
Total RAM: 446 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:41 AM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\BDJ44FLQ\RSIT[1].exe
C:\Program Files\trend micro\Valerie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: ??????????????? www.antiwareprotect.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updatemgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://my.att.net
O15 - Trusted Zone: http://webmail.att.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/dow...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/so...
O18 - Filter hijack: text/html - {a9363d63-1c64-400e-b09c-ca506601e9f7} - C:\WINDOWS\system32\xwreg32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TipCtrl - Unknown owner - C:\Program Files\uTIPu\TipCtrl.exe (file missing)

--
End of file - 9206 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1194093221.job
C:\WINDOWS\tasks\rnvmjdbr.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-08-23 7630848]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-08-23 86016]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-08-15 282624]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"ISUSPM Startup"=c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-07-27 221184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=C:\Program Files\Dell Support\DSAgnt.exe [2006-08-28 395776]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"updatemgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-01-08 4363504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcnasvc"=2
"mcmscsvc"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcods]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcods]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mpfservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidnm.exe"="C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidnm.exe:*:Enabled:Solid State Networks Browser Plugin"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-12-14 08:41:09 ----D---- C:\Program Files\trend micro
2009-12-14 08:41:08 ----D---- C:\rsit
2009-12-09 08:10:58 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 08:10:40 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 08:10:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 08:09:30 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 08:09:11 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-01 07:07:44 ----SHD---- C:\Config.Msi
2009-11-29 12:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2009-11-29 12:57:42 ----D---- C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2009-11-24 17:07:31 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-24 17:07:21 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

======List of files/folders modified in the last 1 months======

2009-12-14 08:41:09 ----RD---- C:\Program Files
2009-12-14 08:41:02 ----D---- C:\WINDOWS\Prefetch
2009-12-14 08:36:14 ----D---- C:\WINDOWS\Temp
2009-12-14 08:10:28 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-14 08:07:31 ----D---- C:\Program Files\Symantec AntiVirus
2009-12-14 08:02:32 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-12-14 08:01:12 ----D---- C:\WINDOWS
2009-12-13 09:37:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-11 16:44:44 ----D---- C:\WINDOWS\system32
2009-12-09 08:27:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-09 08:24:07 ----D---- C:\Program Files\Internet Explorer
2009-12-09 08:11:04 ----HD---- C:\WINDOWS\inf
2009-12-09 08:11:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-12-09 08:11:00 ----D---- C:\WINDOWS\system32\drivers
2009-12-09 08:10:47 ----A---- C:\WINDOWS\imsins.BAK
2009-12-09 08:10:19 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 08:10:05 ----D---- C:\WINDOWS\system32\en-US
2009-12-06 09:12:33 ----D---- C:\Program Files\Google
2009-12-06 09:12:33 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-12-06 09:12:32 ----SHD---- C:\WINDOWS\Installer
2009-12-03 09:22:50 ----D---- C:\Program Files\Shared
2009-12-03 09:11:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-01 15:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-24 17:07:02 ----D---- C:\WINDOWS\WinSxS
2009-11-19 17:22:10 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 mpfp;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-05-01 8552]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-08-14 44544]
R3 dfmirage;dfmirage; C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2008-10-29 31896]
R3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091129.002\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091129.002\navex15.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-08-23 3959712]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-08-15 1171464]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
S3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2009-01-26 303104]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
R3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 mcshield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-08-23 155715]
S2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 TipCtrl;TipCtrl; C:\Program Files\uTIPu\TipCtrl.exe []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 mcafee siteadvisor service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
S4 mcods;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S4 mcproxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe []
S4 mcsysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S4 mpfservice;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]

-----------------EOF-----------------


Report •

Related Solutions

#4
December 14, 2009 at 07:00:36
gmer log

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 09:47:45
Windows 5.1.2600 Service Pack 3
Running: xd83opvp[1].exe; Driver: C:\DOCUME~1\Valerie\LOCALS~1\Temp\pxtoapow.sys


---- System - GMER 1.0.15 ----

SSDT 847F0310 ZwAlertResumeThread
SSDT 847E15C0 ZwAlertThread
SSDT 848D54E8 ZwAllocateVirtualMemory
SSDT 849298B0 ZwConnectPort
SSDT 848BCF48 ZwCreateMutant
SSDT 84921A68 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEE045350]
SSDT 848B3288 ZwFreeVirtualMemory
SSDT 84914E48 ZwImpersonateAnonymousToken
SSDT 848C44F0 ZwImpersonateThread
SSDT 848C1870 ZwMapViewOfSection
SSDT 84AA9ED0 ZwOpenEvent
SSDT 849F0348 ZwOpenProcessToken
SSDT 8477CC70 ZwOpenThreadToken
SSDT 84AA9E00 ZwQueryValueKey
SSDT 847A8058 ZwResumeThread
SSDT 849219A0 ZwSetContextThread
SSDT 847F9128 ZwSetInformationProcess
SSDT 848D53D8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE045580]
SSDT 848F4E68 ZwSuspendProcess
SSDT 84965EF8 ZwSuspendThread
SSDT 847AB310 ZwTerminateProcess
SSDT 847E8260 ZwTerminateThread
SSDT 848C6DA0 ZwUnmapViewOfSection
SSDT 848D5458 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C08 805044A4 4 Bytes CALL 14D4D1FD
.rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xF72DDEA4]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6465360, 0x2456AE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[900] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0080000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B6C21D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\nvata \Device\Harddisk0\DR0 84ABB618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Report •

#5
December 14, 2009 at 19:28:14
Navigate to add/remove programs and uninstall these programs:


URL Assistant
Viewpoint Media Player


Navigate to and delete this folder

C:\Program Files\BAE

Remember..your Nortons antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Please download OTL from following site:

Link1

1. Save it to your desktop
2. Double click the OTL icon on your desktop.
3. Under the Custom Scans/Fixes box at the bottom, paste in the following,everything between the X's:


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Post a new Hijack This log from RSIT please.


Report •

#6
December 16, 2009 at 04:53:56
I am unable to download combofix . There's a message that pops up saying that comfix has issues to be resolved.

Report •

#7
December 16, 2009 at 20:01:27
ComboFix will be down for a while yet.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Report •

#8
December 21, 2009 at 10:19:37
13:17:57:187 2704 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
13:17:57:187 2704 ================================================================================
13:17:57:187 2704 SystemInfo:

13:17:57:187 2704 OS Version: 5.1.2600 ServicePack: 3.0
13:17:57:187 2704 Product type: Workstation
13:17:57:187 2704 ComputerName: D65Q6XC1
13:17:57:187 2704 UserName: Valerie
13:17:57:187 2704 Windows directory: C:\WINDOWS
13:17:57:187 2704 Processor architecture: Intel x86
13:17:57:187 2704 Number of processors: 2
13:17:57:187 2704 Page size: 0x1000
13:17:57:218 2704 Boot type: Normal boot
13:17:57:218 2704 ================================================================================
13:17:57:218 2704 ForceUnloadDriver: NtUnloadDriver error 2
13:17:57:218 2704 ForceUnloadDriver: NtUnloadDriver error 2
13:17:57:218 2704 ForceUnloadDriver: NtUnloadDriver error 2
13:17:57:218 2704 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
13:17:57:312 2704 main: Driver KLMD successfully dropped
13:17:57:343 2704 main: Driver KLMD successfully loaded
13:17:57:343 2704
Scanning Registry ...
13:17:57:406 2704 ScanServices: Searching service UACd.sys
13:17:57:406 2704 ScanServices: Open/Create key error 2
13:17:57:406 2704 ScanServices: Searching service TDSSserv.sys
13:17:57:406 2704 ScanServices: Open/Create key error 2
13:17:57:406 2704 ScanServices: Searching service gaopdxserv.sys
13:17:57:406 2704 ScanServices: Open/Create key error 2
13:17:57:406 2704 ScanServices: Searching service gxvxcserv.sys
13:17:57:406 2704 ScanServices: Open/Create key error 2
13:17:57:406 2704 ScanServices: Searching service MSIVXserv.sys
13:17:57:406 2704 ScanServices: Open/Create key error 2
13:17:57:578 2704 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
13:17:57:703 2704 UnhookRegistry: Kernel local addr: E40000
13:17:57:703 2704 UnhookRegistry: KeServiceDescriptorTable addr: EC5700
13:17:57:750 2704 UnhookRegistry: KiServiceTable addr: E6D460
13:17:57:750 2704 UnhookRegistry: NtEnumerateKey service number (local): 47
13:17:57:750 2704 UnhookRegistry: NtEnumerateKey local addr: F8CFF2
13:17:57:765 2704 KLMD_OpenDevice: Trying to open KLMD device
13:17:57:765 2704 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
13:17:57:765 2704 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
13:17:57:765 2704 UnhookRegistry: NtEnumerateKey service number (kernel): 47
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
13:17:57:765 2704 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
13:17:57:765 2704 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
13:17:57:765 2704 UnhookRegistry: No SDT hooks found on NtEnumerateKey
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
13:17:57:765 2704 UnhookRegistry: No splicing found on NtEnumerateKey
13:17:57:765 2704
Scanning Kernel memory ...
13:17:57:765 2704 KLMD_OpenDevice: Trying to open KLMD device
13:17:57:765 2704 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
13:17:57:765 2704 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:17:57:765 2704 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84B916C0
13:17:57:765 2704 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
13:17:57:765 2704 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 84B1E030
13:17:57:765 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B1E030
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B1E030[0x38]
13:17:57:765 2704 DetectCureTDL3: DRIVER_OBJECT addr: 84B916C0
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B916C0[0xA8]
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0xE179BD00[0x208]
13:17:57:765 2704 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:17:57:765 2704 DetectCureTDL3: IrpHandler (0) addr: F74ADBB0
13:17:57:765 2704 DetectCureTDL3: IrpHandler (1) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (2) addr: F74ADBB0
13:17:57:765 2704 DetectCureTDL3: IrpHandler (3) addr: F74A7D1F
13:17:57:765 2704 DetectCureTDL3: IrpHandler (4) addr: F74A7D1F
13:17:57:765 2704 DetectCureTDL3: IrpHandler (5) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (6) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (7) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (8) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (9) addr: F74A82E2
13:17:57:765 2704 DetectCureTDL3: IrpHandler (10) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (11) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (12) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (13) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (14) addr: F74A83BB
13:17:57:765 2704 DetectCureTDL3: IrpHandler (15) addr: F74ABF28
13:17:57:765 2704 DetectCureTDL3: IrpHandler (16) addr: F74A82E2
13:17:57:765 2704 DetectCureTDL3: IrpHandler (17) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (18) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (19) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (20) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (21) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (22) addr: F74A9C82
13:17:57:765 2704 DetectCureTDL3: IrpHandler (23) addr: F74AE99E
13:17:57:765 2704 DetectCureTDL3: IrpHandler (24) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (25) addr: 804F4562
13:17:57:765 2704 DetectCureTDL3: IrpHandler (26) addr: 804F4562
13:17:57:765 2704 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:17:57:765 2704 KLMD_ReadMem: DeviceIoControl error 1
13:17:57:765 2704 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:17:57:765 2704 TDL3_FileDetect: Processing driver: Disk
13:17:57:765 2704 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
13:17:57:765 2704 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
13:17:57:781 2704 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
13:17:57:812 2704 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 84B238A0
13:17:57:812 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B238A0
13:17:57:812 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B238A0[0x38]
13:17:57:812 2704 DetectCureTDL3: DRIVER_OBJECT addr: 84B916C0
13:17:57:812 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B916C0[0xA8]
13:17:57:812 2704 KLMD_ReadMem: Trying to ReadMemory 0xE179BD00[0x208]
13:17:57:812 2704 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:17:57:812 2704 DetectCureTDL3: IrpHandler (0) addr: F74ADBB0
13:17:57:812 2704 DetectCureTDL3: IrpHandler (1) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (2) addr: F74ADBB0
13:17:57:812 2704 DetectCureTDL3: IrpHandler (3) addr: F74A7D1F
13:17:57:812 2704 DetectCureTDL3: IrpHandler (4) addr: F74A7D1F
13:17:57:812 2704 DetectCureTDL3: IrpHandler (5) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (6) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (7) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (8) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (9) addr: F74A82E2
13:17:57:812 2704 DetectCureTDL3: IrpHandler (10) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (11) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (12) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (13) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (14) addr: F74A83BB
13:17:57:812 2704 DetectCureTDL3: IrpHandler (15) addr: F74ABF28
13:17:57:812 2704 DetectCureTDL3: IrpHandler (16) addr: F74A82E2
13:17:57:812 2704 DetectCureTDL3: IrpHandler (17) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (18) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (19) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (20) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (21) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (22) addr: F74A9C82
13:17:57:812 2704 DetectCureTDL3: IrpHandler (23) addr: F74AE99E
13:17:57:812 2704 DetectCureTDL3: IrpHandler (24) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (25) addr: 804F4562
13:17:57:812 2704 DetectCureTDL3: IrpHandler (26) addr: 804F4562
13:17:57:812 2704 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:17:57:812 2704 KLMD_ReadMem: DeviceIoControl error 1
13:17:57:812 2704 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:17:57:812 2704 TDL3_FileDetect: Processing driver: Disk
13:17:57:812 2704 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
13:17:57:812 2704 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
13:17:57:812 2704 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
13:17:57:828 2704 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 84B23C68
13:17:57:828 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B23C68
13:17:57:828 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B23C68[0x38]
13:17:57:828 2704 DetectCureTDL3: DRIVER_OBJECT addr: 84B916C0
13:17:57:828 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B916C0[0xA8]
13:17:57:828 2704 KLMD_ReadMem: Trying to ReadMemory 0xE179BD00[0x208]
13:17:57:828 2704 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:17:57:828 2704 DetectCureTDL3: IrpHandler (0) addr: F74ADBB0
13:17:57:828 2704 DetectCureTDL3: IrpHandler (1) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (2) addr: F74ADBB0
13:17:57:828 2704 DetectCureTDL3: IrpHandler (3) addr: F74A7D1F
13:17:57:828 2704 DetectCureTDL3: IrpHandler (4) addr: F74A7D1F
13:17:57:828 2704 DetectCureTDL3: IrpHandler (5) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (6) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (7) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (8) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (9) addr: F74A82E2
13:17:57:828 2704 DetectCureTDL3: IrpHandler (10) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (11) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (12) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (13) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (14) addr: F74A83BB
13:17:57:828 2704 DetectCureTDL3: IrpHandler (15) addr: F74ABF28
13:17:57:828 2704 DetectCureTDL3: IrpHandler (16) addr: F74A82E2
13:17:57:828 2704 DetectCureTDL3: IrpHandler (17) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (18) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (19) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (20) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (21) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (22) addr: F74A9C82
13:17:57:828 2704 DetectCureTDL3: IrpHandler (23) addr: F74AE99E
13:17:57:828 2704 DetectCureTDL3: IrpHandler (24) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (25) addr: 804F4562
13:17:57:828 2704 DetectCureTDL3: IrpHandler (26) addr: 804F4562
13:17:57:828 2704 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:17:57:828 2704 KLMD_ReadMem: DeviceIoControl error 1
13:17:57:828 2704 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:17:57:828 2704 TDL3_FileDetect: Processing driver: Disk
13:17:57:828 2704 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
13:17:57:828 2704 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
13:17:57:828 2704 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
13:17:57:828 2704 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 84B25AB8
13:17:57:828 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B25AB8
13:17:57:828 2704 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 84AB5F18
13:17:57:828 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84AB5F18
13:17:57:828 2704 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 84A8C650
13:17:57:828 2704 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A8C650
13:17:57:828 2704 KLMD_ReadMem: Trying to ReadMemory 0x84A8C650[0x38]
13:17:57:843 2704 DetectCureTDL3: DRIVER_OBJECT addr: 84A953E8
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0x84A953E8[0xA8]
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B8F030[0x38]
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B91B38[0xA8]
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0xE179A478[0x208]
13:17:57:843 2704 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
13:17:57:843 2704 DetectCureTDL3: IrpHandler (0) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (1) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (2) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (3) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (4) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (5) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (6) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (7) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (8) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (9) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (10) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (11) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (12) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (13) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (14) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (15) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (16) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (17) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (18) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (19) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (20) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (21) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (22) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (23) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (24) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (25) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: IrpHandler (26) addr: 84B29618
13:17:57:843 2704 DetectCureTDL3: All IRP handlers pointed to one addr: 84B29618
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B29618[0x400]
13:17:57:843 2704 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
13:17:57:843 2704 Driver "nvata" Irp handler infected by TDSS rootkit ... 13:17:57:843 2704 KLMD_WriteMem: Trying to WriteMemory 0x84B2967D[0xD]
13:17:57:843 2704 cured
13:17:57:843 2704 KLMD_ReadMem: Trying to ReadMemory 0x84B294BF[0x400]
13:17:57:843 2704 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
13:17:57:843 2704 Driver "nvata" StartIo handler infected by TDSS rootkit ... 13:17:57:843 2704 TDL3_StartIoHookCure: Number of patches 1
13:17:57:843 2704 KLMD_WriteMem: Trying to WriteMemory 0x84B295B6[0x6]
13:17:57:843 2704 cured
13:17:57:843 2704 TDL3_FileDetect: Processing driver: nvata
13:17:57:859 2704 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\nvata.sys, C:\WINDOWS\system32\Drivers\nvata.tsk, SYSTEM\CurrentControlSet\Services\nvata, system32\Drivers\nvata.tsk
13:17:57:859 2704 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvata.sys
13:17:57:859 2704 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvata.sys
13:17:57:890 2704 File C:\WINDOWS\system32\drivers\nvata.sys infected by TDSS rootkit ... 13:17:57:890 2704 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\nvata.sys
13:17:57:890 2704 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvata.sys
13:17:57:906 2704 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\nvata.tsk
13:17:57:984 2704 TDL3_FileCure: Image path (system32\Drivers\nvata.tsk) was set for service (SYSTEM\CurrentControlSet\Services\nvata)
13:17:57:984 2704 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\nvata.tsk, C:\WINDOWS\system32\drivers\nvata.sys) success
13:17:57:984 2704 will be cured on next reboot
13:17:57:984 2704
Completed

Results:
13:17:57:984 2704 Infected objects in memory: 2
13:17:57:984 2704 Cured objects in memory: 2
13:17:57:984 2704 Infected objects on disk: 1
13:17:57:984 2704 Objects on disk cured on reboot: 1
13:17:57:984 2704 Objects on disk deleted on reboot: 0
13:17:57:984 2704 Registry nodes deleted on reboot: 0
13:17:57:984 2704


Report •

#9
December 21, 2009 at 10:26:22
Please restart the computer.

Follow the directions in response #5 and run ComboFix , post its log.

And let me know if you are stll being redirected.


Report •

#10
December 22, 2009 at 06:12:09
ComboFix 09-12-21.04 - Valerie 12/22/2009 8:55.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.94 [GMT -5:00]
Running from: c:\documents and settings\Valerie\My Documents\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-14 13:41 . 2009-12-14 13:41 -------- d-----w- c:\program files\trend micro
2009-12-14 13:41 . 2009-12-14 13:41 -------- d-----w- C:\rsit
2009-12-02 19:47 . 2009-12-02 19:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-02 12:54 . 2009-12-03 14:22 -------- d-----w- c:\documents and settings\Valerie\Local Settings\Application Data\uamcdn
2009-11-29 17:58 . 2009-11-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-11-29 17:57 . 2009-11-29 17:57 1421449 ----a-w- c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_BurgerRush\IAF.dll
2009-11-29 17:57 . 2009-11-29 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NeoEdge Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 13:47 . 2008-05-05 12:32 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-21 18:26 . 2007-05-01 22:12 105472 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-12-21 18:17 . 2009-12-21 18:17 105472 ----a-w- c:\windows\system32\drivers\nvata.tsk
2009-12-06 14:12 . 2007-05-01 22:32 -------- d-----w- c:\program files\Google
2009-12-03 14:11 . 2009-05-02 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 07:46 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 13:01 . 2009-10-20 13:01 183 ---ha-w- c:\documents and settings\Valerie\hpothb07.dat
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updatemgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-1 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-5 147456]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcods]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcnasvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [10/29/2008 6:05 PM 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:00 AM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
S3 TipCtrl;TipCtrl;"c:\program files\uTIPu\TipCtrl.exe" --> c:\program files\uTIPu\TipCtrl.exe [?]
S4 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/28/2008 1:37 PM 206096]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: att.net\my
Trusted Zone: att.net\webmail
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 09:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvata]
"ImagePath"="system32\Drivers\nvata.tsk"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-22 09:10:14
ComboFix-quarantined-files.txt 2009-12-22 14:10

Pre-Run: 142,018,686,976 bytes free
Post-Run: 142,664,650,752 bytes free

- - End Of File - - 7174606368152BFBBBA8EA21FA0C7915


Report •

#11
December 22, 2009 at 06:23:44
All processes killed
Error: Unable to interpret <Commands> in the current context!
Error: Unable to interpret <[purity]> in the current context!
Error: Unable to interpret <[resethosts]> in the current context!
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[Reboot]> in the current context!

OTL by OldTimer - Version 3.1.19.0 log created on 12222009_091854

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I am not being redirected to other websites. Thank you


Report •

#12
December 22, 2009 at 08:06:44
If you know what this folder is:

c:\documents and settings\Valerie\Local Settings\Application Data\uamcdn

then you can remove it from the combofix script, otherise it looks suspicious.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder:
c:\documents and settings\All Users\Application Data\Trymedia

DIRLOOK::
c:\documents and settings\Valerie\Local Settings\Application Data\uamcdn

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.



Report •

#13
December 23, 2009 at 06:05:42
ComboFix 09-12-22.06 - Valerie 12/23/2009 8:41.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.109 [GMT -5:00]
Running from: c:\documents and settings\Valerie\My Documents\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-22 14:18 . 2009-12-22 14:18 -------- d-----w- C:\_OTL
2009-12-14 13:41 . 2009-12-14 13:41 -------- d-----w- c:\program files\trend micro
2009-12-14 13:41 . 2009-12-14 13:41 -------- d-----w- C:\rsit
2009-12-02 19:47 . 2009-12-02 19:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-29 17:58 . 2009-11-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-11-29 17:57 . 2009-11-29 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NeoEdge Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 13:49 . 2008-05-05 12:32 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-21 18:26 . 2007-05-01 22:12 105472 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-12-21 18:17 . 2009-12-21 18:17 105472 ----a-w- c:\windows\system32\drivers\nvata.tsk
2009-12-06 14:12 . 2007-05-01 22:32 -------- d-----w- c:\program files\Google
2009-12-03 14:11 . 2009-05-02 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 17:57 . 2009-11-29 17:57 1421449 ----a-w- c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_BurgerRush\IAF.dll
2009-10-29 07:46 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 13:01 . 2009-10-20 13:01 183 ---ha-w- c:\documents and settings\Valerie\hpothb07.dat
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Valerie\Local Settings\Application Data\uamcdn ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updatemgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-1 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-5 147456]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcods]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcnasvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [10/29/2008 6:05 PM 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:00 AM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
S3 TipCtrl;TipCtrl;"c:\program files\uTIPu\TipCtrl.exe" --> c:\program files\uTIPu\TipCtrl.exe [?]
S4 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/28/2008 1:37 PM 206096]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: att.net\my
Trusted Zone: att.net\webmail
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 08:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvata]
"ImagePath"="system32\Drivers\nvata.tsk"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-12-23 09:05:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 14:05
ComboFix2.txt 2009-12-23 13:38
ComboFix3.txt 2009-12-22 14:10

Pre-Run: 142,542,917,632 bytes free
Post-Run: 142,509,989,888 bytes free

- - End Of File - - 0F82B91E32884EF60E1035CAB2980313


Report •

#14
December 23, 2009 at 10:35:09
The computer appears to be clean.

A little clean-up to do.

Delete RSIT, Gmer, TDSSKiller, from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster

Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.


Report •


Ask Question