google redirect and getting worse

April 7, 2010 at 17:21:46
Specs: Windows Vista
I have tried Avira antivirus and also Ad-Aware.
I'm in the process of doing step one from another post by using Malwarebytes, so I will see after, but please do help me.
Oh, I am referring to the Google redirect virus, and also, if it were not for my system restore point I was able to get to, I wouldn't be able to open any programs without it saying "choose file to open with", in which even if I do find it on my PC it still won't run, so eventually I can't even run Ad-Aware or Avira to even try finding the problem.

#1
April 7, 2010 at 20:06:57
Follow Tufenuf's advice at this link:

http://jogtheweb.computing.net/articles/open-with/Security-1 (copy/paste into your browser)

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt (do not zip just copy/paste)

Save both reports to your desktop, then post them please. You may need to post in segments to get all the info to us, as the logs may be too large to fit in one post.

#2
April 8, 2010 at 09:41:43
It looks like there is a lot of this computer infection lately. I wonder if people are catching it while browsing malicious websites or while they try to download cracked software! It doesn't look like chance if so many users have got the same issue all of a sudden...

#3
April 8, 2010 at 09:54:20

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 3/28/2010 9:11:59 PM
System Uptime: 4/8/2010 9:45:39 AM (0 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 110 GiB total, 42.325 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&56BBDF8&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&56BBDF8&0&0AF0
Service:

Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&56BBDF8&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&56BBDF8&0&0BF0
Service:

==== System Restore Points ===================

RP34: 4/6/2010 7:07:05 PM - Restore Operation
RP44: 4/7/2010 4:44:01 PM - Restore Operation
RP45: 4/7/2010 4:57:06 PM - good start

==== Installed Programs ======================

µTorrent
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Avira AntiVir Personal - Free Antivirus
Bonjour
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Norton AntiVirus
OEM Logo and Information
QuickTime
Safari
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.5
WinRAR archiver

==== Event Viewer Messages From Past Week ========

4/8/2010 9:31:25 AM, Error: Service Control Manager [7011]
- A timeout (30000 milliseconds) was reached while waiting
for a transaction response from the ShellHWDetection
service.
4/8/2010 9:05:27 AM, Error: Service Control Manager [7026]
- The following boot-start or system-start driver(s) failed to
load: avipbb BHDrvx86 ccHP eeCtrl IDSVix86 spldr SRTSP
SRTSPX ssmdrv SymIRON SYMTDIv Wanarpv6
4/8/2010 8:57:40 AM, Error: Service Control Manager [7026]
- The following boot-start or system-start driver(s) failed to
load: AFD avipbb BHDrvx86 ccHP CSC DfsC eeCtrl
IDSVix86 NetBIOS netbt nsiproxy PSched RasAcd rdbss
Smb spldr SRTSP SRTSPX ssmdrv SymIRON SYMTDIv tdx
Wanarpv6
4/7/2010 9:56:15 AM, Error: EventLog [6008] - The previous
system shutdown at 9:48:03 AM on 4/7/2010 was
unexpected.
4/7/2010 9:24:13 AM, Error: EventLog [6008] - The previous
system shutdown at 9:21:50 AM on 4/7/2010 was
unexpected.
4/7/2010 9:22:35 AM, Error: Service Control Manager [7031]
- The Windows Search service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will
be taken in 30000 milliseconds: Restart the service.
4/7/2010 9:22:29 AM, Error: Service Control Manager [7034]
- The Bonjour Service service terminated unexpectedly. It
has done this 1 time(s).
4/7/2010 8:36:27 PM, Error: EventLog [6008] - The previous
system shutdown at 8:36:19 PM on 4/7/2010 was
unexpected.
4/7/2010 8:22:31 PM, Error: Service Control Manager [7034]
- The plasservice service terminated unexpectedly. It has
done this 1 time(s).
4/7/2010 4:57:03 PM, Error: Microsoft-Windows-Windows
Defender [2004] - Windows Defender has encountered an
error trying to load signatures and will attempt reverting back
to a known-good set of signatures. Signatures
Attempted: Current Error Code: 0x8050a001 Error
description: The program can't find definition files that help
detect unwanted software. Check for updates to the definition
files, and then try again. For information on installing
updates, see Help and Support. Signatures loading:
Backup Loading signature version: 1.79.953.0 Loading
engine version: 1.1.5605.0
4/7/2010 4:31:24 PM, Error: EventLog [6008] - The previous
system shutdown at 4:17:48 PM on 4/7/2010 was
unexpected.
4/7/2010 10:56:21 AM, Error: Microsoft-Windows-
DistributedCOM [10016] - The machine-default permission
settings do not grant Local Activation permission for the
COM Server application with CLSID {9BA05972-F6A8-11CF-
A442-00A0C90A8F39} to the user first-PC\first SID (S-1-5-
21-1452401792-129757957-2289015568-1000) from address
LocalHost (Using LRPC). This security permission can be
modified using the Component Services administrative tool.
4/7/2010 10:56:21 AM, Error: Microsoft-Windows-
DistributedCOM [10016] - The machine-default permission
settings do not grant Local Activation permission for the
COM Server application with CLSID {682159D9-C321-47CA-
B3F1-30E36B2EC8B9} to the user first-PC\first SID (S-1-5-
21-1452401792-129757957-2289015568-1000) from address
LocalHost (Using LRPC). This security permission can be
modified using the Component Services administrative tool.
4/7/2010 10:05:25 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1084"
attempting to start the service WSearch with arguments "" in
order to run the server: {9E175B6D-F52A-11D8-B9A5-
505054503030}
4/7/2010 10:04:51 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1068"
attempting to start the service netprofm with arguments "" in
order to run the server: {A47979D2-C419-11D9-A5B4-
001185AD2B89}
4/7/2010 10:04:51 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1068"
attempting to start the service netman with arguments "" in
order to run the server: {BA126AD1-2166-11D1-B1D0-
00805FC1270E}
4/7/2010 10:04:51 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1068"
attempting to start the service fdPHost with arguments "" in
order to run the server: {145B4335-FE2A-4927-A040-
7C35AD3180EF}
4/7/2010 10:04:50 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1084"
attempting to start the service EventSystem with arguments
"" in order to run the server: {1BE1F766-5536-11D1-B726-
00C04FB926AF}
4/7/2010 10:04:42 AM, Error: Microsoft-Windows-
DistributedCOM [10005] - DCOM got error "1084"
attempting to start the service ShellHWDetection with
arguments "" in order to run the server: {DD522ACC-F821-
461A-A407-50B198B896DC}
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7026] - The following boot-start or system-start driver(s)
failed to load: AFD aswRdr aswSP aswTdi CSC DfsC
NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr
tdx Wanarpv6
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Workstation service depends on the Network
Store Interface Service service which failed to start because
of the following error: The dependency service or group failed
to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The WebDav Client Redirector Driver service
depends on the Redirected Buffering Sub Sysytem service
which failed to start because of the following error: A device
attached to the system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The WebClient service depends on the WebDav
Client Redirector Driver service which failed to start because
of the following error: The dependency service or group failed
to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The TCP/IP NetBIOS Helper service depends on the
Ancilliary Function Driver for Winsock service which failed to
start because of the following error: A device attached to the
system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The SMB MiniRedirector Wrapper and Engine
service depends on the Redirected Buffering Sub Sysytem
service which failed to start because of the following error: A
device attached to the system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The SMB 2.0 MiniRedirector service depends on the
SMB MiniRedirector Wrapper and Engine service which
failed to start because of the following error: The
dependency service or group failed to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The SMB 1.x MiniRedirector service depends on the
SMB MiniRedirector Wrapper and Engine service which
failed to start because of the following error: The
dependency service or group failed to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Network Store Interface Service service
depends on the NSI proxy service service which failed to
start because of the following error: A device attached to the
system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Network Location Awareness service depends
on the Network Store Interface Service service which failed to
start because of the following error: The dependency service
or group failed to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Network List Service service depends on the
Network Location Awareness service which failed to start
because of the following error: The dependency service or
group failed to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Network Connections service depends on the
Network Store Interface Service service which failed to start
because of the following error: The dependency service or
group failed to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The IP Helper service depends on the Network
Store Interface Service service which failed to start because
of the following error: The dependency service or group failed
to start.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The DNS Client service depends on the NetIO
Legacy TDI Support Driver service which failed to start
because of the following error: A device attached to the
system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The DHCP Client service depends on the Ancilliary
Function Driver for Winsock service which failed to start
because of the following error: A device attached to the
system is not functioning.
4/7/2010 10:04:30 AM, Error: Service Control Manager
[7001] - The Computer Browser service depends on the
Server service which failed to start because of the following
error: The dependency service or group failed to start.
4/7/2010 10:04:21 AM, Error: EventLog [6008] - The
previous system shutdown at 10:03:07 AM on 4/7/2010 was
unexpected.
4/6/2010 9:21:30 AM, Error: Ntfs [55] - The file system
structure on the disk is corrupt and unusable. Please run the
chkdsk utility on the volume Skimpkid.
4/6/2010 8:56:11 PM, Error: EventLog [6008] - The previous
system shutdown at 8:55:14 PM on 4/6/2010 was
unexpected.
4/6/2010 8:42:20 PM, Error: Service Control Manager [7030]
- The PEVSystemStart service is marked as an interactive
service. However, the system is configured to not allow
interactive services. This service may not function properly.
4/6/2010 8:12:10 AM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Windows Management Instrumentation service, but
this action failed with the following error: An instance of the
service is already running.
4/6/2010 8:12:10 AM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Remote Access Connection Manager service, but this
action failed with the following error: An instance of the
service is already running.
4/6/2010 7:56:12 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Base Filtering Engine service, but this action failed
with the following error: An instance of the service is already
running.
4/6/2010 7:56:12 PM, Error: Service Control Manager [7024]
- The Windows Firewall service terminated with service-
specific error 2150760449 (0x80320001).
4/6/2010 7:56:01 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the DHCP Client service, but this action failed with the
following error: An instance of the service is already running.
4/6/2010 7:55:57 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Multimedia Class Scheduler service, but this action
failed with the following error: An instance of the service is
already running.
4/6/2010 7:55:51 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Telephony service, but this action failed with the
following error: An instance of the service is already running.
4/6/2010 7:55:47 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Secure Socket Tunneling Protocol Service service, but
this action failed with the following error: An instance of the
service is already running.
4/6/2010 7:55:47 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Network Store Interface Service service, but this action
failed with the following error: An instance of the service is
already running.
4/6/2010 7:55:27 PM, Error: srv [2018] - The server was
unable to allocate from the system paged pool because the
server reached the configured limit for paged pool allocations.
4/6/2010 7:55:04 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Windows Audio Endpoint Builder service, but this
action failed with the following error: An instance of the
service is already running.
4/6/2010 7:55:00 PM, Error: Service Control Manager [7032]
- The Service Control Manager tried to take a corrective
action (Restart the service) after the unexpected termination
of the Windows Event Log service, but this action failed with
the following error: An instance of the service is already
running.
4/6/2010 7:19:41 PM, Error: Microsoft-Windows-Windows
Defender [2004] - Windows Defender has encountered an
error trying to load signatures and will attempt reverting back
to a known-good set of signatures. Signatures
Attempted: Current Error Code: 0x8050a001 Error
description: The program can't find definition files that help
detect unwanted software. Check for updates to the definition
files, and then try again. For information on installing
updates, see Help and Support. Signatures loading:
Backup Loading signature version: 1.79.953.0 Loading
engine version: 1.1.5605.0
4/5/2010 9:00:16 AM, Error: Microsoft-Windows-Windows
Defender [3006] - Windows Defender Real-Time Protection
agent has encountered an error when taking action on
spyware or other potentially unwanted software. For more
information please see the following:
http://go.microsoft.com/fwlink/?
linkid=37020&name=TrojanDownloader:Win32/Renos.KX&thr
eatid=148313 Scan ID: {A60D148A-86BA-4497-84C8-
5A2D84CB18A1} User: first-PC\first Name:
TrojanDownloader:Win32/Renos.KX ID: 148313
Severity ID: 5 Category ID: 4 Path: file:\\?
\E:\ooEEUg.exe Alert Type: Spyware or other
potentially unwanted software Action: Remove Error
Code: 0x80508017 Error description: Some actions
couldn't be applied to potentially harmful items. The items
might be stored in a read-only location. Delete the files or
folders that contains the items or, for information on removing
read-only permissions from files and folders, see Help and
Support.
4/1/2010 12:50:43 PM, Error: Service Control Manager
[7043] - The Windows Update service did not shut down
properly after receiving a preshutdown control.

==== End Of File ===========================


#4
April 8, 2010 at 09:55:09

DDS (Ver_10-03-17.01) - NTFSx86
Run by first at 9:49:39.95 on Thu 04/08/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1582 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\first\Documents\downloads\uTorrent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\first\AppData\Local\Temp\0ehulb80.tmp\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.6.0.32\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [uTorrent] "c:\users\first\documents\downloads\uTorrent.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-29 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\symefa.sys [2010-4-7 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-4-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100402.001\IDSvix86.sys [2010-4-7 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\ironx86.sys [2010-4-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1106000.020\symtdiv.sys [2010-4-7 340016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-6 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-6 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-6 60936]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.6.0.32\ccsvchst.exe [2010-4-7 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-7 102448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]

=============== Created Last 30 ================

2010-04-08 04:23:07 15944 ----a-w-
c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:21:57 0 d-----w-
c:\programdata\Hitman Pro
2010-04-08 04:21:46 0 d-----w- c:\program
files\Hitman Pro 3.5
2010-04-08 03:12:57 805 ----a-w-
c:\windows\system32\drivers\SYMEVENT.INF
2010-04-08 03:12:57 7443 ----a-w-
c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-08 03:12:57 124976 ----a-w-
c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-08 03:12:56 0 d-----w- c:\program
files\Symantec
2010-04-08 03:12:56 0 d-----w- c:\program
files\common files\Symantec Shared
2010-04-08 03:11:40 0 d-----w-
c:\windows\system32\drivers\NAV
2010-04-08 03:11:37 0 d-----w- c:\program
files\Norton AntiVirus
2010-04-08 03:11:36 0 d-----w-
c:\programdata\Norton
2010-04-08 03:11:25 0 d-----w-
c:\programdata\NortonInstaller
2010-04-08 03:11:25 0 d-----w- c:\program
files\NortonInstaller
2010-04-08 00:47:07 3566112 --sha-w-
c:\windows\system32\drivers\fidbox.dat
2010-04-08 00:47:07 32 --sha-w-
c:\windows\system32\drivers\fidbox.idx
2010-04-08 00:37:06 0 d-----w-
c:\programdata\ParetoLogic Anti-Virus PLUS
2010-04-08 00:37:06 0 d-----w-
c:\programdata\ParetoLogic
2010-04-08 00:37:06 0 d-----w- c:\program
files\ParetoLogic
2010-04-08 00:37:06 0 d-----w- c:\program
files\common files\ParetoLogic
2010-04-08 00:02:59 0 d-----w-
c:\programdata\FrontLine Registry Cleaner
2010-04-08 00:02:31 0 d-----w- c:\program
files\FrontLine
2010-04-07 04:48:21 0 d-----w-
c:\users\first\appdata\roaming\Malwarebytes
2010-04-07 04:48:08 0 d-----w-
c:\programdata\Malwarebytes
2010-04-07 04:48:08 0 d-----w- c:\program
files\Malwarebytes' Anti-Malware
2010-04-07 04:25:57 0 d-----w- c:\programdata\Alwil
Software
2010-04-07 04:20:17 0 d-----w- c:\program files\Trend
Micro
2010-04-06 16:14:29 0 d-----w-
c:\users\first\appdata\roaming\Avira
2010-04-06 15:35:40 60936 ----a-w-
c:\windows\system32\drivers\avgntflt.sys
2010-04-06 15:35:39 0 d-----w- c:\programdata\Avira
2010-04-06 15:35:39 0 d-----w- c:\program files\Avira
2010-04-06 13:55:44 112 ----a-w-
c:\programdata\2Rpgg0Q.dat
2010-04-06 00:26:17 0 d-----w- c:\program
files\QuickTime(31)
2010-04-05 18:09:25 95024 ----a-w-
c:\windows\system32\drivers\SBREDrv.sys
2010-04-05 15:17:08 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.
Wdf
2010-03-30 15:21:35 32592 ----a-w-
c:\windows\system32\msonpmon.dll
2010-03-30 15:14:44 0 d-----w-
c:\windows\PCHEALTH
2010-03-30 15:11:49 0 d-----w- c:\program
files\Microsoft Visual Studio 8
2010-03-30 15:10:01 0 d-----w-
c:\programdata\Microsoft Help
2010-03-30 14:01:48 0 d-----w- c:\program
files\VideoLAN
2010-03-30 05:01:10 97800 ----a-w-
c:\windows\system32\infocardapi.dll
2010-03-30 05:01:09 622080 ----a-w-
c:\windows\system32\icardagt.exe
2010-03-30 05:01:09 43544 ----a-w-
c:\windows\system32\PresentationHostProxy.dll
2010-03-30 05:01:09 37384 ----a-w-
c:\windows\system32\infocardcpl.cpl
2010-03-30 05:01:09 11264 ----a-w-
c:\windows\system32\icardres.dll
2010-03-30 05:01:09 105016 ----a-w-
c:\windows\system32\PresentationCFFRasterizerNative_v03
00.dll
2010-03-30 05:01:07 781344 ----a-w-
c:\windows\system32\PresentationNative_v0300.dll
2010-03-30 05:01:05 326160 ----a-w-
c:\windows\system32\PresentationHost.exe
2010-03-30 04:54:58 96760 ----a-w-
c:\windows\system32\dfshim.dll
2010-03-30 04:54:57 282112 ----a-w-
c:\windows\system32\mscoree.dll
2010-03-30 04:54:56 41984 ----a-w-
c:\windows\system32\netfxperf.dll
2010-03-30 04:54:51 158720 ----a-w-
c:\windows\system32\mscorier.dll
2010-03-30 04:54:47 83968 ----a-w-
c:\windows\system32\mscories.dll
2010-03-30 04:53:05 24064 ----a-w-
c:\windows\system32\nshhttp.dll
2010-03-30 04:53:03 411136 ----a-w-
c:\windows\system32\drivers\http.sys
2010-03-30 04:53:03 31232 ----a-w-
c:\windows\system32\httpapi.dll
2010-03-30 03:43:50 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_
00.Wdf
2010-03-30 03:30:38 0 d-----w- c:\users\first\Movie
2010-03-29 18:36:58 15880 ----a-w-
c:\windows\system32\lsdelete.exe
2010-03-29 18:08:25 64288 ----a-w-
c:\windows\system32\drivers\Lbd.sys
2010-03-29 17:57:01 0 dc-h--w-
c:\programdata\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}
2010-03-29 17:56:54 0 d-----w-
c:\programdata\Lavasoft
2010-03-29 17:56:54 0 d-----w- c:\program
files\Lavasoft
2010-03-29 17:47:49 0 d-----w-
c:\windows\system32\appmgmt
2010-03-29 17:33:21 26600 ----a-w-
c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-29 17:33:21 107368 ----a-w-
c:\windows\system32\GEARAspi.dll
2010-03-29 17:32:39 0 d-----w- c:\program files\iPod
2010-03-29 17:32:37 0 d-----w-
c:\programdata\{755AC846-7372-4AC8-8550-
C52491DAA8BD}
2010-03-29 17:32:37 0 d-----w- c:\program
files\iTunes
2010-03-29 17:31:39 0 d-----w- c:\program
files\Bonjour
2010-03-29 16:39:22 0 d-----w- c:\program
files\Ask.com
2010-03-29 16:38:26 0 d-----w-
c:\users\first\appdata\roaming\uTorrent
2010-03-29 16:23:33 12240896 ----a-w-
c:\windows\system32\NlsLexicons0007.dll
2010-03-29 16:23:29 2644480 ----a-w-
c:\windows\system32\NlsLexicons0009.dll
2010-03-29 16:23:20 801280 ----a-w-
c:\windows\system32\NaturalLanguage6.dll
2010-03-29 16:19:49 293376 ----a-w-
c:\windows\system32\wlanmsm.dll
2010-03-29 16:18:55 428544 ----a-w-
c:\windows\system32\EncDec.dll
2010-03-29 16:17:59 3546200 ----a-w-
c:\windows\system32\ntoskrnl.exe
2010-03-29 16:16:57 91136 ----a-w-
c:\windows\system32\avifil32.dll
2010-03-29 16:11:36 212992 ----a-w-
c:\windows\system32\drivers\mrxsmb10.sys
2010-03-29 16:11:36 105472 ----a-w-
c:\windows\system32\drivers\mrxsmb.sys
2010-03-29 16:11:23 181632 ------w-
c:\windows\system32\MpSigStub.exe
2010-03-29 05:06:09 0 d-----w- c:\windows\Panther
2010-03-29 05:05:52 333203 --sha-r- C:\bootmgr
2010-03-29 05:05:52 0 d-----w- C:\Boot
2010-03-29 05:05:41 171136 --sha-r- C:\GRLDR
2010-03-29 04:19:23 0 d-----w- c:\programdata\Apple
Computer
2010-03-29 04:17:59 0 d-----w- c:\programdata\Apple
2010-03-29 04:17:06 0 d-sh--w- c:\windows\Installer
2010-03-29 04:14:53 2421760 ----a-w-
c:\windows\system32\wucltux.dll
2010-03-29 04:14:42 87552 ----a-w-
c:\windows\system32\wudriver.dll
2010-03-29 04:14:32 33792 ----a-w-
c:\windows\system32\wuapp.exe
2010-03-29 04:14:32 171608 ----a-w-
c:\windows\system32\wuwebv.dll
2010-03-18 04:53:42 94208 ----a-w-
c:\windows\system32\QuickTimeVR.qtx
2010-03-18 04:53:42 69632 ----a-w-
c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-07 23:51:45 56376 ----a-w-
c:\windows\system32\drivers\partmgr.sys
2010-03-30 13:31:10 665600 ----a-w-
c:\windows\inf\drvindex.dat
2010-03-30 13:31:10 51200 ----a-w-
c:\windows\inf\infpub.dat
2010-03-30 13:31:09 86016 ----a-w-
c:\windows\inf\infstrng.dat
2010-03-30 13:31:09 86016 ----a-w-
c:\windows\inf\infstor.dat
2010-03-09 16:28:40 833024 ----a-w-
c:\windows\system32\wininet.dll
2010-03-09 16:25:21 78336 ----a-w-
c:\windows\system32\ieencode.dll
2010-03-09 14:01:47 26624 ----a-w-
c:\windows\system32\ieUnatt.exe
2010-01-25 12:48:34 472576 ----a-w-
c:\windows\system32\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w-
c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w-
c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w-
c:\windows\system32\secproc.dll
2010-01-25 12:45:56 329216 ----a-w-
c:\windows\system32\msdrm.dll
2010-01-25 08:35:01 346624 ----a-w-
c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w-
c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w-
c:\windows\system32\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w-
c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 2048 ----a-w-
c:\windows\system32\tzres.dll
2010-01-14 18:28:20 243024 ----a-w-
c:\windows\system32\LSPInstall.dll
2010-01-14 18:27:14 111960 ----a-w-
c:\windows\system32\INetHTTPFilter.dll
2008-01-21 02:41:56 174 --sha-w- c:\program
files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w-
c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w-
c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w-
c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w-
c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w-
c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w-
c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w-
c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w-
c:\windows\inf\perflib\0000\perfc.dat
2008-04-09 23:35:35 8192 --sha-w-
c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:51:39.06 ===============


Report •

#5
April 8, 2010 at 19:43:41
Go to Start > Control Panel > Add/Remove Programs and uninstall these programs, as they are known to harbor spyware:


uTorrent
Ask Toolbar


Next, you have more than one antivirus program installed, which is not a good idea as they will conflict and cause you problems. You need to decide which one you want to keep and uninstall the other one.

Please download ComboFix with Internet Explorer instead of any other browser, if possible.

Remember: your Norton or Avira antivirus, Windows Defender, Ad-Aware and any other real-time antispyware programs that you may have must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "Enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Report •

#6
April 8, 2010 at 21:54:04
ComboFix 10-04-08.02 - first 04/08/2010 21:33:46.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1587 [GMT -7:00]
Running from: C:\Users\first\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 04:42:40 . 2010-04-09 04:42:40 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-04-09 01:54:08 . 2009-08-29 09:00:00 1647984 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVEX32A.DLL
2010-04-09 01:54:07 . 2010-04-08 03:26:12 1324720 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVEX15.SYS
2010-04-09 01:54:07 . 2010-04-08 03:26:11 84912 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVENG.SYS
2010-04-09 01:54:07 . 2010-04-08 03:26:03 2747440 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\CCERASER.DLL
2010-04-09 01:54:07 . 2010-04-08 03:26:03 259440 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\ECMSVR32.DLL
2010-04-09 01:54:07 . 2009-08-29 09:00:00 371248 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\EECTRL.SYS
2010-04-09 01:54:07 . 2009-08-29 09:00:00 177520 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVENG32.DLL
2010-04-09 01:54:07 . 2009-08-29 09:00:00 102448 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100408.032\ERASER.SYS
2010-04-08 18:08:45 . 2010-04-08 18:08:45 598368 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-08 04:23:07 . 2010-04-08 16:05:42 15944 ----a-w- C:\Windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:21:57 . 2010-04-08 04:21:58 -------- d-----w- C:\ProgramData\Hitman Pro
2010-04-08 04:21:46 . 2010-04-08 04:21:46 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2010-04-08 03:30:39 . 2009-10-28 22:37:21 811896 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-08 03:30:38 . 2009-10-28 22:37:22 343088 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-08 03:30:38 . 2009-10-28 22:37:22 329592 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-08 03:30:38 . 2009-10-28 22:37:21 488312 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-08 03:30:38 . 2009-10-28 22:37:21 466992 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-08 03:12:57 . 2010-04-08 03:12:56 124976 ----a-w- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-04-08 03:12:56 . 2010-04-08 03:15:48 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-04-08 03:12:56 . 2010-04-08 03:12:58 -------- d-----w- C:\Program Files\Symantec
2010-04-08 03:12:28 . 2009-08-30 00:16:46 164216 ----a-r- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2010-04-08 03:12:27 . 2009-08-26 22:13:12 900464 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\hsplayer.dll
2010-04-08 03:12:15 . 2009-09-01 09:02:30 893296 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\CLT\cltLMSx.dll
2010-04-08 03:11:40 . 2010-04-08 15:25:15 -------- d-----w- C:\Windows\system32\drivers\NAV
2010-04-08 03:11:37 . 2010-04-08 03:11:40 -------- d-----w- C:\Program Files\Norton AntiVirus
2010-04-08 03:11:36 . 2010-04-08 03:14:03 -------- d-----w- C:\ProgramData\Norton
2010-04-08 03:11:25 . 2010-04-08 03:11:33 -------- d-----w- C:\ProgramData\NortonInstaller
2010-04-08 03:11:25 . 2010-04-08 03:11:25 -------- d-----w- C:\Program Files\NortonInstaller
2010-04-08 00:47:47 . 2010-04-08 00:47:47 125952 ----a-w- C:\ProgramData\ParetoLogic\UUS2\Temp\Update.exe
2010-04-08 00:47:07 . 2010-04-08 03:35:19 3566112 --sha-w- C:\Windows\system32\drivers\fidbox.dat
2010-04-08 00:37:06 . 2010-04-08 00:37:07 -------- d-----w- C:\ProgramData\ParetoLogic Anti-Virus PLUS
2010-04-08 00:37:06 . 2010-04-08 00:37:07 -------- d-----w- C:\ProgramData\ParetoLogic
2010-04-08 00:37:06 . 2010-04-08 00:37:07 -------- d-----w- C:\Program Files\Common Files\ParetoLogic
2010-04-08 00:37:06 . 2010-04-08 00:37:06 -------- d-----w- C:\Program Files\ParetoLogic
2010-04-08 00:35:03 . 2010-04-08 00:35:03 -------- d-----w- C:\Users\first\AppData\Local\Downloaded Installations
2010-04-08 00:02:59 . 2010-04-08 00:02:59 -------- d-----w- C:\ProgramData\FrontLine Registry Cleaner
2010-04-08 00:02:31 . 2010-04-08 00:02:31 -------- d-----w- C:\Program Files\FrontLine
2010-04-07 17:05:46 . 2010-04-07 17:09:44 680 ----a-w- C:\Users\first\AppData\Local\d3d9caps.dat
2010-04-07 04:48:21 . 2010-04-07 04:48:21 -------- d-----w- C:\Users\first\AppData\Roaming\Malwarebytes
2010-04-07 04:48:08 . 2010-04-07 04:48:15 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-07 04:48:08 . 2010-04-07 04:48:08 -------- d-----w- C:\ProgramData\Malwarebytes
2010-04-07 04:25:57 . 2010-04-07 04:25:57 -------- d-----w- C:\ProgramData\Alwil Software
2010-04-07 04:25:57 . 2010-04-07 04:25:57 -------- d-----w- C:\Program Files\Alwil Software
2010-04-07 04:20:17 . 2010-04-07 04:20:17 -------- d-----w- C:\Program Files\Trend Micro
2010-04-07 03:50:31 . 2010-04-07 23:38:18 -------- d-----w- C:\Users\first\AppData\Local\temp(42)
2010-04-06 17:09:17 . 2010-04-06 17:09:17 -------- d-----w- C:\Users\first\AppData\Local\Microsoft Games
2010-04-06 16:14:29 . 2010-04-06 16:14:29 -------- d-----w- C:\Users\first\AppData\Roaming\Avira
2010-04-06 15:35:40 . 2010-03-01 16:05:24 124784 ----a-w- C:\Windows\system32\drivers\avipbb.sys
2010-04-06 15:35:40 . 2010-02-16 20:24:01 60936 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
2010-04-06 15:35:40 . 2009-05-11 18:49:28 51992 ----a-w- C:\Windows\system32\drivers\avgntdd.sys
2010-04-06 15:35:40 . 2009-05-11 18:49:28 17016 ----a-w- C:\Windows\system32\drivers\avgntmgr.sys
2010-04-06 15:35:39 . 2010-04-06 15:35:39 -------- d-----w- C:\ProgramData\Avira
2010-04-06 15:35:39 . 2010-04-06 15:35:39 -------- d-----w- C:\Program Files\Avira
2010-04-06 00:26:17 . 2010-04-07 23:51:23 -------- d-----w- C:\Program Files\QuickTime
2010-04-06 00:26:17 . 2010-04-06 15:47:38 -------- d-----w- C:\Program Files\QuickTime(31)
2010-04-05 18:08:56 . 2010-04-08 18:08:41 966104 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-05 18:08:55 . 2010-04-05 18:08:55 849744 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-05 18:08:54 . 2010-04-05 18:08:55 855864 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-05 18:08:53 . 2010-04-05 18:08:54 1597952 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-05 18:08:52 . 2010-04-05 18:08:53 818256 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-05 18:08:51 . 2010-04-08 18:08:40 1265264 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-30 15:21:36 . 2006-10-27 02:56:12 33104 ----a-w- C:\Windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-30 15:21:35 . 2006-10-27 02:56:10 32592 ----a-w- C:\Windows\system32\msonpmon.dll
2010-03-30 15:16:22 . 2010-03-30 15:16:23 -------- d-----w- C:\Program Files\Microsoft Works
2010-03-30 15:14:44 . 2010-03-30 15:14:44 -------- d-----w- C:\Windows\PCHEALTH
2010-03-30 15:14:44 . 2010-03-30 15:14:44 -------- d-----w- C:\Program Files\Microsoft.NET
2010-03-30 15:11:49 . 2010-03-30 15:11:51 -------- d-----w- C:\Program Files\Microsoft Visual Studio 8
2010-03-30 15:10:15 . 2010-03-30 15:10:15 -------- d-----w- C:\Users\first\AppData\Local\Microsoft Help
2010-03-30 15:10:01 . 2010-03-30 15:22:47 -------- d-----w- C:\ProgramData\Microsoft Help
2010-03-30 15:06:25 . 2010-03-30 15:06:25 -------- d-----r- C:\MSOCache
2010-03-30 14:12:49 . 2010-04-07 23:51:25 -------- d-----w- C:\Users\first\AppData\Roaming\vlc
2010-03-30 14:01:48 . 2010-03-30 14:01:48 -------- d-----w- C:\Program Files\VideoLAN
2010-03-30 05:01:10 . 2008-06-20 01:14:34 97800 ----a-w- C:\Windows\system32\infocardapi.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:45 43544 ----a-w- C:\Windows\system32\PresentationHostProxy.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:45 105016 ----a-w- C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:34 11264 ----a-w- C:\Windows\system32\icardres.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:33 622080 ----a-w- C:\Windows\system32\icardagt.exe
2010-03-30 05:01:07 . 2008-06-20 01:14:45 781344 ----a-w- C:\Windows\system32\PresentationNative_v0300.dll
2010-03-30 05:01:05 . 2008-06-20 01:14:45 326160 ----a-w- C:\Windows\system32\PresentationHost.exe
2010-03-30 04:54:58 . 2008-07-27 18:03:16 96760 ----a-w- C:\Windows\system32\dfshim.dll
2010-03-30 04:54:57 . 2008-07-27 18:03:17 282112 ----a-w- C:\Windows\system32\mscoree.dll
2010-03-30 04:54:56 . 2008-07-27 18:03:17 41984 ----a-w- C:\Windows\system32\netfxperf.dll
2010-03-30 04:54:51 . 2008-07-27 18:03:17 158720 ----a-w- C:\Windows\system32\mscorier.dll
2010-03-30 04:54:47 . 2008-07-27 18:03:17 83968 ----a-w- C:\Windows\system32\mscories.dll
2010-03-30 04:53:05 . 2010-02-20 23:39:35 24064 ----a-w- C:\Windows\system32\nshhttp.dll
2010-03-30 04:53:03 . 2010-02-20 23:37:20 31232 ----a-w- C:\Windows\system32\httpapi.dll
2010-03-30 04:53:03 . 2010-02-20 21:18:40 411136 ----a-w- C:\Windows\system32\drivers\http.sys
2010-03-30 03:30:38 . 2010-03-30 15:07:41 -------- d-----w- C:\Users\first\Movie
2010-03-29 18:36:58 . 2010-04-05 18:09:21 15880 ----a-w- C:\Windows\system32\lsdelete.exe
2010-03-29 18:08:25 . 2010-02-04 15:53:02 64288 ----a-w- C:\Windows\system32\drivers\Lbd.sys
2010-03-29 17:57:01 . 2010-03-29 17:57:01 -------- dc-h--w- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-29 17:57:01 . 2010-02-04 15:53:47 2954656 -c--a-w- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-29 17:56:54 . 2010-03-29 18:08:18 -------- d-----w- C:\ProgramData\Lavasoft
2010-03-29 17:56:54 . 2010-03-29 17:57:04 -------- d-----w- C:\Program Files\Lavasoft
2010-03-29 17:33:21 . 2009-05-18 21:17:00 26600 ----a-w- C:\Windows\system32\drivers\GEARAspiWDM.sys
2010-03-29 17:33:21 . 2008-04-17 20:12:54 107368 ----a-w- C:\Windows\system32\GEARAspi.dll
2010-03-29 17:33:20 . 2010-03-29 18:08:25 -------- dc----w- C:\Windows\system32\DRVSTORE
2010-03-29 17:32:39 . 2010-03-29 17:32:39 -------- d-----w- C:\Program Files\iPod
2010-03-29 17:32:37 . 2010-04-07 23:52:22 -------- d-----w- C:\Program Files\iTunes
2010-03-29 17:32:37 . 2010-03-29 17:33:20 -------- d-----w- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-29 17:31:39 . 2010-03-29 17:31:39 -------- d-----w- C:\Program Files\Bonjour
2010-03-29 16:39:22 . 2010-04-07 23:51:20 -------- d-----w- C:\Program Files\Ask.com
2010-03-29 16:38:26 . 2010-04-09 04:29:14 -------- d-----w- C:\Users\first\AppData\Roaming\uTorrent
2010-03-29 16:23:33 . 2008-06-26 01:45:43 12240896 ----a-w- C:\Windows\system32\NlsLexicons0007.dll
2010-03-29 16:23:29 . 2008-06-26 01:45:55 2644480 ----a-w- C:\Windows\system32\NlsLexicons0009.dll
2010-03-29 16:23:20 . 2008-06-26 03:29:06 801280 ----a-w- C:\Windows\system32\NaturalLanguage6.dll
2010-03-29 16:19:49 . 2009-07-11 19:32:52 293376 ----a-w- C:\Windows\system32\wlanmsm.dll
2010-03-29 16:18:55 . 2009-08-31 13:55:46 428544 ----a-w- C:\Windows\system32\EncDec.dll
2010-03-29 16:17:59 . 2009-12-08 20:52:16 3546200 ----a-w- C:\Windows\system32\ntoskrnl.exe
2010-03-29 16:16:57 . 2009-12-28 12:35:50 11776 ----a-w- C:\Windows\system32\tsbyuv.dll
2010-03-29 16:11:36 . 2009-12-04 16:12:58 212992 ----a-w- C:\Windows\system32\drivers\mrxsmb10.sys
2010-03-29 16:11:36 . 2009-12-04 16:12:51 105472 ----a-w- C:\Windows\system32\drivers\mrxsmb.sys
2010-03-29 16:11:23 . 2010-02-24 17:16:06 181632 ------w- C:\Windows\system32\MpSigStub.exe
2010-03-29 05:06:09 . 2010-03-29 04:11:59 -------- d-----w- C:\Windows\Panther
2010-03-29 05:05:52 . 2010-03-29 05:05:52 -------- d-----w- C:\Boot
2010-03-29 04:21:10 . 2010-03-29 04:21:10 -------- d-----w- C:\Windows\system32\Macromed
2010-03-29 04:19:56 . 2010-04-02 14:21:59 -------- d-----w- C:\Users\first\AppData\Roaming\Apple Computer
2010-03-29 04:19:56 . 2010-03-31 14:39:25 -------- d-----w- C:\Users\first\AppData\Local\Apple Computer
2010-03-29 04:19:23 . 2010-04-07 04:19:42 -------- d-----w- C:\Program Files\Safari
2010-03-29 04:19:23 . 2010-03-29 17:32:37 -------- d-----w- C:\ProgramData\Apple Computer
2010-03-29 04:18:11 . 2010-03-29 17:32:38 -------- d-----w- C:\Program Files\Common Files\Apple
2010-03-29 04:18:02 . 2010-03-29 04:18:02 -------- d-----w- C:\Users\first\AppData\Local\Apple
2010-03-29 04:17:59 . 2010-03-30 03:43:36 -------- d-----w- C:\ProgramData\Apple
2010-03-29 04:17:59 . 2010-03-29 04:18:00 -------- d-----w- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 03:12:56 . 2010-04-08 03:12:57 805 ----a-w- C:\Windows\system32\drivers\SYMEVENT.INF
2010-04-08 03:12:56 . 2010-04-08 03:12:57 7443 ----a-w- C:\Windows\system32\drivers\SYMEVENT.CAT
2010-04-08 00:47:29 . 2010-04-08 00:47:07 32 --sha-w- C:\Windows\system32\drivers\fidbox.idx
2010-04-07 23:51:45 . 2008-01-21 02:22:51 56376 ----a-w- C:\Windows\system32\drivers\partmgr.sys
2010-04-06 13:57:55 . 2010-04-06 13:55:44 112 ----a-w- C:\ProgramData\2Rpgg0Q.dat
2010-04-05 15:17:08 . 2010-04-05 15:17:08 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-30 15:16:08 . 2006-11-02 12:35:50 -------- d-----w- C:\Program Files\MSBuild
2010-03-30 13:32:55 . 2006-11-02 11:18:33 -------- d-----w- C:\Program Files\Windows Mail
2010-03-30 13:31:10 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2010-03-30 03:43:50 . 2010-03-30 03:43:50 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-09 16:28:40 . 2010-03-30 23:56:53 833024 ----a-w- C:\Windows\system32\wininet.dll
2010-03-09 16:25:21 . 2010-03-30 23:56:50 78336 ----a-w- C:\Windows\system32\ieencode.dll
2010-03-09 14:01:47 . 2010-03-30 23:56:50 26624 ----a-w- C:\Windows\system32\ieUnatt.exe
2010-03-04 11:00:34 . 2010-03-04 11:00:34 79144 ----a-w- C:\ProgramData\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-16 01:41:46 . 2010-02-16 01:41:46 72488 ----a-w- C:\ProgramData\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-25 12:48:34 . 2010-03-29 16:17:35 472576 ----a-w- C:\Windows\system32\secproc_isv.dll
2010-01-25 12:48:34 . 2010-03-29 16:17:35 151040 ----a-w- C:\Windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 . 2010-03-29 16:17:35 151040 ----a-w- C:\Windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 . 2010-03-29 16:17:35 472064 ----a-w- C:\Windows\system32\secproc.dll
2010-01-25 12:45:56 . 2010-03-29 16:17:35 329216 ----a-w- C:\Windows\system32\msdrm.dll
2010-01-25 08:35:01 . 2010-03-29 16:17:35 346624 ----a-w- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 . 2010-03-29 16:17:36 523776 ----a-w- C:\Windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 . 2010-03-29 16:17:36 511488 ----a-w- C:\Windows\system32\RMActivate.exe
2010-01-25 08:34:56 . 2010-03-29 16:17:35 347136 ----a-w- C:\Windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 . 2010-03-29 16:18:42 2048 ----a-w- C:\Windows\system32\tzres.dll
2010-01-14 18:28:20 . 2010-01-14 18:28:20 243024 ----a-w- C:\Windows\system32\LSPInstall.dll
2010-01-14 18:27:14 . 2010-01-14 18:27:14 111960 ----a-w- C:\Windows\system32\INetHTTPFilter.dll
2008-04-09 23:35:35 . 2008-04-09 23:35:33 8192 --sha-w- C:\Windows\Users\Default\NTUSER.DAT
.
[code]

C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\QTTask .exe
[/code]

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50:26 1197448 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"="C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-02-04 23:50:26 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"="C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-02-04 23:50:26 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 02:21:38 1233920]
"uTorrent"="C:\Users\first\Documents\downloads\uTorrent.exe" [2010-03-29 16:39:14 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:21:41 1008184]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 17:28:31 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-08 18:08:40 1265264]
S0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [2010-02-04 15:53:02 64288]
S0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-08-30 00:17:18 328752]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2010-02-04 01:40:50 172592]
S1 BHDrvx86;BHDrvx86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-25 03:40:18 536112]
S1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 23:22:57 501888]
S1 IDSVix86;IDSVix86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys [2009-10-28 22:37:22 343088]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 02:23:54 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\Drivers\NAV\1106000.020\SYMTDIV.SYS [2010-02-04 01:40:52 340016]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-02-24 16:28:09 135336]
S2 NAV;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 23:21:50 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 09:00:00 102448]
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 C:\Windows\Tasks\ParetoLogic Registration.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 19:25:18 . 2008-02-22 19:25:18]

2010-04-08 C:\Windows\Tasks\User_Feed_Synchronization-{9F8C095C-013A-464E-BA8E-668C5D90767D}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-21 02:23:00 . 2008-01-21 02:23:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-OEMInformation - C:\Windows\oem_uninst.exe


Report •

#7
April 9, 2010 at 12:15:54
Did you uninstall uTorrent and Ask Toolbar, then remove one of the AVs, and how is the computer operating?

Report •

#8
April 9, 2010 at 16:58:15
OK, well, I uninstalled uTorrent (by the way, is this permanent? Because I used uTorrent to download torrents, so what now?) and I uninstalled Ask Toolbar.
The computer is doing alright, but Norton tells me a lot that I keep getting attacks blocked.
Oh, what AV do I remove, or what free one do you want me to use?

Report •

#9
April 9, 2010 at 18:53:16
The blocks are normal for a firewall, and some AVs let you know when they prevent a virus from infecting the computer. You can change the setting to not inform you, as it does not help you to know this info.

If the computer is running OK, there is no need to do anything else. As I said earlier, uTorrent and Ask Toolbar either have spyware in them or install it; either way, they send info about your browsing to someone somewhere, and it was having an effect on your computer. Reinstalling it may be a bad idea... up to you.


Report •

#10
April 9, 2010 at 21:25:34
OK, so as far as I can tell the Google redirect is gone, but... pop-ups seem to be a small problem... Ad-Aware finds some cookies, but I'm not sure if that fixes it.

And also, what free antivirus would you recommend?

Thank you for all your help.


Report •

#11
April 9, 2010 at 22:36:00
OK, so it's still here: the redirect again, and so are the pop-ups.

But I did review everything, and there is no uTorrent and no Ask Toolbar.
Please help me again.
Thanks.


Report •

#12
April 10, 2010 at 06:18:53
AVG or Avast are both great. If you uninstall Norton, you will need to run their uninstall tool.


Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
RenV::
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\QTTask .exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.


Report •
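The three paths ComboFix printed between [code] tags in #6 and the RenV:: lines in #12 are one finding: each of those executables was found on disk under a name with a space inserted before .exe (`QTTask .exe`). The log shows what that does to an autostart in the Run key: `"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]`, where [N/A] is ComboFix's marker for a target it could not find at the recorded path. The script below is an added example for this thread, not code from ComboFix or from anyone posting here. It takes a plain directory listing and a set of Run values, pairs every "name .exe" file with its space-free name, reports whether something now exists at that name and which Run value points there, and emits a script body in the shape used in #12. The sample listing and Run values are constructed from the paths in this log; the space-free neighbours (iTunesHelper.exe, iTunes.exe, QTTask.exe) are assumptions, not entries taken from the log, and only the two Run values the log prints with a full path are included.

```python
"""Spot 'name .exe' twins of autostart executables and cross-check Run keys.

Added example for this thread; not ComboFix code. It works on a plain list of
paths, so it runs offline on a listing captured from the affected machine.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample listing: the three spaced names ComboFix printed in #6,
# plus assumed neighbours (iTunesHelper.exe, iTunes.exe, QTTask.exe,
# sidebar.exe) that are not taken from the log.
SAMPLE_LISTING = [
    r"C:\Program Files\iTunes\iTunesHelper .exe",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\Program Files\iTunes\iTunes.exe",
    r"C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe",
    r"C:\Program Files\QuickTime\QTTask .exe",
    r"C:\Program Files\QuickTime\QTTask.exe",
    r"C:\Program Files\Windows Sidebar\sidebar.exe",
]

# The two Run values the log in #6 shows with a full path; ComboFix printed
# [N/A] after GrooveMonitor because nothing existed at that path.
SAMPLE_RUN_VALUES = {
    "Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe",
    "GrooveMonitor": r"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe",
}

# "stem<one or more spaces>.ext": a base name no installer produces on purpose.
SPACED_EXT = re.compile(r"^(?P<stem>\S.*?)[ ]+(?P<ext>\.[A-Za-z0-9]{1,4})$")


@dataclass(frozen=True)
class Finding:
    spaced: str            # the "name .exe" file as listed
    canonical: str         # the same path with the spaces removed
    twin_present: bool     # True if a file now exists at the canonical name
    run_values: tuple      # Run value names whose command is the canonical path


def canonical_name(path: str) -> str | None:
    """Return the space-free path for a 'name .exe' file, or None otherwise."""
    folder, base = ntpath.split(path)
    m = SPACED_EXT.match(base)
    if m is None:
        return None
    return ntpath.join(folder, m.group("stem") + m.group("ext"))


def assess(listing, run_values) -> list[Finding]:
    """Pair every spaced file with its canonical name and any Run value."""
    present = {p.lower() for p in listing}
    by_target: dict[str, list[str]] = {}
    for name, command in run_values.items():
        by_target.setdefault(command.lower(), []).append(name)
    findings = []
    for path in sorted(listing):
        canon = canonical_name(path)
        if canon is None:
            continue
        findings.append(Finding(
            spaced=path,
            canonical=canon,
            twin_present=canon.lower() in present,
            run_values=tuple(by_target.get(canon.lower(), [])),
        ))
    return findings


def renv_script(findings) -> str:
    """CFScript text in the shape used in #12: KILLALL::, RenV::, one path per line."""
    return "\n".join(["KILLALL::", "RenV::"] + [f.spaced for f in findings]) + "\n"


if __name__ == "__main__":
    results = assess(SAMPLE_LISTING, SAMPLE_RUN_VALUES)
    for f in results:
        state = ("something now sits at the canonical name" if f.twin_present
                 else "canonical name absent, matching ComboFix's [N/A]")
        refs = ", ".join(f.run_values) or "none in this sample"
        print(f"{f.spaced}\n  -> {f.canonical}: {state}; Run values: {refs}")
    print(renv_script(results))
```

To use it on a real machine, replace SAMPLE_LISTING with the paths from an os.walk over Program Files and SAMPLE_RUN_VALUES with the Run values exported from both hives. The twin_present cases are the ones to examine first: whatever sits at the canonical name is what every autostart for that program now launches, and this script only reports it, it does not touch either file.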

#13
April 10, 2010 at 12:58:34
ComboFix 10-04-10.01 - first 04/10/2010 12:35:27.4.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1557 [GMT -7:00]
Running from: C:\Users\first\Desktop\combofix.exe
Command switches used :: C:\Users\first\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\klgd.bmp

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 19:43:36 . 2010-04-10 19:45:21 -------- d-----w- C:\Users\first\AppData\Local\temp
2010-04-10 19:43:36 . 2010-04-10 19:43:36 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-04-10 15:21:56 . 2010-04-10 05:11:01 84912 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVENG.SYS
2010-04-10 15:21:56 . 2010-04-10 05:11:01 1324720 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVEX15.SYS
2010-04-10 15:21:56 . 2009-08-29 09:00:00 177520 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVENG32.DLL
2010-04-10 15:21:56 . 2009-08-29 09:00:00 1647984 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVEX32A.DLL
2010-04-10 15:21:55 . 2010-04-10 05:11:00 2747440 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\CCERASER.DLL
2010-04-10 15:21:55 . 2010-04-10 05:11:00 259440 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\ECMSVR32.DLL
2010-04-10 15:21:55 . 2009-08-29 09:00:00 371248 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\EECTRL.SYS
2010-04-10 15:21:55 . 2009-08-29 09:00:00 102448 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\ERASER.SYS
2010-04-10 05:12:22 . 2009-10-28 22:37:22 343088 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-10 05:12:22 . 2009-10-28 22:37:22 329592 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 05:12:22 . 2009-10-28 22:37:21 811896 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-10 05:12:22 . 2009-10-28 22:37:21 488312 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-10 05:12:22 . 2009-10-28 22:37:21 466992 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-10 05:08:24 . 2009-08-30 00:16:46 164216 ----a-r- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2010-04-10 05:07:36 . 2010-04-10 05:07:34 124976 ----a-w- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-04-10 05:07:34 . 2010-04-10 05:13:04 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-04-10 05:07:34 . 2010-04-10 05:07:36 -------- d-----w- C:\Program Files\Symantec
2010-04-10 05:07:13 . 2009-08-26 22:13:12 900464 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\hsplayer.dll
2010-04-10 05:07:11 . 2009-09-01 09:02:30 893296 ----a-w- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\CLT\cltLMSx.dll
2010-04-10 05:07:00 . 2010-04-10 19:12:38 -------- d-----w- C:\Windows\system32\drivers\NAV
2010-04-10 05:06:57 . 2010-04-10 05:07:00 -------- d-----w- C:\Program Files\Norton AntiVirus
2010-04-10 05:06:41 . 2010-04-10 05:06:41 -------- d-----w- C:\Program Files\NortonInstaller
2010-04-10 00:26:45 . 2010-04-10 00:26:45 46080 ----a-w- C:\Windows\system32\yzud.dll
2010-04-10 00:20:59 . 2010-04-10 00:20:59 -------- d-----w- C:\Program Files\AVG
2010-04-08 18:08:45 . 2010-04-08 18:08:45 598368 ----a-w- C:\ProgramData\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-08 04:23:07 . 2010-04-09 23:45:03 15944 ----a-w- C:\Windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:21:57 . 2010-04-08 04:21:58 -------- d-----w- C:\ProgramData\Hitman Pro
2010-04-08 04:21:46 . 2010-04-08 04:21:46 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2010-04-08 03:11:36 . 2010-04-10 05:06:57 -------- d-----w- C:\ProgramData\Norton
2010-04-08 03:11:25 . 2010-04-10 05:06:45 -------- d-----w- C:\ProgramData\NortonInstaller
2010-04-08 00:47:47 . 2010-04-08 00:47:47 125952 ----a-w- C:\ProgramData\ParetoLogic\UUS2\Temp\Update.exe
2010-04-08 00:47:07 . 2010-04-08 03:35:19 3566112 --sha-w- C:\Windows\system32\drivers\fidbox.dat
2010-04-08 00:37:06 . 2010-04-10 00:07:14 -------- d-----w- C:\ProgramData\ParetoLogic
2010-04-08 00:37:06 . 2010-04-10 00:07:14 -------- d-----w- C:\Program Files\Common Files\ParetoLogic
2010-04-08 00:35:03 . 2010-04-08 00:35:03 -------- d-----w- C:\Users\first\AppData\Local\Downloaded Installations
2010-04-08 00:02:59 . 2010-04-08 00:02:59 -------- d-----w- C:\ProgramData\FrontLine Registry Cleaner
2010-04-08 00:02:31 . 2010-04-08 00:02:31 -------- d-----w- C:\Program Files\FrontLine
2010-04-07 17:05:46 . 2010-04-07 17:09:44 680 ----a-w- C:\Users\first\AppData\Local\d3d9caps.dat
2010-04-07 04:48:21 . 2010-04-07 04:48:21 -------- d-----w- C:\Users\first\AppData\Roaming\Malwarebytes
2010-04-07 04:48:08 . 2010-04-07 04:48:15 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-07 04:48:08 . 2010-04-07 04:48:08 -------- d-----w- C:\ProgramData\Malwarebytes
2010-04-07 04:25:57 . 2010-04-07 04:25:57 -------- d-----w- C:\ProgramData\Alwil Software
2010-04-07 04:25:57 . 2010-04-07 04:25:57 -------- d-----w- C:\Program Files\Alwil Software
2010-04-07 04:20:17 . 2010-04-07 04:20:17 -------- d-----w- C:\Program Files\Trend Micro
2010-04-07 03:50:31 . 2010-04-07 23:38:18 -------- d-----
w- C:\Users\first\AppData\Local\temp(42)
2010-04-06 17:09:17 . 2010-04-06 17:09:17 -------- d-----
w- C:\Users\first\AppData\Local\Microsoft Games
2010-04-06 00:26:17 . 2010-04-07 23:51:23 -------- d-----
w- C:\Program Files\QuickTime
2010-04-06 00:26:17 . 2010-04-06 15:47:38 -------- d-----
w- C:\Program Files\QuickTime(31)
2010-04-05 18:08:56 . 2010-04-08 18:08:41 966104 ----a-
w- C:\ProgramData\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-05 18:08:55 . 2010-04-05 18:08:55 849744 ----a-
w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-
AwareCommand.exe
2010-04-05 18:08:54 . 2010-04-05 18:08:55 855864 ----a-
w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-
AwareAdmin.exe
2010-04-05 18:08:53 . 2010-04-05 18:08:54 1597952 ----a-
w- C:\ProgramData\Lavasoft\Ad-Aware\Update\Ad-
Aware.exe
2010-04-05 18:08:52 . 2010-04-05 18:08:53 818256 ----a-
w- C:\ProgramData\Lavasoft\Ad-
Aware\Update\AAWTray.exe
2010-04-05 18:08:51 . 2010-04-08 18:08:40 1265264 ----a-
w- C:\ProgramData\Lavasoft\Ad-
Aware\Update\AAWService.exe
2010-03-30 15:21:36 . 2006-10-27 02:56:12 33104 ----a-
w-
C:\Windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-30 15:21:35 . 2006-10-27 02:56:10 32592 ----a-
w- C:\Windows\system32\msonpmon.dll
2010-03-30 15:16:22 . 2010-03-30 15:16:23 -------- d-----
w- C:\Program Files\Microsoft Works
2010-03-30 15:14:44 . 2010-03-30 15:14:44 -------- d-----
w- C:\Windows\PCHEALTH
2010-03-30 15:14:44 . 2010-03-30 15:14:44 -------- d-----
w- C:\Program Files\Microsoft.NET
2010-03-30 15:11:49 . 2010-03-30 15:11:51 -------- d-----
w- C:\Program Files\Microsoft Visual Studio 8
2010-03-30 15:10:15 . 2010-03-30 15:10:15 -------- d-----
w- C:\Users\first\AppData\Local\Microsoft Help
2010-03-30 15:10:01 . 2010-03-30 15:22:47 -------- d-----
w- C:\ProgramData\Microsoft Help
2010-03-30 15:06:25 . 2010-03-30 15:06:25 -------- d-----
r- C:\MSOCache
2010-03-30 14:12:49 . 2010-04-10 04:55:22 -------- d-----
w- C:\Users\first\AppData\Roaming\vlc
2010-03-30 14:01:48 . 2010-03-30 14:01:48 -------- d-----
w- C:\Program Files\VideoLAN
2010-03-30 05:01:10 . 2008-06-20 01:14:34 97800 ----a-
w- C:\Windows\system32\infocardapi.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:45 43544 ----a-
w- C:\Windows\system32\PresentationHostProxy.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:45 105016 ----a-
w-
C:\Windows\system32\PresentationCFFRasterizerNative_v0
300.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:34 11264 ----a-
w- C:\Windows\system32\icardres.dll
2010-03-30 05:01:09 . 2008-06-20 01:14:33 622080 ----a-
w- C:\Windows\system32\icardagt.exe
2010-03-30 05:01:07 . 2008-06-20 01:14:45 781344 ----a-
w- C:\Windows\system32\PresentationNative_v0300.dll
2010-03-30 05:01:05 . 2008-06-20 01:14:45 326160 ----a-
w- C:\Windows\system32\PresentationHost.exe
2010-03-30 04:54:58 . 2008-07-27 18:03:16 96760 ----a-
w- C:\Windows\system32\dfshim.dll
2010-03-30 04:54:57 . 2008-07-27 18:03:17 282112 ----a-
w- C:\Windows\system32\mscoree.dll
2010-03-30 04:54:56 . 2008-07-27 18:03:17 41984 ----a-
w- C:\Windows\system32\netfxperf.dll
2010-03-30 04:54:51 . 2008-07-27 18:03:17 158720 ----a-
w- C:\Windows\system32\mscorier.dll
2010-03-30 04:54:47 . 2008-07-27 18:03:17 83968 ----a-
w- C:\Windows\system32\mscories.dll
2010-03-30 04:53:05 . 2010-02-20 23:39:35 24064 ----a-
w- C:\Windows\system32\nshhttp.dll
2010-03-30 04:53:03 . 2010-02-20 23:37:20 31232 ----a-
w- C:\Windows\system32\httpapi.dll
2010-03-30 04:53:03 . 2010-02-20 21:18:40 411136 ----a-
w- C:\Windows\system32\drivers\http.sys
2010-03-30 03:30:38 . 2010-04-10 04:56:58 -------- d-----
w- C:\Users\first\Movie
2010-03-29 18:36:58 . 2010-04-05 18:09:21 15880 ----a-
w- C:\Windows\system32\lsdelete.exe
2010-03-29 18:08:25 . 2010-02-04 15:53:02 64288 ----a-
w- C:\Windows\system32\drivers\Lbd.sys
2010-03-29 17:57:01 . 2010-03-29 17:57:01 -------- dc-h-
-w- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}
2010-03-29 17:57:01 . 2010-02-04 15:53:47 2954656 -c--a-
w- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-29 17:56:54 . 2010-03-29 18:08:18 -------- d-----
w- C:\ProgramData\Lavasoft
2010-03-29 17:56:54 . 2010-03-29 17:57:04 -------- d-----
w- C:\Program Files\Lavasoft
2010-03-29 17:33:20 . 2010-04-10 05:01:22 -------- dc----
w- C:\Windows\system32\DRVSTORE
2010-03-29 17:32:37 . 2010-04-10 19:35:15 -------- d-----
w- C:\Program Files\iTunes
2010-03-29 17:32:37 . 2010-03-29 17:33:20 -------- d-----
w- C:\ProgramData\{755AC846-7372-4AC8-8550-
C52491DAA8BD}
2010-03-29 17:31:39 . 2010-03-29 17:31:39 -------- d-----
w- C:\Program Files\Bonjour
2010-03-29 16:38:26 . 2010-04-09 23:47:52 -------- d-----
w- C:\Users\first\AppData\Roaming\uTorrent
2010-03-29 16:23:33 . 2008-06-26 01:45:43 12240896 ----a-
w- C:\Windows\system32\NlsLexicons0007.dll
2010-03-29 16:23:29 . 2008-06-26 01:45:55 2644480 ----a-
w- C:\Windows\system32\NlsLexicons0009.dll
2010-03-29 16:23:20 . 2008-06-26 03:29:06 801280 ----a-
w- C:\Windows\system32\NaturalLanguage6.dll
2010-03-29 16:19:49 . 2009-07-11 19:32:52 293376 ----a-
w- C:\Windows\system32\wlanmsm.dll
2010-03-29 16:18:55 . 2009-08-31 13:55:46 428544 ----a-
w- C:\Windows\system32\EncDec.dll
2010-03-29 16:17:59 . 2009-12-08 20:52:16 3546200 ----a-
w- C:\Windows\system32\ntoskrnl.exe
2010-03-29 16:16:57 . 2009-12-28 12:35:50 11776 ----a-
w- C:\Windows\system32\tsbyuv.dll
2010-03-29 16:11:36 . 2009-12-04 16:12:58 212992 ----a-
w- C:\Windows\system32\drivers\mrxsmb10.sys
2010-03-29 16:11:36 . 2009-12-04 16:12:51 105472 ----a-
w- C:\Windows\system32\drivers\mrxsmb.sys
2010-03-29 16:11:23 . 2010-02-24 17:16:06 181632 ------
w- C:\Windows\system32\MpSigStub.exe
2010-03-29 05:06:09 . 2010-03-29 04:11:59 -------- d-----
w- C:\Windows\Panther
2010-03-29 05:05:52 . 2010-03-29 05:05:52 -------- d-----
w- C:\Boot
2010-03-29 04:21:10 . 2010-03-29 04:21:10 -------- d-----
w- C:\Windows\system32\Macromed
2010-03-29 04:19:56 . 2010-04-02 14:21:59 -------- d-----
w- C:\Users\first\AppData\Roaming\Apple Computer
2010-03-29 04:19:56 . 2010-03-31 14:39:25 -------- d-----
w- C:\Users\first\AppData\Local\Apple Computer
2010-03-29 04:19:23 . 2010-04-07 04:19:42 -------- d-----
w- C:\Program Files\Safari
2010-03-29 04:19:23 . 2010-03-29 17:32:37 -------- d-----
w- C:\ProgramData\Apple Computer
2010-03-29 04:18:11 . 2010-04-10 05:01:45 -------- d-----
w- C:\Program Files\Common Files\Apple
2010-03-29 04:18:02 . 2010-03-29 04:18:02 -------- d-----
w- C:\Users\first\AppData\Local\Apple
2010-03-29 04:17:59 . 2010-03-30 03:43:36 -------- d-----
w- C:\ProgramData\Apple
2010-03-29 04:17:59 . 2010-03-29 04:18:00 -------- d-----
w- C:\Program Files\Apple Software Update
2010-03-29 04:17:06 . 2010-04-10 05:01:53 -------- d-sh-
-w- C:\Windows\Installer
2010-03-29 04:14:53 . 2009-08-07 02:24:08 44768 ----a-
w- C:\Windows\system32\wups2.dll
2010-03-29 04:14:53 . 2009-08-07 02:24:04 53472 ----a-
w- C:\Windows\system32\wuauclt.exe
2010-03-29 04:14:53 . 2009-08-07 02:23:45 1929952 ----a-
w- C:\Windows\system32\wuaueng.dll
2010-03-29 04:14:53 . 2009-08-07 01:45:15 2421760 ----a-
w- C:\Windows\system32\wucltux.dll
2010-03-29 04:14:42 . 2009-08-07 02:24:09 35552 ----a-
w- C:\Windows\system32\wups.dll
2010-03-29 04:14:42 . 2009-08-07 02:23:52 575704 ----a-
w- C:\Windows\system32\wuapi.dll
2010-03-29 04:14:42 . 2009-08-07 01:44:40 87552 ----a-
w- C:\Windows\system32\wudriver.dll
2010-03-29 04:14:32 . 2009-08-07 02:23:06 171608 ----a-
w- C:\Windows\system32\wuwebv.dll
2010-03-29 04:14:32 . 2009-08-07 01:44:46 33792 ----a-
w- C:\Windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 05:07:34 . 2010-04-10 05:07:36 805 ----a-w- C:\Windows\system32\drivers\SYMEVENT.INF
2010-04-10 05:07:34 . 2010-04-10 05:07:36 7443 ----a-w- C:\Windows\system32\drivers\SYMEVENT.CAT
2010-04-08 00:47:29 . 2010-04-08 00:47:07 32 --sha-w- C:\Windows\system32\drivers\fidbox.idx
2010-04-07 23:51:45 . 2008-01-21 02:22:51 56376 ----a-w- C:\Windows\system32\drivers\partmgr.sys
2010-04-06 13:57:55 . 2010-04-06 13:55:44 112 ----a-w- C:\ProgramData\2Rpgg0Q.dat
2010-04-05 15:17:08 . 2010-04-05 15:17:08 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-30 15:16:08 . 2006-11-02 12:35:50 -------- d-----w- C:\Program Files\MSBuild
2010-03-30 13:32:55 . 2006-11-02 11:18:33 -------- d-----w- C:\Program Files\Windows Mail
2010-03-30 13:31:10 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2010-03-30 03:43:50 . 2010-03-30 03:43:50 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-09 16:28:40 . 2010-03-30 23:56:53 833024 ----a-w- C:\Windows\system32\wininet.dll
2010-03-09 16:25:21 . 2010-03-30 23:56:50 78336 ----a-w- C:\Windows\system32\ieencode.dll
2010-03-09 14:01:47 . 2010-03-30 23:56:50 26624 ----a-w- C:\Windows\system32\ieUnatt.exe
2010-03-04 11:00:34 . 2010-03-04 11:00:34 79144 ----a-w- C:\ProgramData\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-01-25 12:48:34 . 2010-03-29 16:17:35 472576 ----a-w- C:\Windows\system32\secproc_isv.dll
2010-01-25 12:48:34 . 2010-03-29 16:17:35 151040 ----a-w- C:\Windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 . 2010-03-29 16:17:35 151040 ----a-w- C:\Windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 . 2010-03-29 16:17:35 472064 ----a-w- C:\Windows\system32\secproc.dll
2010-01-25 12:45:56 . 2010-03-29 16:17:35 329216 ----a-w- C:\Windows\system32\msdrm.dll
2010-01-25 08:35:01 . 2010-03-29 16:17:35 346624 ----a-w- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 . 2010-03-29 16:17:36 523776 ----a-w- C:\Windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 . 2010-03-29 16:17:36 511488 ----a-w- C:\Windows\system32\RMActivate.exe
2010-01-25 08:34:56 . 2010-03-29 16:17:35 347136 ----a-w- C:\Windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 . 2010-03-29 16:18:42 2048 ----a-w- C:\Windows\system32\tzres.dll
2008-04-09 23:35:35 . 2008-04-09 23:35:33 8192 --sha-w- C:\Windows\Users\Default\NTUSER.DAT
.
[code]

C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\QTTask .exe
[/code]

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36F58BC8-DA71-4B7F-8C96-9746DD0F06C7}]
2010-04-10 00:26:45 46080 ----a-w- C:\Windows\System32\yzud.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 02:21:38 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:21:41 1008184]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-08 18:08:40 1265264]
S0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [2010-02-04 15:53:02 64288]
S0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-08-30 00:17:18 328752]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2010-02-04 01:40:50 172592]
S1 BHDrvx86;BHDrvx86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-25 03:40:18 536112]
S1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 23:22:57 501888]
S1 IDSVix86;IDSVix86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys [2009-10-28 22:37:22 343088]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 02:23:54 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\Drivers\NAV\1106000.020\SYMTDIV.SYS [2010-02-04 01:40:52 340016]
S2 NAV;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 23:21:50 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 09:00:00 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9}]
2010-04-10 00:26:45 46080 ----a-w- C:\Windows\System32\yzud.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 C:\Windows\Tasks\User_Feed_Synchronization-{9F8C095C-013A-464E-BA8E-668C5D90767D}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-21 02:23:00 . 2008-01-21 02:23:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



#14
April 10, 2010 at 14:28:42
Which antivirus are you going to keep? You need to remove several remnants once you decide.

This will kill QuickTime; you will need to reinstall it if you use it. It is infected.

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Windows\system32\yzud.dll

Folder::
C:\Program Files\QuickTime
C:\Users\first\AppData\Local\temp

Registry::
-[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#15
April 11, 2010 at 12:43:58
ComboFix 10-04-10.01 - first 04/11/2010 12:23:06.5.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1587 [GMT -7:00]
Running from: c:\users\first\Desktop\combofix.exe
Command switches used :: c:\users\first\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\system32\yzud.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\QuickTime
c:\program files\QuickTime\PictureViewer.exe
c:\program files\QuickTime\PictureViewer.Resources\da.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\de.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\en.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\es.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\fi.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\fr.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\it.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\ja.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\ko.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\nb.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\nl.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\PictureViewer.dll
c:\program files\QuickTime\PictureViewer.Resources\pl.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\pt.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\pt_PT.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\ru.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\sv.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\zh_CN.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\PictureViewer.Resources\zh_TW.lproj\PictureViewerLocalized.dll
c:\program files\QuickTime\Plugins\npqtplugin.dll
c:\program files\QuickTime\Plugins\npqtplugin2.dll
c:\program files\QuickTime\Plugins\npqtplugin3.dll
c:\program files\QuickTime\Plugins\npqtplugin4.dll
c:\program files\QuickTime\Plugins\npqtplugin5.dll
c:\program files\QuickTime\Plugins\npqtplugin6.dll
c:\program files\QuickTime\Plugins\npqtplugin7.dll
c:\program files\QuickTime\QTInfo.exe
c:\program files\QuickTime\QTOControl.dll
c:\program files\QuickTime\QTOLibrary.dll
c:\program files\QuickTime\QTPlugin.ocx
c:\program files\QuickTime\QTSystem\CFUniCharPropertyDatabase.data
c:\program files\QuickTime\QTSystem\ExportController.exe
c:\program files\QuickTime\QTSystem\ExportControllerPS.dll
c:\program files\QuickTime\QTSystem\QTCF.dll
c:\program files\QuickTime\QTSystem\QTJavaNative.dll
c:\program files\QuickTime\QTSystem\QTJNative.dll
c:\program files\QuickTime\QTSystem\QTMLClient.dll
c:\program files\QuickTime\QTSystem\QuickTime.cpl
c:\program files\QuickTime\QTSystem\QuickTime.Resources\da.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\de.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\es.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\fi.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\fr.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\it.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\ja.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\ko.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\nb.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\nl.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\pl.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\pt.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\pt_PT.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\QuickTime.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\ru.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\sv.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\zh_CN.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTime.Resources\zh_TW.lproj\QuickTimeLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\da.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\de.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\es.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\fi.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\fr.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\it.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\ja.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\ko.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\nb.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\nl.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\pl.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\pt.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\pt_PT.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\ru.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\sv.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\zh_CN.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\zh_TW.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\da.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\de.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\en.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\es.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\fi.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\fr.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\it.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\ja.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\ko.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\nb.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\nl.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\pl.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\pt.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\pt_PT.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\ru.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\sv.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\zh_CN.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeAuthoring.Resources\zh_TW.lproj\QuickTimeAuthoringLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeCheck.ocx
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\da.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\de.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\es.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\fi.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\fr.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\it.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\ja.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\ko.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\nb.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\nl.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\pl.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\pt.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\pt_PT.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\ru.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\sv.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeStreaming.Resources\zh_TW.lproj\QuickTimeStreamingLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\da.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\de.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\es.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\fi.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\fr.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\ja.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\ko.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\nb.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\nl.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\pl.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\pt.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\pt_PT.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\ru.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\sv.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\zh_TW.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\QuickTime\QTTask .exe
c:\program files\QuickTime\QTUIPanelControl.dll
c:\program files\QuickTime\QuickTimePlayer.dll
c:\program files\QuickTime\QuickTimePlayer.exe
c:\users\first\AppData\Local\temp
c:\users\first\AppData\Local\temp\FXSAPIDebugLogFile.txt
c:\windows\system32\yzud.dll
.
---- Previous Run -------
.
c:\windows\system32\klgd.bmp

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 19:33 . 2010-04-11 19:36 -------- d-----w- c:\users\first\AppData\Local\Temp
2010-04-11 19:32 . 2010-04-11 19:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-10 15:21 . 2010-04-10 05:11 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVENG.SYS
2010-04-10 15:21 . 2010-04-10 05:11 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVEX15.SYS
2010-04-10 15:21 . 2009-08-29 09:00 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVENG32.DLL
2010-04-10 15:21 . 2009-08-29 09:00 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\NAVEX32A.DLL
2010-04-10 15:21 . 2010-04-10 05:11 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\CCERASER.DLL
2010-04-10 15:21 . 2010-04-10 05:11 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\ECMSVR32.DLL
2010-04-10 15:21 . 2009-08-29 09:00 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\EECTRL.SYS
2010-04-10 15:21 . 2009-08-29 09:00 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100410.004\ERASER.SYS
2010-04-10 05:12 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-10 05:12 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 05:12 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-10 05:12 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-10 05:12 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-10 05:08 . 2009-08-30 00:16 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2010-04-10 05:07 . 2010-04-10 05:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-10 05:07 . 2010-04-10 05:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-10 05:07 . 2010-04-10 05:07 -------- d-----w- c:\program files\Symantec
2010-04-10 05:07 . 2009-08-26 22:13 900464 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\hsplayer.dll
2010-04-10 05:07 . 2009-09-01 09:02 893296 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\CLT\cltLMSx.dll
2010-04-10 05:07 . 2010-04-10 19:12 -------- d-----w- c:\windows\system32\drivers\NAV
2010-04-10 05:06 . 2010-04-10 05:07 -------- d-----w- c:\program files\Norton AntiVirus
2010-04-10 05:06 . 2010-04-10 05:06 -------- d-----w- c:\program files\NortonInstaller
2010-04-10 00:20 . 2010-04-10 00:20 -------- d-----w- c:\program files\AVG
2010-04-08 18:08 . 2010-04-08 18:08 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-08 04:23 . 2010-04-09 23:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:21 . 2010-04-08 04:21 -------- d-----w- c:\programdata\Hitman Pro
2010-04-08 04:21 . 2010-04-08 04:21 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 03:11 . 2010-04-10 05:06 -------- d-----w- c:\programdata\Norton
2010-04-08 03:11 . 2010-04-10 05:06 -------- d-----w- c:\programdata\NortonInstaller
2010-04-08 00:47 . 2010-04-08 00:47 125952 ----a-w-
c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-04-08 00:47 . 2010-04-08 03:35 3566112 --sha-w-
c:\windows\system32\drivers\fidbox.dat
2010-04-08 00:37 . 2010-04-10 00:07 -------- d-----w-
c:\programdata\ParetoLogic
2010-04-08 00:37 . 2010-04-10 00:07 -------- d-----w-
c:\program files\Common Files\ParetoLogic
2010-04-08 00:35 . 2010-04-08 00:35 -------- d-----w-
c:\users\first\AppData\Local\Downloaded Installations
2010-04-08 00:02 . 2010-04-08 00:02 -------- d-----w-
c:\programdata\FrontLine Registry Cleaner
2010-04-08 00:02 . 2010-04-08 00:02 -------- d-----w-
c:\program files\FrontLine
2010-04-07 17:05 . 2010-04-07 17:09 680 ----a-w-
c:\users\first\AppData\Local\d3d9caps.dat
2010-04-07 04:48 . 2010-04-07 04:48 -------- d-----w-
c:\users\first\AppData\Roaming\Malwarebytes
2010-04-07 04:48 . 2010-04-07 04:48 -------- d-----w-
c:\program files\Malwarebytes' Anti-Malware
2010-04-07 04:48 . 2010-04-07 04:48 -------- d-----w-
c:\programdata\Malwarebytes
2010-04-07 04:25 . 2010-04-07 04:25 -------- d-----w-
c:\programdata\Alwil Software
2010-04-07 04:25 . 2010-04-07 04:25 -------- d-----w-
c:\program files\Alwil Software
2010-04-07 04:20 . 2010-04-07 04:20 -------- d-----w-
c:\program files\Trend Micro
2010-04-07 03:50 . 2010-04-07 23:38 -------- d-----w-
c:\users\first\AppData\Local\temp(42)
2010-04-06 17:09 . 2010-04-06 17:09 -------- d-----w-
c:\users\first\AppData\Local\Microsoft Games
2010-04-06 00:26 . 2010-04-06 15:47 -------- d-----w-
c:\program files\QuickTime(31)
2010-04-05 18:08 . 2010-04-08 18:08 966104 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-05 18:08 . 2010-04-05 18:08 849744 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\Ad-
AwareCommand.exe
2010-04-05 18:08 . 2010-04-05 18:08 855864 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\Ad-
AwareAdmin.exe
2010-04-05 18:08 . 2010-04-05 18:08 1597952 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-05 18:08 . 2010-04-05 18:08 818256 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-05 18:08 . 2010-04-08 18:08 1265264 ----a-w-
c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-30 15:21 . 2006-10-27 02:56 33104 ----a-w-
c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-30 15:21 . 2006-10-27 02:56 32592 ----a-w-
c:\windows\system32\msonpmon.dll
2010-03-30 15:16 . 2010-03-30 15:16 -------- d-----w-
c:\program files\Microsoft Works
2010-03-30 15:14 . 2010-03-30 15:14 -------- d-----w-
c:\windows\PCHEALTH
2010-03-30 15:14 . 2010-03-30 15:14 -------- d-----w-
c:\program files\Microsoft.NET
2010-03-30 15:11 . 2010-03-30 15:11 -------- d-----w-
c:\program files\Microsoft Visual Studio 8
2010-03-30 15:10 . 2010-03-30 15:10 -------- d-----w-
c:\users\first\AppData\Local\Microsoft Help
2010-03-30 15:10 . 2010-03-30 15:22 -------- d-----w-
c:\programdata\Microsoft Help
2010-03-30 15:06 . 2010-03-30 15:06 -------- d-----r-
C:\MSOCache
2010-03-30 14:12 . 2010-04-10 04:55 -------- d-----w-
c:\users\first\AppData\Roaming\vlc
2010-03-30 14:01 . 2010-03-30 14:01 -------- d-----w-
c:\program files\VideoLAN
2010-03-30 05:01 . 2008-06-20 01:14 97800 ----a-w-
c:\windows\system32\infocardapi.dll
2010-03-30 05:01 . 2008-06-20 01:14 43544 ----a-w-
c:\windows\system32\PresentationHostProxy.dll
2010-03-30 05:01 . 2008-06-20 01:14 105016 ----a-w-
c:\windows\system32\PresentationCFFRasterizerNative_v03
00.dll
2010-03-30 05:01 . 2008-06-20 01:14 11264 ----a-w-
c:\windows\system32\icardres.dll
2010-03-30 05:01 . 2008-06-20 01:14 622080 ----a-w-
c:\windows\system32\icardagt.exe
2010-03-30 05:01 . 2008-06-20 01:14 781344 ----a-w-
c:\windows\system32\PresentationNative_v0300.dll
2010-03-30 05:01 . 2008-06-20 01:14 326160 ----a-w-
c:\windows\system32\PresentationHost.exe
2010-03-30 04:54 . 2008-07-27 18:03 96760 ----a-w-
c:\windows\system32\dfshim.dll
2010-03-30 04:54 . 2008-07-27 18:03 282112 ----a-w-
c:\windows\system32\mscoree.dll
2010-03-30 04:54 . 2008-07-27 18:03 41984 ----a-w-
c:\windows\system32\netfxperf.dll
2010-03-30 04:54 . 2008-07-27 18:03 158720 ----a-w-
c:\windows\system32\mscorier.dll
2010-03-30 04:54 . 2008-07-27 18:03 83968 ----a-w-
c:\windows\system32\mscories.dll
2010-03-30 04:53 . 2010-02-20 23:39 24064 ----a-w-
c:\windows\system32\nshhttp.dll
2010-03-30 04:53 . 2010-02-20 23:37 31232 ----a-w-
c:\windows\system32\httpapi.dll
2010-03-30 04:53 . 2010-02-20 21:18 411136 ----a-w-
c:\windows\system32\drivers\http.sys
2010-03-30 03:30 . 2010-04-10 04:56 -------- d-----w-
c:\users\first\Movie
2010-03-29 18:36 . 2010-04-05 18:09 15880 ----a-w-
c:\windows\system32\lsdelete.exe
2010-03-29 18:08 . 2010-02-04 15:53 64288 ----a-w-
c:\windows\system32\drivers\Lbd.sys
2010-03-29 17:57 . 2010-03-29 17:57 -------- dc-h--w-
c:\programdata\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}
2010-03-29 17:57 . 2010-02-04 15:53 2954656 -c--a-w-
c:\programdata\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-29 17:56 . 2010-03-29 18:08 -------- d-----w-
c:\programdata\Lavasoft
2010-03-29 17:56 . 2010-03-29 17:57 -------- d-----w-
c:\program files\Lavasoft
2010-03-29 17:33 . 2010-04-10 05:01 -------- dc----w-
c:\windows\system32\DRVSTORE
2010-03-29 17:32 . 2010-04-10 19:35 -------- d-----w-
c:\program files\iTunes
2010-03-29 17:32 . 2010-03-29 17:33 -------- d-----w-
c:\programdata\{755AC846-7372-4AC8-8550-
C52491DAA8BD}
2010-03-29 17:31 . 2010-03-29 17:31 -------- d-----w-
c:\program files\Bonjour
2010-03-29 16:38 . 2010-04-09 23:47 -------- d-----w-
c:\users\first\AppData\Roaming\uTorrent
2010-03-29 16:23 . 2008-06-26 01:45 12240896 ----a-w-
c:\windows\system32\NlsLexicons0007.dll
2010-03-29 16:23 . 2008-06-26 01:45 2644480 ----a-w-
c:\windows\system32\NlsLexicons0009.dll
2010-03-29 16:23 . 2008-06-26 03:29 801280 ----a-w-
c:\windows\system32\NaturalLanguage6.dll
2010-03-29 16:19 . 2009-07-11 19:32 293376 ----a-w-
c:\windows\system32\wlanmsm.dll
2010-03-29 16:18 . 2009-08-31 13:55 428544 ----a-w-
c:\windows\system32\EncDec.dll
2010-03-29 16:17 . 2009-12-08 20:52 3546200 ----a-w-
c:\windows\system32\ntoskrnl.exe
2010-03-29 16:16 . 2009-12-28 12:35 11776 ----a-w-
c:\windows\system32\tsbyuv.dll
2010-03-29 16:11 . 2009-12-04 16:12 212992 ----a-w-
c:\windows\system32\drivers\mrxsmb10.sys
2010-03-29 16:11 . 2009-12-04 16:12 105472 ----a-w-
c:\windows\system32\drivers\mrxsmb.sys
2010-03-29 16:11 . 2010-02-24 17:16 181632 ------w-
c:\windows\system32\MpSigStub.exe
2010-03-29 05:06 . 2010-03-29 04:11 -------- d-----w-
c:\windows\Panther
2010-03-29 05:05 . 2010-03-29 05:05 -------- d-----w-
C:\Boot
2010-03-29 04:21 . 2010-03-29 04:21 -------- d-----w-
c:\windows\system32\Macromed
2010-03-29 04:19 . 2010-04-02 14:21 -------- d-----w-
c:\users\first\AppData\Roaming\Apple Computer
2010-03-29 04:19 . 2010-03-31 14:39 -------- d-----w-
c:\users\first\AppData\Local\Apple Computer
2010-03-29 04:19 . 2010-04-07 04:19 -------- d-----w-
c:\program files\Safari
2010-03-29 04:19 . 2010-03-29 17:32 -------- d-----w-
c:\programdata\Apple Computer
2010-03-29 04:18 . 2010-04-10 05:01 -------- d-----w-
c:\program files\Common Files\Apple
2010-03-29 04:18 . 2010-03-29 04:18 -------- d-----w-
c:\users\first\AppData\Local\Apple
2010-03-29 04:17 . 2010-03-30 03:43 -------- d-----w-
c:\programdata\Apple
2010-03-29 04:17 . 2010-03-29 04:18 -------- d-----w-
c:\program files\Apple Software Update
2010-03-29 04:17 . 2010-04-10 05:01 -------- d-sh--w-
c:\windows\Installer
2010-03-29 04:14 . 2009-08-07 02:24 44768 ----a-w-
c:\windows\system32\wups2.dll
2010-03-29 04:14 . 2009-08-07 02:24 53472 ----a-w-
c:\windows\system32\wuauclt.exe
2010-03-29 04:14 . 2009-08-07 02:23 1929952 ----a-w-
c:\windows\system32\wuaueng.dll
2010-03-29 04:14 . 2009-08-07 01:45 2421760 ----a-w-
c:\windows\system32\wucltux.dll
2010-03-29 04:14 . 2009-08-07 02:24 35552 ----a-w-
c:\windows\system32\wups.dll
2010-03-29 04:14 . 2009-08-07 02:23 575704 ----a-w-
c:\windows\system32\wuapi.dll
2010-03-29 04:14 . 2009-08-07 01:44 87552 ----a-w-
c:\windows\system32\wudriver.dll
2010-03-29 04:14 . 2009-08-07 02:23 171608 ----a-w-
c:\windows\system32\wuwebv.dll
2010-03-29 04:14 . 2009-08-07 01:44 33792 ----a-w-
c:\windows\system32\wuapp.exe
2010-03-29 04:14 . 2010-04-10 04:41 -------- d-----w-
c:\windows\Debug
2010-03-29 01:21 . 2010-03-30 15:45 100432 ----a-w-
c:\users\first\AppData\Local\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 05:07 . 2010-04-10 05:07 805 ----a-w-
c:\windows\system32\drivers\SYMEVENT.INF
2010-04-10 05:07 . 2010-04-10 05:07 7443 ----a-w-
c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-08 00:47 . 2010-04-08 00:47 32 --sha-w-
c:\windows\system32\drivers\fidbox.idx
2010-04-07 23:51 . 2008-01-21 02:22 56376 ----a-w-
c:\windows\system32\drivers\partmgr.sys
2010-04-06 13:57 . 2010-04-06 13:55 112 ----a-w-
c:\programdata\2Rpgg0Q.dat
2010-04-05 15:17 . 2010-04-05 15:17 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.
Wdf
2010-03-30 15:16 . 2006-11-02 12:35 -------- d-----w-
c:\program files\MSBuild
2010-03-30 13:32 . 2006-11-02 11:18 -------- d-----w-
c:\program files\Windows Mail
2010-03-30 13:31 . 2006-11-02 10:25 665600 ----a-w-
c:\windows\inf\drvindex.dat
2010-03-30 03:43 . 2010-03-30 03:43 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_
00.Wdf
2010-03-09 16:28 . 2010-03-30 23:56 833024 ----a-w-
c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 23:56 78336 ----a-w-
c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 23:56 26624 ----a-w-
c:\windows\system32\ieUnatt.exe
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w-
c:\programdata\Apple Computer\Installer Cache\Safari
5.31.22.7\SetupAdmin.exe
2010-01-25 12:48 . 2010-03-29 16:17 472576 ----a-w-
c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-03-29 16:17 151040 ----a-w-
c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-03-29 16:17 151040 ----a-w-
c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-03-29 16:17 472064 ----a-w-
c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-03-29 16:17 329216 ----a-w-
c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-03-29 16:17 346624 ----a-w-
c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-03-29 16:17 523776 ----a-w-
c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-03-29 16:17 511488 ----a-w-
c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-03-29 16:17 347136 ----a-w-
c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-03-29 16:18 2048 ----a-w-
c:\windows\system32\tzres.dll
2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w-
c:\windows\Users\Default\NTUSER.DAT
.
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-08 1265264]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-25 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys [2009-10-28 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1106000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9}]
yzud.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{9F8C095C-013A-464E-BA8E-668C5D90767D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:23]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{36F58BC8-DA71-4B7F-8C96-9746DD0F06C7} - yzud.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 12:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys
>>UNKNOWN [0x84DA2AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x88dc4322
\Driver\ACPI -> acpi.sys @ 0x80694d4c
\Driver\atapi -> ataport.SYS @ 0x807b09a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3728)
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 12:42:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 19:41

Pre-Run: 52,172,865,536 bytes free
Post-Run: 52,150,218,752 bytes free

- - End Of File - - 853AEDB8A0F1EB50750725F66433AB38



#16
April 11, 2010 at 12:45:48
I just decided to go with Avast.
So what do I need to do to clear up the other trash, so to speak?


#17
April 11, 2010 at 20:33:12
Are you still being redirected?

Download Avast to your desktop > uninstall Norton and run their uninstaller > install Avast. Let me know when you have completed this, as there are other programs you need to remove.



#18
April 11, 2010 at 20:45:21
Done... Avast is on and Norton is off, but pop-ups still seem to be occurring irregularly; the redirect is gone as far as I can tell.
Thanks.


#19
April 15, 2010 at 18:33:48
Run ComboFix and post its log. Also post a new DDS log.

What type of pop-up are you getting? Is it a full-window advertisement?



#20
April 15, 2010 at 19:31:37

DDS (Ver_10-03-17.01) - NTFSx86
Run by first at 19:30:28.32 on Thu 04/15/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1596 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\first\AppData\Local\Temp\6n22m683.tmp\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
mASetup: {7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9} - rundll32 yzud.dll,laspi

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-29 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-11 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-11 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-11 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-11 40384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-11 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-11 40384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]

=============== Created Last 30 ================

2010-04-15 13:36:46 430080 ----a-w-
c:\windows\system32\vbscript.dll
2010-04-15 13:36:44 78848 ----a-w-
c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 13:36:44 212992 ----a-w-
c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 13:36:44 105984 ----a-w-
c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 13:36:41 898952 ----a-w-
c:\windows\system32\drivers\tcpip.sys
2010-04-15 13:36:41 25088 ----a-w-
c:\windows\system32\drivers\tunnel.sys
2010-04-15 13:36:41 190464 ----a-w-
c:\windows\system32\iphlpsvc.dll
2010-04-15 13:36:36 3598216 ----a-w-
c:\windows\system32\ntkrnlpa.exe
2010-04-15 13:36:35 3545992 ----a-w-
c:\windows\system32\ntoskrnl.exe
2010-04-15 13:36:34 171520 ----a-w-
c:\windows\system32\wintrust.dll
2010-04-15 13:36:31 62464 ----a-w-
c:\windows\system32\l3codeca.acm
2010-04-15 13:36:04 98304 ----a-w-
c:\windows\system32\cabview.dll
2010-04-15 03:55:18 26600 ----a-w-
c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 03:55:18 107368 ----a-w-
c:\windows\system32\GEARAspi.dll
2010-04-15 03:54:31 0 d-----w- c:\program files\iPod
2010-04-15 03:54:28 0 d-----w-
c:\programdata\{429CAD59-35B1-4DBC-BB6D-
1DB246563521}
2010-04-15 03:51:36 0 d-----w- c:\program
files\Bonjour
2010-04-11 19:52:01 51792 ----a-w-
c:\windows\system32\drivers\aswMonFlt.sys
2010-04-11 19:40:47 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-10 00:26:45 3519 ----a-w-
c:\windows\system32\hcri
2010-04-10 00:20:59 0 d-----w- c:\program files\AVG
2010-04-09 04:27:03 328838042 ----a-w-
c:\windows\MEMORY.DMP
2010-04-09 04:16:48 98816 ----a-w-
c:\windows\sed.exe
2010-04-09 04:16:48 77312 ----a-w-
c:\windows\MBR.exe
2010-04-09 04:16:48 261632 ----a-w-
c:\windows\PEV.exe
2010-04-09 04:16:48 161792 ----a-w-
c:\windows\SWREG.exe
2010-04-08 04:23:07 15944 ----a-w-
c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:21:57 0 d-----w-
c:\programdata\Hitman Pro
2010-04-08 04:21:46 0 d-----w- c:\program
files\Hitman Pro 3.5
2010-04-08 03:11:36 0 d-----w-
c:\programdata\Norton
2010-04-08 03:11:25 0 d-----w-
c:\programdata\NortonInstaller
2010-04-08 00:47:07 3566112 --sha-w-
c:\windows\system32\drivers\fidbox.dat
2010-04-08 00:47:07 32 --sha-w-
c:\windows\system32\drivers\fidbox.idx
2010-04-08 00:37:06 0 d-----w-
c:\programdata\ParetoLogic
2010-04-08 00:37:06 0 d-----w- c:\program
files\common files\ParetoLogic
2010-04-08 00:02:59 0 d-----w-
c:\programdata\FrontLine Registry Cleaner
2010-04-08 00:02:31 0 d-----w- c:\program
files\FrontLine
2010-04-07 04:48:21 0 d-----w-
c:\users\first\appdata\roaming\Malwarebytes
2010-04-07 04:48:08 0 d-----w-
c:\programdata\Malwarebytes
2010-04-07 04:48:08 0 d-----w- c:\program
files\Malwarebytes' Anti-Malware
2010-04-07 04:25:57 0 d-----w- c:\programdata\Alwil
Software
2010-04-07 04:20:17 0 d-----w- c:\program files\Trend
Micro
2010-04-06 13:55:44 112 ----a-w-
c:\programdata\2Rpgg0Q.dat
2010-04-06 00:26:17 0 d-----w- c:\program
files\QuickTime(31)
2010-04-05 18:09:25 95024 ----a-w-
c:\windows\system32\drivers\SBREDrv.sys
2010-04-05 15:17:08 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.
Wdf
2010-03-30 15:21:35 32592 ----a-w-
c:\windows\system32\msonpmon.dll
2010-03-30 15:14:44 0 d-----w-
c:\windows\PCHEALTH
2010-03-30 15:11:49 0 d-----w- c:\program
files\Microsoft Visual Studio 8
2010-03-30 15:10:01 0 d-----w-
c:\programdata\Microsoft Help
2010-03-30 14:01:48 0 d-----w- c:\program
files\VideoLAN
2010-03-30 05:01:10 97800 ----a-w-
c:\windows\system32\infocardapi.dll
2010-03-30 05:01:09 622080 ----a-w-
c:\windows\system32\icardagt.exe
2010-03-30 05:01:09 43544 ----a-w-
c:\windows\system32\PresentationHostProxy.dll
2010-03-30 05:01:09 37384 ----a-w-
c:\windows\system32\infocardcpl.cpl
2010-03-30 05:01:09 11264 ----a-w-
c:\windows\system32\icardres.dll
2010-03-30 05:01:09 105016 ----a-w-
c:\windows\system32\PresentationCFFRasterizerNative_v03
00.dll
2010-03-30 05:01:07 781344 ----a-w-
c:\windows\system32\PresentationNative_v0300.dll
2010-03-30 05:01:05 326160 ----a-w-
c:\windows\system32\PresentationHost.exe
2010-03-30 04:54:58 96760 ----a-w-
c:\windows\system32\dfshim.dll
2010-03-30 04:54:57 282112 ----a-w-
c:\windows\system32\mscoree.dll
2010-03-30 04:54:56 41984 ----a-w-
c:\windows\system32\netfxperf.dll
2010-03-30 04:54:51 158720 ----a-w-
c:\windows\system32\mscorier.dll
2010-03-30 04:54:47 83968 ----a-w-
c:\windows\system32\mscories.dll
2010-03-30 04:53:05 24064 ----a-w-
c:\windows\system32\nshhttp.dll
2010-03-30 04:53:03 411136 ----a-w-
c:\windows\system32\drivers\http.sys
2010-03-30 04:53:03 31232 ----a-w-
c:\windows\system32\httpapi.dll
2010-03-30 03:43:50 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_
00.Wdf
2010-03-30 03:30:38 0 d-----w- c:\users\first\Movie
2010-03-29 18:36:58 15880 ----a-w-
c:\windows\system32\lsdelete.exe
2010-03-29 18:08:25 64288 ----a-w-
c:\windows\system32\drivers\Lbd.sys
2010-03-29 17:57:01 0 dc-h--w-
c:\programdata\{74D08EB8-01D1-4BAE-91E3-
F30C1B031AC6}
2010-03-29 17:56:54 0 d-----w-
c:\programdata\Lavasoft
2010-03-29 17:56:54 0 d-----w- c:\program
files\Lavasoft
2010-03-29 17:47:49 0 d-----w-
c:\windows\system32\appmgmt
2010-03-29 17:32:37 0 d-----w-
c:\programdata\{755AC846-7372-4AC8-8550-
C52491DAA8BD}
2010-03-29 17:32:37 0 d-----w- c:\program
files\iTunes
2010-03-29 16:38:26 0 d-----w-
c:\users\first\appdata\roaming\uTorrent
2010-03-29 16:23:33 12240896 ----a-w-
c:\windows\system32\NlsLexicons0007.dll
2010-03-29 16:23:29 2644480 ----a-w-
c:\windows\system32\NlsLexicons0009.dll
2010-03-29 16:23:20 801280 ----a-w-
c:\windows\system32\NaturalLanguage6.dll
2010-03-29 16:19:49 293376 ----a-w-
c:\windows\system32\wlanmsm.dll
2010-03-29 16:18:55 428544 ----a-w-
c:\windows\system32\EncDec.dll
2010-03-29 16:16:57 91136 ----a-w-
c:\windows\system32\avifil32.dll
2010-03-29 16:11:23 181632 ------w-
c:\windows\system32\MpSigStub.exe
2010-03-29 05:06:09 0 d-----w- c:\windows\Panther
2010-03-29 05:05:52 333203 --sha-r- C:\bootmgr
2010-03-29 05:05:52 0 d-----w- C:\Boot
2010-03-29 05:05:41 171136 --sha-r- C:\GRLDR
2010-03-29 04:19:23 0 d-----w- c:\programdata\Apple
Computer
2010-03-29 04:17:59 0 d-----w- c:\programdata\Apple
2010-03-29 04:17:06 0 d-sh--w- c:\windows\Installer
2010-03-29 04:14:53 2421760 ----a-w-
c:\windows\system32\wucltux.dll
2010-03-29 04:14:42 87552 ----a-w-
c:\windows\system32\wudriver.dll
2010-03-29 04:14:32 33792 ----a-w-
c:\windows\system32\wuapp.exe
2010-03-29 04:14:32 171608 ----a-w-
c:\windows\system32\wuwebv.dll
2010-03-18 04:53:42 94208 ----a-w-
c:\windows\system32\QuickTimeVR.qtx
2010-03-18 04:53:42 69632 ----a-w-
c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-15 03:52:21 86016 ----a-w-
c:\windows\inf\infstrng.dat
2010-04-15 03:52:21 86016 ----a-w-
c:\windows\inf\infstor.dat
2010-04-15 03:52:21 51200 ----a-w-
c:\windows\inf\infpub.dat
2010-04-11 21:56:33 56376 ----a-w-
c:\windows\system32\drivers\partmgr.sys
2010-03-30 13:31:10 665600 ----a-w-
c:\windows\inf\drvindex.dat
2010-03-09 16:28:40 833024 ----a-w-
c:\windows\system32\wininet.dll
2010-03-09 16:25:21 78336 ----a-w-
c:\windows\system32\ieencode.dll
2010-03-09 14:01:47 26624 ----a-w-
c:\windows\system32\ieUnatt.exe
2010-02-12 18:46:14 91424 ----a-w-
c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w-
c:\windows\system32\dns-sd.exe
2010-01-25 12:48:34 472576 ----a-w-
c:\windows\system32\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w-
c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w-
c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w-
c:\windows\system32\secproc.dll
2010-01-25 12:45:56 329216 ----a-w-
c:\windows\system32\msdrm.dll
2010-01-25 08:35:01 346624 ----a-w-
c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w-
c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w-
c:\windows\system32\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w-
c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 2048 ----a-w-
c:\windows\system32\tzres.dll
2008-01-21 02:41:56 174 --sha-w- c:\program
files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w-
c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w-
c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w-
c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w-
c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w-
c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w-
c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w-
c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w-
c:\windows\inf\perflib\0000\perfc.dat
2008-04-09 23:35:35 8192 --sha-w-
c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:31:09.33 ===============



#21
April 15, 2010 at 19:33:25
They are full pop-ups, just advertising.
Oh, and here is the ComboFix log.


#22
April 15, 2010 at 20:05:20
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DDS::
mASetup: {7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9} - rundll32 yzud.dll,laspi

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Please post the log that is produced and a new dds log.

Please run ESET's online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.


Report •

#23
April 15, 2010 at 20:08:17
OK so I tried three times to run ComboFix.
All three times my computer goes to a blue screen and says
error mbr.sys
so I can't run it. Oh and I even tried deleting the old one and re-downloading it and it still won't work.

Report •

#24
April 16, 2010 at 09:34:49
0 cleaned
0 problems

and still when I try to run ComboFix it says
error mbr.sys


Report •

#25
April 16, 2010 at 14:21:48
Go to Start > Run > type in ComboFix /Uninstall (note the space after ComboFix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller

1. Extract the contents of TDSSKiller.zip to your Desktop.

2. Double click on TDSSKiller.exe to run it.

3. If it finds something and asks you what to do, follow the instructions to type in "delete".

4. When done, a log file should be created on your C: drive called TDSSKiller.txt (with time and date appended). Please post this log in your next reply.


Report •

#26
April 17, 2010 at 08:16:51
08:12:21:046 0012 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:12:21:046 0012 ================================================================================
08:12:21:046 0012 SystemInfo:

08:12:21:046 0012 OS Version: 6.0.6001 ServicePack: 1.0
08:12:21:046 0012 Product type: Workstation
08:12:21:046 0012 ComputerName: SKIMPKID
08:12:21:046 0012 UserName: first
08:12:21:046 0012 Windows directory: C:\Windows
08:12:21:046 0012 Processor architecture: Intel x86
08:12:21:046 0012 Number of processors: 2
08:12:21:047 0012 Page size: 0x1000
08:12:21:049 0012 Boot type: Normal boot
08:12:21:049 0012 ================================================================================
08:12:21:054 0012 UnloadDriverW: NtUnloadDriver error 2
08:12:21:054 0012 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:12:21:155 0012 wfopen_ex: Trying to open file C:\Windows\system32\config\system
08:12:21:155 0012 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:12:21:155 0012 wfopen_ex: Trying to KLMD file open
08:12:21:155 0012 wfopen_ex: File opened ok (Flags 2)
08:12:21:171 0012 wfopen_ex: Trying to open file C:\Windows\system32\config\software
08:12:21:171 0012 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:12:21:171 0012 wfopen_ex: Trying to KLMD file open
08:12:21:171 0012 wfopen_ex: File opened ok (Flags 2)
08:12:21:172 0012 Initialize success
08:12:21:172 0012
08:12:21:172 0012 Scanning Services ...
08:12:22:034 0012 Raw services enum returned 417 services
08:12:22:048 0012
08:12:22:049 0012 Scanning Kernel memory ...
08:12:22:049 0012 Devices to scan: 1
08:12:22:049 0012
08:12:22:049 0012 Driver Name: atapi
08:12:22:049 0012 IRP_MJ_CREATE : 851A5AC8
08:12:22:049 0012 IRP_MJ_CREATE_NAMED_PIPE : 851A5AC8
08:12:22:049 0012 IRP_MJ_CLOSE : 851A5AC8
08:12:22:050 0012 IRP_MJ_READ : 851A5AC8
08:12:22:050 0012 IRP_MJ_WRITE : 851A5AC8
08:12:22:050 0012 IRP_MJ_QUERY_INFORMATION : 851A5AC8
08:12:22:050 0012 IRP_MJ_SET_INFORMATION : 851A5AC8
08:12:22:050 0012 IRP_MJ_QUERY_EA : 851A5AC8
08:12:22:050 0012 IRP_MJ_SET_EA : 851A5AC8
08:12:22:050 0012 IRP_MJ_FLUSH_BUFFERS : 851A5AC8
08:12:22:050 0012 IRP_MJ_QUERY_VOLUME_INFORMATION : 851A5AC8
08:12:22:050 0012 IRP_MJ_SET_VOLUME_INFORMATION : 851A5AC8
08:12:22:050 0012 IRP_MJ_DIRECTORY_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_FILE_SYSTEM_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_DEVICE_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_INTERNAL_DEVICE_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_SHUTDOWN : 851A5AC8
08:12:22:050 0012 IRP_MJ_LOCK_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_CLEANUP : 851A5AC8
08:12:22:050 0012 IRP_MJ_CREATE_MAILSLOT : 851A5AC8
08:12:22:050 0012 IRP_MJ_QUERY_SECURITY : 851A5AC8
08:12:22:050 0012 IRP_MJ_SET_SECURITY : 851A5AC8
08:12:22:050 0012 IRP_MJ_POWER : 851A5AC8
08:12:22:050 0012 IRP_MJ_SYSTEM_CONTROL : 851A5AC8
08:12:22:050 0012 IRP_MJ_DEVICE_CHANGE : 851A5AC8
08:12:22:050 0012 IRP_MJ_QUERY_QUOTA : 851A5AC8
08:12:22:050 0012 IRP_MJ_SET_QUOTA : 851A5AC8
08:12:22:050 0012 Driver "atapi" infected by TDSS rootkit!
08:12:22:073 0012 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
08:12:22:073 0012 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
08:12:22:073 0012 Processing driver file: C:\Windows\system32\drivers\atapi.sys
08:12:22:663 0012 vfvi6
08:12:22:793 0012 dsvbh1
08:12:23:354 0012 fdfb1
08:12:23:354 0012 Backup copy found, using it..
08:12:23:363 0012 will be cured on next reboot
08:12:23:365 0012 Reboot required for cure complete..
08:12:23:374 0012 Cure on reboot scheduled successfully
08:12:23:374 0012
08:12:23:374 0012 Completed
08:12:23:375 0012
08:12:23:375 0012 Results:
08:12:23:375 0012 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:12:23:376 0012 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:12:23:376 0012 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:12:23:376 0012
08:12:23:376 0012 fclose_ex: Trying to close file C:\Windows\system32\config\system
08:12:23:377 0012 fclose_ex: Trying to close file C:\Windows\system32\config\software
08:12:23:377 0012 UnloadDriverW: NtUnloadDriver error 1
08:12:23:379 0012 KLMD(ARK) unloaded successfully


Report •

#27
April 17, 2010 at 08:50:54
Are you still being redirected?

Please download ComboFix with Internet Explorer instead of any other browser if possible.

Remember: your Norton antivirus, Windows Defender, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Report •

#28
April 17, 2010 at 09:40:56
OK so ComboFix will not run the scan because the blue screen pops up with an error


Report •

#29
April 17, 2010 at 09:45:43
Scratch that, I put it on Facebook for a lack of better know-how to show you
http://www.facebook.com/photo.php?p...

Report •

#30
April 17, 2010 at 09:49:37
Are you still being redirected?

Report •

#31
April 17, 2010 at 21:31:16
Not being redirected, but I am getting pop-ups and I'm using Safari. Is that normal?

Report •

#32
April 18, 2010 at 02:52:38
mmm - coming in briefly on this one as it's not my area of knowledge by any means.. But "jabuck's" info does seem to have been pretty intensive - to his/her credit too.

Meanwhile... While running any/all of the clean out routines as above (not that familiar with Combofix - what exactly is it) - might it not be useful to disable System Restore until the problems/pests have been eliminated on this occasion? i.e. Once google redirect has been resolved, and full malware/virus scan completed too..., then reboot and re-enable System Restore?

Disabling SR will prevent any residuals being re-installed/replaced that were noted to be missing by System Restore (SR) and deemed to be essential - and thus "restored" by SR...?


Report •

#33
April 18, 2010 at 08:06:28
Download GMER from the following location and save it to your desktop.

GMER.exe


1. Right-click on the gmer.zip icon and select Extract all.
You will be shown a screen asking how you would like to extract the file. Just keep pressing the Next button until you get to the last screen and then press the Finish button to finish the extraction process. The GMER folder should automatically open and you will see that it contains the file called gmer.exe.

2. Please double-click on the gmer.exe program. Once you double-click the icon a Windows security warning may appear asking if you are sure you would like to run the program. If this warning appears, please click on the Run button to allow GMER to start. If no warning appeared then you should just continue with the guide.

3. You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings. Please uncheck the following settings that we do not want in our scan.
•Sections
•IAT/EAT
•Drives/Partition other than Systemdrive, which is typically C:\
•Show All (This is important, so do not miss it.)

4. Click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient.

5. You now need to save the rootkit scan report to your Desktop by clicking on the Save button. A screen will open asking where you would like to save the report. Choose to save it to the desktop, then in the file name field type help.txt

Finally, press the Save button to save the report to your desktop then post the results.

Please do not act on any of the information you find in this report as many legitimate programs could be listed in it.


Report •

#34
April 19, 2010 at 06:46:31
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 06:46:22
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\first\AppData\Local\Temp\uxldypod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8D82350A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8D82332E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8D823468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 851E2AC8

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X4GW9970\realtor_com[1].htm 0 bytes
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Report •

#35
April 19, 2010 at 19:01:02
Do you have a Windows CD or a reinstallation CD? We may need it to replace a system file.

Download SystemLook.exe from the following link.


SystemLook.exe


1. Double-click SystemLook.exe to run it.
2. Copy the content of the following code between the X's into the main text field:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:filefind
atapi*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3. Click the Look button to start the scan.
4. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Report •

#36
April 19, 2010 at 20:15:04
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:09 on 19/04/2010 by first (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [04:44 09/04/2010] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [05:38 02/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.svs --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [16:08 17/04/2010] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9

-=End Of File=
I don't have a reinstallation CD.
So all this stuff is affecting my computer. You mind telling me what you think is going on with my computer? I'm going to be getting into the programming field soon when I get out of the USMC.


Report •

#37
April 20, 2010 at 03:52:05
You have an infected system file.

Run this batch file in safe mode:

Let's create a batch file:
Open Notepad
Copy and paste the following text between the X's:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@echo off
rem stage the known-good DriverStore copy at C:\atapi.sys, then overwrite the live driver
cd /d C:\
copy /y C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys C:\atapi.sys
cd /d C:\windows\system32\drivers
copy /y C:\atapi.sys atapi.sys
rem del %0 must be the last line: an exit before it would end the batch without deleting it
del %0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Change "Save as type" to All Files
Save it as fix.bat to the desktop
Locate the file on your desktop and double click it.
The file should delete itself after use.


Then re-run Gmer and post the results.


Report •
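Before overwriting the live driver with the DriverStore copy, as the batch in #37 does, a practitioner would first compare the copies SystemLook listed in #36. Below is an added Python example (not part of the thread, nor of SystemLook or any other tool used here) that parses that posted filefind output, groups the copies of atapi.sys by MD5, checks the live driver against the DriverStore/winsxs copies and flags any oddly named file in the drivers folder; naming the two timestamps created/modified is an assumption inferred from how copied files in the log behave.

```python
"""Cross-check the copies of one system driver listed by SystemLook ':filefind'.

Added example written for this thread; it is not part of SystemLook, GMER,
TDSSKiller or ComboFix. SAMPLE_LOG is the SystemLook output posted in reply
#36, with the lines that had been wrapped during extraction joined again.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:09 on 19/04/2010 by first (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [04:44 09/04/2010] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [05:38 02/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.svs --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [16:08 17/04/2010] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:21 21/01/2008] [02:21 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9

-=End Of File=
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
# Assumption: in the posted log the first timestamp behaves like creation time
# (fresh on copied files) and the second like last-write time, hence the names.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")  # file version embedded in winsxs-style paths


def parse_filefind(log_text):
    """Return one dict per file entry; header and footer lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            v = VERSION_RE.search(e["path"])
            e["version"] = v.group(1) if v else None
            entries.append(e)
    return entries


def analyse(entries, driver="atapi.sys"):
    """Compare the live driver with the DriverStore/winsxs copies of the same name."""
    live = None
    odd_names = []                  # files in the drivers folder whose name is not exactly `driver`
    reference = defaultdict(list)   # md5 -> reference copies carrying that hash
    for e in entries:
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\system32\\drivers\\" in low:
            if name == driver.lower():
                live = e
            else:
                odd_names.append(e["path"])
        elif "\\driverstore\\filerepository\\" in low or "\\winsxs\\" in low:
            reference[e["md5"]].append(e["path"])
    return {
        "live": live,
        "reference_hashes": dict(reference),
        # the bytes read from disk match some installed-from copy of the driver
        "live_matches_reference": live is not None and live["md5"] in reference,
        # last-write time differs from creation time: the file was rewritten after install
        "live_rewritten": live is not None and live["modified"] != live["created"],
        "odd_names": odd_names,
    }


def report(result):
    """Human-readable summary of analyse()'s findings."""
    live = result["live"]
    if live is None:
        return ["live driver not found in the log"]
    lines = [f"live driver: {live['path']} {live['size']} bytes md5={live['md5']}",
             f"  rewritten after install: {result['live_rewritten']} (modified {live['modified']})",
             f"  hash matches a DriverStore/winsxs copy: {result['live_matches_reference']}"]
    for md5, paths in result["reference_hashes"].items():
        lines.append(f"reference md5={md5}: {len(paths)} copy/copies")
    for p in result["odd_names"]:
        lines.append(f"odd file name in drivers folder, inspect: {p}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(parse_filefind(SAMPLE_LOG)))))
```

A matching hash taken on the running system is not proof that the file is clean: a kernel rootkit that has hooked the disk driver's dispatch table (the TDSSKiller output in #26 shows every IRP_MJ handler of atapi pointing at one address) can hand back the original bytes when the infected file is read, so hashes should be rechecked from a boot outside the infected system.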

#38
April 22, 2010 at 11:30:32
Hey, I ran the file that was named fix.bat
and tried to run GMER like 3 times and it completely freezes my computer and it just won't do anything.
I feel hopeless.

Report •

#39
April 22, 2010 at 14:07:38
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-22 14:03:05
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\first\AppData\Local\Temp\uxldypod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8D83350A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8D83332E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8D833468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 851E2AC8

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Report •

#40
April 22, 2010 at 14:10:37
So you ran the batch, and besides GMER not running, will Windows boot and run? Are you using the infected computer to post?

Report •

#41
April 22, 2010 at 19:21:18
I got GMER to run and posted it ^. Yes, I am using the infected computer to post, sorry, only option.

Report •

#42
April 22, 2010 at 20:12:18
OK, let's try it a different way.

Remember to go offline. Your Norton or Avira antivirus, Windows Defender, Ad-Aware and any other real-time antispyware programs that you may have must be turned off or disabled before running ComboFix.


Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
FCOPY::
C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys | c:\windows\system32\drivers\atapi.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Restart your protection.

Let me know if the pop-ups stop.


Report •

#43
April 23, 2010 at 10:02:12
ComboFix 10-04-21.01 - first 04/23/2010 9:48.7.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2550.1584 [GMT -7:00]
Running from: c:\users\first\Desktop\ComboFix.exe
Command switches used :: c:\users\first\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\partmgr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 06:23 . 2008-01-21 02:22 56376 ----a-w-
c:\windows\system32\drivers\partmgr.sys
2010-04-17 16:08 . 2008-01-21 02:21 21560 ----a-w-
c:\windows\system32\drivers\atapi.sys
2010-04-08 00:47 . 2010-04-08 00:47 32 --sha-w-
c:\windows\system32\drivers\fidbox.idx
2010-04-06 13:57 . 2010-04-06 13:55 112 ----a-w-
c:\programdata\2Rpgg0Q.dat
2010-04-05 15:17 . 2010-04-05 15:17 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-30 15:16 . 2006-11-02 12:35 -------- d-----w-
c:\program files\MSBuild
2010-03-30 13:32 . 2006-11-02 11:18 -------- d-----w-
c:\program files\Windows Mail
2010-03-30 13:31 . 2006-11-02 10:25 665600 ----a-w-
c:\windows\inf\drvindex.dat
2010-03-30 03:43 . 2010-03-30 03:43 0 ---ha-w-
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-09 16:28 . 2010-03-30 23:56 833024 ----a-w-
c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 23:56 78336 ----a-w-
c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 23:56 26624 ----a-w-
c:\windows\system32\ieUnatt.exe
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w-
c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w-
c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w-
c:\windows\system32\dns-sd.exe
2010-01-25 12:48 . 2010-03-29 16:17 472576 ----a-w-
c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-03-29 16:17 151040 ----a-w-
c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-03-29 16:17 151040 ----a-w-
c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-03-29 16:17 472064 ----a-w-
c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-03-29 16:17 329216 ----a-w-
c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-03-29 16:17 346624 ----a-w-
c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-03-29 16:17 523776 ----a-w-
c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-03-29 16:17 511488 ----a-w-
c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-03-29 16:17 347136 ----a-w-
c:\windows\system32\RMActivate_ssp.exe
2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w-
c:\windows\Users\Default\NTUSER.DAT
.
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-08 1265264]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7CAFE3C5-84BF-48E5-B26F-69A69A56C4B9}]
yzud.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{9F8C095C-013A-464E-BA8E-668C5D90767D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:23]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-klmdb.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-OEMInformation - c:\windows\oem_uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 09:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\atapi]
"ImagePath"="system32\drivers\tskCEAA.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-23 09:58:48
ComboFix-quarantined-files.txt 2010-04-23 16:58

Pre-Run: 60,466,630,656 bytes free
Post-Run: 60,587,184,128 bytes free

- - End Of File - - B218973D9FDD22217E115F9C9DBB7E52



#44
April 23, 2010 at 10:05:13
It seems the pop-ups are gone and the redirect is gone as well, so far. It's been 20 min of Google searches and no redirect. What do you think was causing it, and why was it so hard to destroy?

#45
April 23, 2010 at 19:14:56

It was the system file we deleted and reinstalled.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Yes, run this cleaner also.

Please download TFC by Old Timer from the following link and save it to your desktop.

TFC by Old Timer



1. Save any unsaved work. TFC will close ALL open programs, including your browser.

2. Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.

3. Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

4. Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#46
April 23, 2010 at 22:52:47
"jabuck"

I think you deserve a gold star for this one... A lot of time, persistence - and more than a little know-how/what to do involved too... I learned a lot from this one myself...

My compliments to you!



#47
April 24, 2010 at 11:01:49
OK, so my computer was running great all last night. I woke up this morning and read your final instructions; the second cleaner ran and instructed a restart, and so I did. Now my computer will not run Windows. It gives this error:
\windows\system32\drivers\tskCEAA.tmp
windows failed to load because a critical system driver is missing or corrupt
Oh, and I don't have the installation disk, so I can't go through the steps my computer is telling me to.

Sorry, and thanks for continuing to help me.

#48
April 24, 2010 at 17:35:53
Please post the steps the computer is asking you to go through or just a brief description.


#49
April 24, 2010 at 18:53:18
windows failed to start. a recent hardware or software change might be the cause. to fix the problem:
1 insert windows installation disk and restart computer
2 choose your language
3 click "repair your computer"
if you do not have your disk contact system administrator or computer manufacturer for assistance

file: \windows\system32\drivers\tskceaa.tmp

status: pzc000000f
info: windows failed to load because a critical system driver is missing or corrupt

OK, that's the first screen. The second screen offers to run Microsoft Windows Vista, which I choose, and it goes back to the first screen.

The second is to press Tab for a menu in which you can choose diagnostics, and last, I can press Esc and get the options that I have seen before, which are normal mode, safe mode, last good config, etc.

#50
April 24, 2010 at 19:51:03
Choose "last known good configuration" and see if it will reboot.


#51
April 24, 2010 at 21:16:05
Nope nothing it just goes back to that screen


#52
April 25, 2010 at 16:11:57
It looks like a corrupt registry, but let's look for a file first.

When you ran ComboFix, access to the recovery console was created so that you could recover system files on the computer.

Shut down the computer> wait 30 seconds> restart the computer> a brief option screen will appear (so be ready) with two options to boot from:

Recovery console
Windows Vista

Quickly click recovery console.

It will now boot to the recovery console with only a command prompt.

We want to look for this file "atapi.sys" to verify that it exists, so once you type in dir /p you will be able to scroll through the folder one page at a time. At the command prompt type the following one line at a time and press enter after each line. (Note: there is a space after cd and dir that is needed.)


cd c:\
cd windows
cd system32
cd drivers
dir /p


Once you finish looking for the file, type exit then press enter to exit.

Let me know if you find the atapi.sys file.

#53
April 25, 2010 at 18:49:31
Big problem: the only screen I see comes up as Windows Boot Manager. It then gives Microsoft Windows Vista and that's it; then you can press Tab and choose Windows Memory Diagnostic.

#54
April 25, 2010 at 19:30:02
This file "tskceaa.tmp" has nothing to do with Windows. I suspect that this was installed by the virus and has routed access to the drivers file through itself with a .tmp file, so that when the .tmp file was removed the access to the atapi.sys file was severed. We could probably solve this with a Windows CD or by system restore.

If you still have the option to "repair" the computer, as you said you had in response #49, run the repair.
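As an added illustration of the redirection jabuck describes (example code written for this page, not from the thread or from ComboFix): it parses REGEDIT4-style service keys such as the ControlSet004\Services\atapi entry in the log above and flags any driver ImagePath that is not a .sys file, sits outside system32\drivers, or differs from a baseline. The SAMPLE_EXPORT text, the EXPECTED_BOOT_DRIVERS baseline and the function names are constructed for this example; running such a check before deleting a suspicious file is what shows that removing the .tmp will leave the driver service pointing at nothing.

```python
import re
from typing import Dict, List

# Constructed sample: the log's redirected atapi entry plus a healthy partmgr entry.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\atapi]
"ImagePath"="system32\drivers\tskCEAA.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partmgr]
"ImagePath"="system32\drivers\partmgr.sys"
"""

# Assumed baseline: where these boot-start drivers live on a clean install.
EXPECTED_BOOT_DRIVERS = {
    "atapi": r"system32\drivers\atapi.sys",
    "partmgr": r"system32\drivers\partmgr.sys",
}
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"\s*$')

def parse_image_paths(export: str) -> Dict[str, str]:
    """Map service name -> ImagePath for every Services subkey in the export."""
    paths, service = {}, None
    for line in export.splitlines():
        key = KEY_RE.match(line)
        if key:  # new key: remember the name only for Services\ subkeys
            idx = key.group(1).lower().rfind("\\services\\")
            service = key.group(1)[idx + len("\\services\\"):] if idx >= 0 else None
            continue
        value = IMAGEPATH_RE.match(line)
        if value and service:
            paths[service] = value.group(1)
    return paths

def suspicious_reasons(service: str, image_path: str) -> List[str]:
    """Explain why a driver ImagePath looks redirected; [] means it passes."""
    reasons: List[str] = []
    path = image_path.lower().replace("/", "\\")
    # The loader needs a real .sys here; pointing atapi at a .tmp is what
    # left this machine unbootable once the temp file was removed.
    if not path.endswith(".sys"):
        reasons.append("extension is not .sys")
    if "\\drivers\\" not in path:
        reasons.append("not under system32\\drivers")
    expected = EXPECTED_BOOT_DRIVERS.get(service.lower())
    if expected and path != expected.lower():
        reasons.append(f"expected {expected}")
    return reasons

def audit(export: str) -> Dict[str, List[str]]:
    """Return only the services whose ImagePath fails at least one check."""
    results = {svc: suspicious_reasons(svc, p) for svc, p in parse_image_paths(export).items()}
    return {svc: r for svc, r in results.items() if r}
```

On a live machine the same checks would be run against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` taken from the recovery environment, and a flagged entry is repaired by restoring the ImagePath and the real driver file before any quarantine step.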

#55
April 25, 2010 at 19:35:54
That's if you have the CD, and I don't remember. Am I completely out of luck?

#56
April 25, 2010 at 20:24:17
No, there are several other options but it is late for me and I have to call it a day very shortly. I have a long day tomorrow but should be in about 8:30. We can download a boot cd then that will run on your computer.


#57
April 25, 2010 at 20:35:37
OK, thank you. I do have a Mac and an external hard drive, so I'm ready to go. Thanks again, man.

#58
April 26, 2010 at 15:16:46
You will need a flash drive to move information from the infected computer to a working computer, so we can see the progress of our actions. Save these instructions in your flash drive as a text file (use notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

a. Download ISOBurner from this link.

ISO Burner


b. For ISOBurner Instructions read the following link.

Burner Instructions

c. Install the program, and follow the next set of steps.

Second

a. Download OTLPE.iso from this link

OTLPE.iso


b. Burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
c. When downloaded double click and this will then open ISOBurner to burn the file to CD
d. Boot the non-working computer using the boot CD you just created.
e. In order to do so, the computer must be set to boot from the CD first

f. Your system should now display a REATOGO-X-PE desktop.
g. Double-click on the OTLPE icon.
h. When asked "Do you wish to load the remote registry", select Yes
i. When asked "Do you wish to load remote user profile(s) for scanning", select Yes
j. Ensure the box "Automatically Load All Remaining Users" is checked and press OK
k. OTL should now start. Change the following settings
Change Drivers to All
Change Registry to All
Under the Custom Scan box paste this in.

/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
userinit.exe
explorer.exe
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
%systemroot%\System32\config\*.sav

Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive.
Please post the contents of the C:\OTL.txt file in your reply.



#59
April 27, 2010 at 18:54:02
OK, I did everything and have the disk, and I can get to the desktop, but when I click on OTLPE I get a browse for folder box, and I go to reatogope and find the folder otlpe and it says target is not windows2000 or later.

#60
April 29, 2010 at 07:02:15
OK, so here I am again; scratch that report up there.

Through the icon OTLPE on the desktop I managed nothing, like I said up there, but when I went to the actual folder and clicked on the icon, it started. The options it gave were semi-different from what you said; for example:

h. When asked "Do you wish to load the remote registry", select Yes
i. When asked "Do you wish to load remote user profile(s) for scanning", select Yes

Both of these were not asked or there at all as far as I could see, but the rest were, and I copied and pasted the prescribed commands in the custom scan box and ran the scan.

It went well until the log file at the bottom of the scan box said "creating log, complete", and so I went to where you said it would be and there was no log file. I also did a search on the computer and found nothing.

So if you would give more instruction it, as always, would be appreciated.
Thanks

#61
April 30, 2010 at 19:24:53
I have not abandoned your post. We are working 14 hr days but are supposed to cut back to 11 hr days tomorrow; I'll try to post then.

#62
May 4, 2010 at 17:29:31
Still there? The computer is still dead. Help when you can, please.

#63
May 10, 2010 at 17:46:09
Hopefully only a week left of long hrs.
