Google Links Redirecting?

December 20, 2009 at 18:05:54
Specs: Windows XP
I just recently had a bad virus and for the most part, I got rid of it. Still, I'm guessing that there's something left over because when I search on Google, the links will bring me to random ad sites.

I'm glad to hear any advice.
Thanks




#1
December 20, 2009 at 18:15:30
Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch the program.
2. (Vista users only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.



#2
December 20, 2009 at 18:23:09
Log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-12-20 21:21:34
Microsoft Windows XP Professional Service Pack 3, v.3311
System drive C: has 20 GB (52%) free of 39 GB
Total RAM: 638 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:14 PM, on 12/20/2009
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=62548
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...ebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...h/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/get...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9071 bytes



#3
December 20, 2009 at 18:23:29
======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1249634151.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-879983540-1606980848-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-879983540-1606980848-500UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll [2009-03-02 636216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-02-12 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-02-12 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-02-12 455168]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2003-04-06 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2003-04-06 114688]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-10 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-02-12 15360]
"Google Update"=C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-29 133104]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-02-12 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-03-01 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe"
"C:\Program Files\ooVoo\ooVoo.exe"="C:\Program Files\ooVoo\ooVoo.exe:*:Enabled:ooVoo"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AIM"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome"
"C:\Program Files\softnyx\GunboundWC\GunBound.gme"="C:\Program Files\softnyx\GunboundWC\GunBound.gme:*:Enabled:GunBound"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-12-20 21:21:34 ----D---- C:\rsit
2009-12-20 20:56:17 ----D---- C:\Program Files\Trend Micro
2009-12-20 11:21:13 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-12-20 11:21:00 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-20 11:20:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-20 10:46:25 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-12-20 10:20:22 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-20 10:18:29 ----D---- C:\Program Files\Lavasoft
2009-12-20 10:18:29 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-12-20 00:04:45 ----D---- C:\WINDOWS\system32\NtmsData
2009-12-19 21:27:49 ----D---- C:\Program Files\Alwil Software
2009-12-19 12:47:54 ----A---- C:\WINDOWS\system32\18467.exe
2009-12-09 23:29:49 ----D---- C:\Program Files\Common Files\INCA Shared
2009-12-06 19:45:19 ----D---- C:\Program Files\Microsoft Works
2009-12-06 19:42:47 ----D---- C:\Program Files\Microsoft.NET
2009-12-03 00:16:40 ----D---- C:\Program Files\iPod
2009-12-03 00:15:42 ----D---- C:\Program Files\iTunes

======List of files/folders modified in the last 1 months======

2009-12-20 21:21:42 ----D---- C:\WINDOWS\Prefetch
2009-12-20 21:08:31 ----D---- C:\WINDOWS\Temp
2009-12-20 20:56:17 ----RD---- C:\Program Files
2009-12-20 18:34:22 ----D---- C:\Program Files\Mozilla Firefox
2009-12-20 18:26:23 ----A---- C:\WINDOWS\NeroDigital.ini
2009-12-20 17:19:29 ----SD---- C:\WINDOWS\Tasks
2009-12-20 17:12:39 ----D---- C:\temp
2009-12-20 15:04:30 ----D---- C:\WINDOWS\system32
2009-12-20 15:04:26 ----D---- C:\WINDOWS\system32\drivers
2009-12-20 15:03:14 ----A---- C:\WINDOWS\win.ini
2009-12-20 15:03:05 ----SHD---- C:\WINDOWS\Installer
2009-12-20 15:02:36 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-20 13:52:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-20 13:41:56 ----D---- C:\WINDOWS\Cursors
2009-12-20 10:28:54 ----D---- C:\WINDOWS
2009-12-20 10:25:43 ----HD---- C:\WINDOWS\inf
2009-12-20 10:25:17 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-20 10:06:11 ----SHD---- C:\System Volume Information
2009-12-20 10:06:11 ----D---- C:\WINDOWS\system32\Restore
2009-12-20 00:04:41 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-12-19 22:19:47 ----D---- C:\WINDOWS\system32\config
2009-12-19 00:54:16 ----D---- C:\Program Files\ooVoo
2009-12-13 11:56:46 ----D---- C:\Program Files\BitComet
2009-12-09 23:29:49 ----D---- C:\Program Files\Common Files
2009-12-07 19:17:12 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-12-06 19:54:42 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-12-06 19:46:11 ----RSD---- C:\WINDOWS\assembly
2009-12-06 19:45:17 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-06 19:43:13 ----RSD---- C:\WINDOWS\Fonts
2009-12-06 19:33:44 ----D---- C:\Program Files\Microsoft Office
2009-12-03 00:16:37 ----D---- C:\Program Files\Common Files\Apple
2009-12-03 00:09:49 ----D---- C:\Program Files\QuickTime
2009-12-03 00:05:12 ----D---- C:\WINDOWS\WinSxS
2009-11-28 11:18:12 ----D---- C:\Program Files\OpenOffice.org 3
2009-11-26 18:38:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-11-26 16:04:20 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-02-12 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-02-12 14592]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-07 56816]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-02-11 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-02-12 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-02-12 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-02-12 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-02-12 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-02-12 20608]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-02-12 121984]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-02-12 17024]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver; C:\WINDOWS\system32\DRIVERS\ManyCam.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-02-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-02-12 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-02-12 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-02-12 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-02-12 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-02-12 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-02-12 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-02-12 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-02-12 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-12-20 1181328]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
R4 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-24 138680]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-10-28 3407292]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-02-12 14336]
S4 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe []
S4 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe /service []
S4 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-24 352920]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
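A small first-pass triage over the two formats posted above (HijackThis "O" entries and the RSIT "files created" rows), added here as an example and not part of the thread or of either tool. The sample lines are constructed from entries in the log, rejoined onto single lines; the "(file missing)" and "Unknown owner" checks and the bare-number file name heuristic are this example's own choices and produce review prompts, not verdicts.

```python
import re

# Constructed sample: a few HijackThis "O" entries copied from the log above,
# each rejoined onto one line.
SAMPLE_HJT = r"""
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# Constructed sample: three rows from the RSIT "files/folders created" list.
SAMPLE_CREATED = r"""
2009-12-20 10:46:25 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-12-19 12:47:54 ----A---- C:\WINDOWS\system32\18467.exe
2009-12-20 10:18:29 ----D---- C:\Program Files\Lavasoft
"""

# "O23 - Service: ..." / "R1 - HKCU\...": a section tag, then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# "2009-12-19 12:47:54 ----A---- C:\path": timestamp, attribute flags, path.
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(?P<attrs>-+[A-Z]*-+) (?P<path>.+)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def triage_hjt(text):
    """Return (section, reasons, line) for HijackThis entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        # HijackThis appends this marker when the referenced file is gone:
        # usually a stale uninstall, but it is a loose end to clean up.
        if body.endswith("(file missing)"):
            reasons.append("entry points at a file that no longer exists")
        # Services without a publisher string deserve a manual look at the binary.
        if section == "O23" and "- Unknown owner -" in body:
            reasons.append("service has no recorded publisher")
        if reasons:
            findings.append((section, reasons, line))
    return findings


def triage_created(text, system32=r"c:\windows\system32"):
    """Return (date, reasons, line) for new executables dropped directly in system32."""
    findings = []
    for line in text.strip().splitlines():
        m = CREATED_LINE.match(line)
        if not m or "D" in m.group("attrs"):  # skip directories
            continue
        folder, _, name = m.group("path").rpartition("\\")
        stem, _, ext = name.rpartition(".")
        reasons = []
        if folder.lower() == system32 and "." + ext.lower() in EXEC_EXT:
            reasons.append("executable created directly in system32")
            # Heuristic only: installers rarely name files with a bare number.
            if stem.isdigit():
                reasons.append("file name is a bare number")
        if reasons:
            findings.append((m.group("date"), reasons, line))
    return findings


if __name__ == "__main__":
    for tag, reasons, line in triage_hjt(SAMPLE_HJT) + triage_created(SAMPLE_CREATED):
        print(f"[{tag}] {'; '.join(reasons)}\n    {line}")
```

On the sample input the two "Unknown owner ... (file missing)" services and the two files created in system32 are reported; the 18467.exe row additionally carries the bare-number note.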



#4
December 20, 2009 at 18:23:54
info:
info.txt logfile of random's system information tool 1.06 2009-
12-20 21:22:21

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall
132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-
DFD08AFE0624}
Ad-Aware-->"C:\Documents and Settings\All
Users\Application Data\{BC9FCCF7-E686-494B-8C9B-
55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE
MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application
Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-
AwareInstallation.exe
Adobe AIR-->c:\Program Files\Common Files\Adobe
AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -
arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-
7FDC93386723}
Adobe Download Manager-->"C:\Program
Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
Adobe Flash Player 10 ActiveX--
>C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.
exe
Adobe Flash Player 10 Plugin--
>C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.e
xe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-
7B44-A92000000001}
AIM 7-->C:\Program Files\AIM\uninst.exe
AIM MusicLink 4.0.0.0--
>C:\PROGRA~1\AIMMUS~1\UNWISE.EXE
C:\PROGRA~1\AIMMUS~1\INSTALL.LOG
AIM MusicLink 4.1.0.0--
>C:\PROGRA~1\AIMMUS~1\UNWISE.EXE
C:\PROGRA~1\AIMMUS~1\INSTALL.LOG
ALTools Update-->"C:\Program
Files\ESTsoft\ALUpdate\unins000.exe"
ALZip-->"C:\Program Files\ESTsoft\ALZip\unins000.exe"
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-
45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
BitComet 1.13-->C:\Program Files\BitComet\uninst.exe
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom 440x 10/100 Integrated Controller-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe
DTS+AC3 ÇÊÅÍ-->"C:\Program Files\DtsFilter\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL
Microsoft Office Word 2007-->MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (2.0.0.20)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
ooVoo-->"C:\Program Files\InstallShield Installation Information\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}\setup.exe" -runfromtemp -l0x0009 -removeonly
PopCap Browser Plugin-->C:\Program Files\PopCap Games\PopCap Browser Plugin\Uninstall.exe
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

======Hosts File======

127.0.0.1 mpa.one.microsoft.com

======Security center information======

AV: AntiVir Desktop (disabled) (outdated)



#5
December 20, 2009 at 18:24:09
======System event log======

Computer Name: USER-B7BE4B94BF
Event Code: 10016
Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Record Number: 8049
Source Name: DCOM
Time Written: 20091122192807.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-B7BE4B94BF
Event Code: 10016
Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Record Number: 8002
Source Name: DCOM
Time Written: 20091122092913.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-B7BE4B94BF
Event Code: 36
Message: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Record Number: 7998
Source Name: W32Time
Time Written: 20091121225611.000000-300
Event Type: warning
User:

Computer Name: USER-B7BE4B94BF
Event Code: 10016
Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Record Number: 7939
Source Name: DCOM
Time Written: 20091121091647.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-B7BE4B94BF
Event Code: 10016
Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Record Number: 7900
Source Name: DCOM
Time Written: 20091120194322.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: USER-B7BE4B94BF
Event Code: 1002
Message: Hanging application firefox.exe, version 1.8.20081.21709, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 161
Source Name: Application Hang
Time Written: 20090725220914.000000-240
Event Type: error
User:

Computer Name: USER-B7BE4B94BF
Event Code: 1002
Message: Hanging application firefox.exe, version 1.8.20081.21709, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 160
Source Name: Application Hang
Time Written: 20090725124157.000000-240
Event Type: error
User:

Computer Name: USER-B7BE4B94BF
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Record Number: 159
Source Name: crypt32
Time Written: 20090724105451.000000-240
Event Type: error
User:

Computer Name: USER-B7BE4B94BF
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Record Number: 154
Source Name: crypt32
Time Written: 20090723102640.000000-240
Event Type: error
User:

Computer Name: USER-B7BE4B94BF
Event Code: 1517
Message: Windows saved user USER-B7BE4B94BF\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 149
Source Name: Userenv
Time Written: 20090723020517.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM
======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ESTsoft\ALZip;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------



#6
December 20, 2009 at 18:36:51
I tried to run Gmer.exe, but in the middle of scanning, a
message came up that said "(file name).exe has encountered a
problem and has to turn off" or something.
Then my computer restarted itself.


#7
December 20, 2009 at 18:43:13
1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.



#8
December 20, 2009 at 18:52:41

Host Name: USER-B7BE4B94BF
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3, v.3311 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: USER
Registered Organization:
Product ID: 55274-640-6214726-23160
Original Install Date: 7/15/2009, 2:19:58 AM
System Up Time: 0 Days, 0 Hours, 21 Minutes, 3 Seconds
System Manufacturer: Dell Computer Corporation
System Model: Dimension 2400
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2193 Mhz
BIOS Version: DELL - 7
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 638 MB
Available Physical Memory: 188 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use: 44 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\USER-B7BE4B94BF
Hotfix(s): 10 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: Q147222
[05]: IDNMitigationAPIs
[06]: NLSDownlevelMapping
[07]: MSCompPackV1 - Update
[08]: KB888111 - Update
[09]: KB915865 - Update
[10]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: Broadcom 440x 10/100 Integrated Controller
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.0.1
IP address(es)
[01]: 192.168.0.104
21:55:24:390 1088 ForceUnloadDriver: NtUnloadDriver error 2
21:55:24:406 1088 ForceUnloadDriver: NtUnloadDriver error 2
21:55:24:406 1088 ForceUnloadDriver: NtUnloadDriver error 2
21:55:24:406 1088 main: Driver KLMD successfully dropped
21:55:24:500 1088 main: Driver KLMD successfully loaded
21:55:24:500 1088
Scanning Registry ...
21:55:24:500 1088 ScanServices: Searching service UACd.sys
21:55:24:500 1088 ScanServices: Open/Create key error 2
21:55:24:500 1088 ScanServices: Searching service TDSSserv.sys
21:55:24:500 1088 ScanServices: Open/Create key error 2
21:55:24:500 1088 ScanServices: Searching service gaopdxserv.sys
21:55:24:500 1088 ScanServices: Open/Create key error 2
21:55:24:500 1088 ScanServices: Searching service gxvxcserv.sys
21:55:24:500 1088 ScanServices: Open/Create key error 2
21:55:24:500 1088 ScanServices: Searching service MSIVXserv.sys
21:55:24:500 1088 ScanServices: Open/Create key error 2
21:55:24:515 1088 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
21:55:24:671 1088 UnhookRegistry: Kernel local addr: E40000
21:55:24:703 1088 UnhookRegistry: KeServiceDescriptorTable addr: EC3220
21:55:24:765 1088 UnhookRegistry: KiServiceTable addr: E4B6A8
21:55:24:765 1088 UnhookRegistry: NtEnumerateKey service number (local): 47
21:55:24:765 1088 UnhookRegistry: NtEnumerateKey local addr: ED9D64
21:55:24:765 1088 KLMD_OpenDevice: Trying to open KLMD device
21:55:24:765 1088 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
21:55:24:765 1088 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
21:55:24:765 1088 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
21:55:24:765 1088 UnhookRegistry: NtEnumerateKey service number (kernel): 47
21:55:24:765 1088 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
21:55:24:765 1088 UnhookRegistry: NtEnumerateKey real addr: 80570D64
21:55:24:765 1088 UnhookRegistry: NtEnumerateKey calc addr: 80570D64
21:55:24:765 1088 UnhookRegistry: No SDT hooks found on NtEnumerateKey
21:55:24:765 1088 KLMD_ReadMem: Trying to ReadMemory 0x80570D64[0xA]
21:55:24:765 1088 UnhookRegistry: No splicing found on NtEnumerateKey
21:55:24:765 1088
Scanning Kernel memory ...
21:55:24:781 1088 KLMD_OpenDevice: Trying to open KLMD device
21:55:24:781 1088 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
21:55:24:781 1088 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:55:24:781 1088 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82BDFA08
21:55:24:781 1088 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
21:55:24:781 1088 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 82B979F0
21:55:24:781 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B979F0
21:55:24:781 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B979F0[0x38]
21:55:24:781 1088 DetectCureTDL3: DRIVER_OBJECT addr: 82BDFA08
21:55:24:781 1088 KLMD_ReadMem: Trying to ReadMemory 0x82BDFA08[0xA8]
21:55:24:781 1088 KLMD_ReadMem: Trying to ReadMemory 0xE101AFB8[0x208]
21:55:24:781 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:55:24:781 1088 DetectCureTDL3: IrpHandler (0) addr: F8C2CBB0
21:55:24:781 1088 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (2) addr: F8C2CBB0
21:55:24:781 1088 DetectCureTDL3: IrpHandler (3) addr: F8C26D1F
21:55:24:781 1088 DetectCureTDL3: IrpHandler (4) addr: F8C26D1F
21:55:24:781 1088 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (9) addr: F8C272E2
21:55:24:781 1088 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (14) addr: F8C273BB
21:55:24:781 1088 DetectCureTDL3: IrpHandler (15) addr: F8C2AF28
21:55:24:781 1088 DetectCureTDL3: IrpHandler (16) addr: F8C272E2
21:55:24:781 1088 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (22) addr: F8C28C82
21:55:24:781 1088 DetectCureTDL3: IrpHandler (23) addr: F8C2D99E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
21:55:24:781 1088 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
21:55:24:781 1088 KLMD_ReadMem: DeviceIoControl error 1
21:55:24:781 1088 TDL3_StartIoHookDetect: Unable to get StartIo handler code
21:55:24:781 1088 TDL3_FileDetect: Processing driver: Disk
21:55:24:781 1088 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
21:55:24:781 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
21:55:24:781 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
21:55:24:812 1088 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82B7EAB8
21:55:24:843 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B7EAB8
21:55:24:843 1088 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82B93D98
21:55:24:843 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B93D98
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B93D98[0x38]
21:55:24:843 1088 DetectCureTDL3: DRIVER_OBJECT addr: 82B18A48
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B18A48[0xA8]
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B58030[0x38]
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B83308[0xA8]
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0xE10159C8[0x208]
21:55:24:843 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:55:24:843 1088 DetectCureTDL3: IrpHandler (0) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (1) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (2) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (3) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (4) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (5) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (6) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (7) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (8) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (9) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (10) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (11) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (12) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (13) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (14) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (15) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (16) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (17) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (18) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (19) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (20) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (21) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (22) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (23) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (24) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (25) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (26) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: All IRP handlers pointed to one addr: 82B36618
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B36618[0x400]
21:55:24:843 1088 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
21:55:24:843 1088 Driver "atapi" Irp handler infected by TDSS rootkit ... 21:55:24:843 1088 KLMD_WriteMem: Trying to WriteMemory 0x82B3667D[0xD]
21:55:24:843 1088 cured
21:55:24:843 1088 KLMD_ReadMem: Trying to ReadMemory 0x82B364BF[0x400]
21:55:24:843 1088 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
21:55:24:843 1088 Driver "atapi" StartIo handler infected by TDSS rootkit ... 21:55:24:843 1088 TDL3_StartIoHookCure: Number of patches 1
21:55:24:843 1088 KLMD_WriteMem: Trying to WriteMemory 0x82B365B6[0x6]
21:55:24:843 1088 cured
21:55:24:843 1088 TDL3_FileDetect: Processing driver: atapi
21:55:24:843 1088 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
21:55:24:843 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
21:55:24:843 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
21:55:24:906 1088 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 21:55:24:906 1088 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
21:55:24:906 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
21:55:24:906 1088 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
21:55:24:984 1088 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
21:55:24:984 1088 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
21:55:24:984 1088 will be cured on next reboot
21:55:24:984 1088
Completed

Results:
21:55:25:0 1088 Infected objects in memory: 2
21:55:25:0 1088 Cured objects in memory: 2
21:55:25:0 1088 Infected objects on disk: 1
21:55:25:0 1088 Objects on disk cured on reboot: 1
21:55:25:0 1088 Objects on disk deleted on reboot: 0
21:55:25:0 1088 Registry nodes deleted on reboot: 0
21:55:25:0 1088


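
The log above shows how TDSSKiller reached its verdict: all 27 IRP dispatch entries of \Driver\atapi point at one address (82B36618) while \Driver\Disk's entries are spread over several routines, and the file scan then confirmed atapi.sys itself was patched. As an added example (not part of the thread and not TDSSKiller's code), the Python below re-applies that "every handler shares one address" check to a constructed excerpt of the log and cross-checks it against the lines where the tool itself said "infected"; the regexes, function names and trimmed sample are assumptions built from the log text.

```python
# Added example: re-applies the IRP-table heuristic visible in the TDSSKiller
# log to a constructed excerpt of it. Not the tool's own code.
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the log posted above, keeping three
# IrpHandler entries per driver instead of all 27.
SAMPLE_LOG = """\
21:55:24:781 1088 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
21:55:24:781 1088 DetectCureTDL3: IrpHandler (0) addr: F8C2CBB0
21:55:24:781 1088 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
21:55:24:781 1088 DetectCureTDL3: IrpHandler (2) addr: F8C2CBB0
21:55:24:843 1088 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
21:55:24:843 1088 DetectCureTDL3: IrpHandler (0) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (1) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: IrpHandler (2) addr: 82B36618
21:55:24:843 1088 DetectCureTDL3: All IRP handlers pointed to one addr: 82B36618
21:55:24:843 1088 Driver "atapi" Irp handler infected by TDSS rootkit ...
21:55:24:843 1088 Driver "atapi" StartIo handler infected by TDSS rootkit ...
21:55:24:906 1088 File C:\\WINDOWS\\system32\\drivers\\atapi.sys infected by TDSS rootkit ...
21:55:25:0 1088 Infected objects in memory: 2
21:55:25:0 1088 Cured objects in memory: 2
21:55:25:0 1088 Infected objects on disk: 1
"""

# Patterns assumed from the log format seen in the thread.
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r'(?:Driver "(\w+)" \w+ handler|File (\S+)) infected by TDSS rootkit')
RESULT_RE = re.compile(r"((?:Infected|Cured) objects (?:in memory|on disk)): (\d+)")


def parse_irp_tables(log_text):
    """Return {driver name: [handler address, ...]} in order of appearance."""
    tables = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = []
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current].append(m.group(2).upper())
    return tables


def suspicious_drivers(tables, min_entries=3):
    """Drivers whose IRP entries all resolve to a single address.

    A clean table points at several driver routines (plus the kernel's default
    handler for IRPs the driver does not support); one address for everything
    is the hook pattern TDSSKiller reported for atapi."""
    found = {}
    for name, addrs in tables.items():
        if len(addrs) >= min_entries and len(set(addrs)) == 1:
            found[name] = addrs[0]
    return found


def tool_verdicts(log_text):
    """Driver names and file paths the tool itself marked infected."""
    drivers, files = set(), set()
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m and m.group(1):
            drivers.add(m.group(1))
        elif m and m.group(2):
            files.add(m.group(2))
    return drivers, files


def parse_results(log_text):
    """The 'Results:' counters as {label: count}."""
    counts = {}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def triage(log_text):
    """Heuristic findings, the tool's own verdicts, and whether they agree."""
    tables = parse_irp_tables(log_text)
    heuristic = suspicious_drivers(tables)
    drivers, files = tool_verdicts(log_text)
    return {
        "heuristic": heuristic,
        "tool_drivers": drivers,
        "tool_files": files,
        "agree": set(heuristic) == drivers,
        "results": parse_results(log_text),
    }


if __name__ == "__main__":
    for name, addrs in parse_irp_tables(SAMPLE_LOG).items():
        print(f"{name}: {len(addrs)} IRP entries, {len(set(addrs))} distinct address(es)")
    print(triage(SAMPLE_LOG))
```
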

#9
December 20, 2009 at 19:17:32
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Then navigate to and make sure this file exists:

C:\Windows\System32\drivers\atapi.sys

If so, exit and restart the computer; if not, do not restart the computer. Let me know.



#10
December 20, 2009 at 19:26:52
It exists.
What should I do after I've restarted my computer?


#11
December 20, 2009 at 19:33:59
Go to Add/Remove Programs and uninstall these programs:


Viewpoint Media Player (known to harbor spyware)

Remember: your Avira/Avast antivirus (you should uninstall one of the antivirus programs, you only need one) and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#12
December 20, 2009 at 19:59:59
ComboFix 09-12-20.03 - Administrator 12/20/2009
22:53:39.1.1 - x86
Running from: c:\documents and settings\Administrator\My
Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled*
(Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\18467.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-
21 )))))))))))))))))))))))))))))))
.

2009-12-21 02:55 . 2009-12-21 02:55 96512 ----a-w-
c:\windows\system32\drivers\tsk_atapi.sys
2009-12-21 02:55 . 2009-12-21 02:55 16904 ----a-w-
c:\windows\system32\drivers\KLMD.sys
2009-12-21 02:21 . 2009-12-21 02:22 -------- d-----w-
C:\rsit
2009-12-21 01:56 . 2009-12-21 02:22 -------- d-----w-
c:\program files\Trend Micro
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w-
c:\documents and settings\Administrator\Application
Data\Malwarebytes
2009-12-20 16:21 . 2009-12-03 21:14 38224 ----a-w-
c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 16:21 . 2009-12-20 16:21 -------- d-----w-
c:\documents and settings\All Users\Application
Data\Malwarebytes
2009-12-20 16:20 . 2009-12-20 16:21 -------- d-----w-
c:\program files\Malwarebytes' Anti-Malware
2009-12-20 16:20 . 2009-12-03 21:13 19160 ----a-w-
c:\windows\system32\drivers\mbam.sys
2009-12-20 15:46 . 2009-12-02 13:19 15880 ----a-w-
c:\windows\system32\lsdelete.exe
2009-12-20 15:25 . 2009-12-02 13:19 64288 ----a-w-
c:\windows\system32\drivers\Lbd.sys
2009-12-20 15:20 . 2009-12-20 15:20 -------- dc-h--w-
c:\documents and settings\All Users\Application
Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-20 15:20 . 2009-12-07 14:10 2953352 -c--a-w-
c:\documents and settings\All Users\Application
Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-
AwareInstallation.exe
2009-12-20 15:18 . 2009-12-20 15:25 -------- d-----w-
c:\documents and settings\All Users\Application
Data\Lavasoft
2009-12-20 15:18 . 2009-12-20 15:18 -------- d-----w-
c:\program files\Lavasoft
2009-12-20 05:04 . 2009-12-20 05:05 -------- d-----w-
c:\windows\system32\NtmsData
2009-12-20 02:27 . 2009-12-20 02:27 -------- d-----w-
c:\program files\Alwil Software
2009-12-10 04:30 . 2005-01-01 09:43 4682 ----a-w-
c:\windows\system32\npptNT2.sys
2009-12-10 04:29 . 2009-12-10 04:29 -------- d-----w-
c:\program files\Common Files\INCA Shared
2009-12-07 00:45 . 2009-12-07 00:45 -------- d-----w-
c:\program files\Microsoft Works
2009-12-07 00:42 . 2009-12-07 00:42 -------- d-----w-
c:\program files\Microsoft.NET
2009-12-03 05:16 . 2009-12-03 05:16 -------- d-----w-
c:\program files\iPod
2009-12-03 05:15 . 2009-12-03 05:18 -------- d-----w-
c:\program files\iTunes
2009-12-03 05:02 . 2009-12-03 05:02 79144 ----a-w-
c:\documents and settings\All Users\Application Data\Apple
Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report
))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 03:45 . 2009-07-19 23:27 -------- d-----w-
c:\documents and settings\All Users\Application
Data\Viewpoint
2009-12-21 03:45 . 2009-07-19 23:27 -------- d-----w-
c:\program files\Viewpoint
2009-12-21 03:31 . 2008-02-12 10:13 96512 ----a-w-
c:\windows\system32\drivers\atapi.sys
2009-12-19 05:54 . 2009-08-22 03:55 -------- d-----w-
c:\program files\ooVoo
2009-12-13 16:56 . 2009-07-21 04:53 -------- d-----w-
c:\program files\BitComet
2009-12-08 01:08 . 2009-07-16 03:48 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-07 00:54 . 2009-07-16 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-07 00:46 . 2009-07-20 00:02 50968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-03 05:16 . 2009-07-19 23:54 -------- d-----w- c:\program files\Common Files\Apple
2009-12-03 05:09 . 2009-09-24 11:21 -------- d-----w- c:\program files\QuickTime
2009-11-28 16:18 . 2009-11-02 00:15 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-27 05:07 . 2009-10-17 20:09 40288 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-26 23:38 . 2009-07-22 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-11-26 21:04 . 2009-07-22 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-11-07 19:00 . 2009-08-30 06:58 -------- d-----w- c:\program files\Java
2009-11-07 18:59 . 2009-11-07 18:59 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-05 21:29 . 2009-11-05 21:29 -------- d-----w- c:\program files\PopCap Games
2009-11-02 00:23 . 2009-11-02 00:23 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-02 00:22 . 2009-11-02 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-10-27 04:31 . 2009-10-27 04:31 -------- d-----w- c:\program files\Lame for Audacity
2009-10-26 20:56 . 2009-10-26 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-26 20:56 . 2009-10-26 20:56 -------- d-----w- c:\program files\AIM
2009-10-26 20:55 . 2009-10-26 20:55 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-11 09:17 . 2009-08-30 07:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 00:00 . 2009-08-10 00:00 604 ---ha-w- c:\program files\STLL Notifier
2008-12-17 21:59 . 2009-07-22 23:35 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-07-22 23:35 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-07-22 23:35 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-07-22 23:35 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-07-22 23:35 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-12-21 03:31 . B3F70CF6AC21C276F47361022BA79E00 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-02-12 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[7] 2008-02-12 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\system32\dllcache\atapi.sys

[-] 2008-03-01 . F245584ACFC1B372DE3FC083BD7FD59B . 361344 . . [5.1.2600.3311] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-03-01 . EC8988B97C4C71A7604AE97DDB149361 . 1614848 . . [5.1.2600.3311] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-02-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-02-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-02-12 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27600:TCP"= 27600:TCP:BitComet 27600 TCP
"27600:UDP"= 27600:UDP:BitComet 27600 UDP
"65000:TCP"= 65000:TCP:BitComet 65000 TCP
"65000:UDP"= 65000:UDP:BitComet 65000 UDP
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/20/2009 10:25 AM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/15/2009 10:48 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD_SYSTEM
*Deregistered* - KLMD_System
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9k983wsn.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9k983wsn.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

AddRemove-AIM MusicLink 4.0.0.0 - c:\progra~1\AIMMUS~1\UNWISE.EXE
AddRemove-AIM MusicLink 4.1.0.0 - c:\progra~1\AIMMUS~1\UNWISE.EXE
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 22:58
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2009-12-20 23:01:54
ComboFix-quarantined-files.txt 2009-12-21 04:01

Pre-Run: 21,081,186,304 bytes free
Post-Run: 21,317,169,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 862ED0C12EE1EB6BB9CBC83A0FCAF295


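The Sigcheck block in the log above lists the live copy of each protected file (marked `[-]`) beside the copies Windows keeps in `dllcache` and `ReinstallBackups` (marked `[7]`), with an MD5, size and version for each. For atapi.sys the live copy's hash differs from both backups and its version field is empty, while tcpip.sys and sfcfiles.dll have no backup copy listed to compare against. The PowerShell below repeats that comparison on a running machine so the result can be checked after a cleanup rather than read off a log. It is an added example, not ComboFix's code and not something posted in the thread; it assumes Windows XP SP3 with PowerShell 2.0 installed, the default `%SystemRoot%` layout and an administrator account, and the three file names are the ones from the log.

```powershell
# Added example (not from the thread): hash the live copy of a Windows
# system file and compare it with the reference copies Windows keeps,
# the same locations ComboFix's Sigcheck block reports.
# Assumptions: Windows XP SP3, PowerShell 2.0, default %SystemRoot% layout.

function Get-Md5Hex {
    param([string]$Path)
    # MD5 is used only because the log reports MD5: it is a match key against
    # the reference copies, not a security guarantee on its own.
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString("X2") }) -join ""
}

function Compare-SystemFileToBackups {
    param([Parameter(Mandatory=$true)][string]$Name)
    $sys32 = Join-Path $env:SystemRoot "system32"

    # The live copy is what the kernel loads: drivers\ for .sys, system32\ for DLLs.
    $live = $null
    foreach ($candidate in @((Join-Path $sys32 "drivers\$Name"), (Join-Path $sys32 $Name))) {
        if (Test-Path $candidate) { $live = $candidate; break }
    }
    if (-not $live) { throw "no live copy of $Name under $sys32" }

    # Reference copies: the Windows File Protection cache and any driver
    # reinstall backups (the "[7]" entries in the ComboFix output).
    $refs  = @()
    $cache = Join-Path $sys32 "dllcache\$Name"
    if (Test-Path $cache) { $refs += $cache }
    $backups = Join-Path $sys32 "ReinstallBackups"
    if (Test-Path $backups) {
        $found = @(Get-ChildItem $backups -Recurse -Filter $Name | ForEach-Object { $_.FullName })
        if ($found.Count -gt 0) { $refs += $found }
    }

    $liveHash = Get-Md5Hex $live
    $liveVer  = (Get-Item $live).VersionInfo.FileVersion

    if ($refs.Count -eq 0) {
        # Same situation as tcpip.sys and sfcfiles.dll in the log: nothing on
        # disk to compare against, so report the hash for an out-of-band check.
        New-Object PSObject -Property @{
            File = $Name; Live = $live; LiveMd5 = $liveHash; LiveVersion = $liveVer
            Reference = "(none on disk)"; RefMd5 = $null; Match = $null
        }
        return
    }
    foreach ($ref in $refs) {
        $refHash = Get-Md5Hex $ref
        New-Object PSObject -Property @{
            File = $Name; Live = $live; LiveMd5 = $liveHash; LiveVersion = $liveVer
            Reference = $ref; RefMd5 = $refHash; Match = ($liveHash -eq $refHash)
        }
    }
}

"atapi.sys", "tcpip.sys", "sfcfiles.dll" |
    ForEach-Object { Compare-SystemFileToBackups $_ } |
    Format-Table File, Match, LiveVersion, LiveMd5, Reference -AutoSize
```

A `Match` of `False` with an empty `LiveVersion` is the condition the log shows for atapi.sys; it says the file on disk is not the copy Windows installed, not what replaced it. For a file with no reference copy, compare `LiveMd5` against a copy taken from installation media or the service pack, or let `sfc /scannow` replace it. Do not rely on `Get-AuthenticodeSignature` for this on XP: Microsoft's system files there are signed through catalogs, not embedded signatures, so that cmdlet reports `NotSigned` for clean files; `sigverif.exe` is the tool that checks catalog signatures.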

#13
December 20, 2009 at 20:21:59
Are you still being redirected?


#14
December 20, 2009 at 20:23:24
No I'm not!

Thanks so much for the help!
=)



#15
December 20, 2009 at 20:35:55
A little clean-up to do.

Delete RSIT, GMER.exe, TDSSKiller from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start> control panel> system> system restore tab> check the box beside "turn off system restore"> apply (takes a minute)> ok. Go back and uncheck the box to turn system restore back on> apply> ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create> click home> exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.


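The clean-up in the post above is five manual steps: delete the scanning tools, run `ComboFix /Uninstall`, clear temporary files with ATF-Cleaner, flush and re-enable System Restore, then take a fresh restore point. The script below carries the scriptable parts of that procedure through in one run, using the `SystemRestore` WMI class for the restore-point steps that the post does through the Control Panel and msconfig. It is an added example, not something posted in the thread; it assumes Windows XP SP3 with PowerShell 2.0, an administrator account, the tools sitting on the current user's desktop and `C:` as the system drive. The GMER file name is random, so `n7gmo46c.exe` (the example name used earlier in the thread) has to be replaced with the real one.

```powershell
# Added example (not from the thread): the clean-up steps from the post
# above as one script. Assumptions: Windows XP SP3, PowerShell 2.0, run as
# Administrator, tools on the current user's desktop, system drive C:.

$desktop = [Environment]::GetFolderPath("Desktop")
# n7gmo46c.exe stands in for GMER's randomly generated file name.
$tools   = "RSIT.exe", "n7gmo46c.exe", "TDSSKiller.exe"

# 1. Remove the scanning tools.
foreach ($t in $tools) {
    $p = Join-Path $desktop $t
    if (Test-Path $p) { Remove-Item $p -Force; Write-Host "removed $p" }
}

# 2. ComboFix /Uninstall, waiting for it to finish as the post advises.
$cf = Join-Path $desktop "ComboFix.exe"
if (Test-Path $cf) { Start-Process -FilePath $cf -ArgumentList "/Uninstall" -Wait }

# 3. Temp files: the part of ATF-Cleaner's "Select All" that is easy to
#    script. Browser caches, cookies and history are left to the tool itself.
foreach ($dir in $env:TEMP, (Join-Path $env:SystemRoot "Temp")) {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# 4. Flush System Restore. Disabling it on the drive discards every existing
#    restore point (any of them could bring the removed files back); then
#    re-enable it and take a fresh point named with today's date, which is
#    what the Control Panel and msconfig steps in the post do by hand.
$sr = [wmiclass]"root\default:SystemRestore"
$null = $sr.Disable("C:\")
$null = $sr.Enable("C:\", $true)
$desc = "Clean " + (Get-Date -Format "yyyy-MM-dd")
# 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE event.
$result = $sr.CreateRestorePoint($desc, 0, 100)
if ($result.ReturnValue -ne 0) {
    Write-Warning "CreateRestorePoint returned $($result.ReturnValue)"
} else {
    Write-Host "restore point '$desc' created"
}

# 5. SpywareBlaster has no scripted updater: install it and update it weekly by hand.
```

Run it from a PowerShell prompt with nothing else open, because `ComboFix /Uninstall` expects the machine to itself. The `Disable`/`Enable` pair is the step that matters: `Checkpoint-Computer` in PowerShell 2.0 can create a restore point, but it cannot discard the old ones, and a restore point taken while the machine was infected is exactly what the post's "empty the restore folder" step is meant to get rid of. Restart afterwards, as the post says.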