Google Result Redirect

January 1, 2010 at 10:59:14
Specs: Windows Vista
It seems I picked up that annoying virus that redirects my Google search results. Any help anyone can give me on how to fix this would be greatly appreciated.


#1
January 1, 2010 at 11:21:25
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.


#2
January 1, 2010 at 12:35:24
Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 6.0.6002 Service Pack 2

1/1/2010 2:22:55 PM
mbam-log-2010-01-01 (14-22-55).txt

Scan type: Quick Scan
Objects scanned: 76504
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#3
January 1, 2010 at 12:36:58
info.txt logfile of random's system information tool 1.06 2010-01-01 14:23:45

======Uninstall list======

-->MsiExec /X{B83FC356-B7C0-441F-8A4D-D71E088E7974}
µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware-->"C:\ProgramData\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\ProgramData\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Baldur's Gate Tutu-->C:\Windows\IsUninst.exe -f"C:\Program Files\BaldursGateTutu\Uninst.isu"
Baldur's Gate(TM) II - Throne of Bhaal (TM)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Baldur's Gate-->C:\Windows\IsUninst.exe -f"C:\Program Files\Black Isle\Baldur's Gate\Uninst.isu"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Codec Pack - All In 1 6.0.3.0-->C:\Windows\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
Curse Client-->C:\Program Files\Curse\uninstall.exe
DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe
Dealio Toolbar v4.0-->MsiExec.exe /X{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dragon Age: Origins Character Creator-->"C:\Program Files\Common Files\BioWare\Uninstall Dragon Age Character Creator.exe"
Dragon Age: Origins-->C:\Program Files\Common Files\BioWare\Uninstall Dragon Age.exe
Fallout 3 - The Garden of Eden Creation Kit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B343B0E3-212A-40B9-8207-1BD299228F5D}\setup.exe" -l0x9 -removeonly
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
Fallout Mod Manager 0.9.15-->"C:\Fallout 3\fomm\uninstall\unins000.exe"
GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Icewind Dale - Heart of Winter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{433BF933-81D6-4646-A318-3DE5DB6108F2}\setup.exe"
Icewind Dale II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{588C135F-0B15-4A02-8F2D-04697BE2904E}\setup.exe" -l0x9
Icewind Dale-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{433BF933-81D6-4646-A318-3DE5DB6108F2}\setup.exe"
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
LimeWire 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe"
Magic Workstation 0.94f-->"C:\Program Files\Magic Workstation\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Player Codec Pack 3.6.0-->C:\Windows\system32\C2MP\Uninst.exe
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{B578C85A-A84C-4230-A177-C5B2AF565B8C}
Microsoft Games for Windows - LIVE-->MsiExec.exe /X{B45FABE7-D101-4D99-A671-E16DA40AF7F0}
Microsoft Halo-->"C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Mozilla Firefox (3.0.15)-->C:\Users\Administrator\Desktop\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MTG GamePack for Magic Workstation-->"C:\Program Files\Magic Workstation\unins001.exe"
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{B83FC356-B7C0-441F-8A4D-D71E088E7974}
NVIDIA Stereoscopic 3D Driver-->C:\Windows\system32\nvStInst.exe /uninstall /ask
Oblivion - Horse Armor Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.12-->"C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
PeerGuardian 2.0-->"C:\Program Files\PeerGuardian2\unins000.exe"
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Search Settings 1.2.1-->MsiExec.exe /X{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 1.0.1-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = [2008-08-22]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
O2 - BHO: (no name) - {CAD95420-BA9A-4F62-B60A-B9D96B06566F} - C:\Windows\system32\yaywvwtr.dll [2008-08-22]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
O1 - Hosts: ::1 localhost [2008-08-22]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local [2008-08-22]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
O2 - BHO: {6262c7f5-3775-ab1b-6234-f18b14e3cd36} - {63dc3e41-b81f-4326-b1ba-57735f7c2626} - C:\Windows\system32\qfhvga.dll [2008-08-22]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [2008-08-22]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-08-22]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll [2008-08-22]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [2008-08-22]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... [2008-08-22]
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbxVnMCU.dll,#1 [2008-08-22]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [2008-08-22]
O13 - Gopher Prefix: [2008-08-22]
O3 - Toolbar: Mirar - {A9FFA716-4317-4417-A7E0-7E8A7B2D6BF9} - C:\Windows\system32\wineg75.dll [2008-08-22]
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-08-22]
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd [2008-08-22]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-08-22]
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [2008-08-22]
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-08-22]
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe [2008-08-22]
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-08-22]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [2008-08-22]
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') [2008-08-22]
O4 - HKLM\..\Run: [{d11efc90-a8da-3598-32ee-3634245f54d5}] C:\Windows\System32\Rundll32.exe "C:\Windows\system32\cxingdenfy.dll" DllStart [2008-08-22]
O4 - HKLM\..\Run: [runner1] C:\Windows\faceback1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 [2008-08-22]
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [2008-08-22]
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [2008-08-22]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [2008-08-22]
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') [2008-08-22]
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2008-08-22]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-08-22]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll [2008-08-22]
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-22]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL [2008-08-22]
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-08-22]
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2008-08-22]
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll [2008-08-22]
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-08-22]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-08-22]
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-08-22]
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [2008-08-22]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g... [2008-08-22]
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [2008-08-22]
O4 - HKLM\..\Run: [0a7c4339] rundll32.exe "C:\Windows\system32\ymdvtria.dll",a [2008-08-22]
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [2008-08-22]
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll [2008-08-22]
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe [2008-08-22]
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe [2008-08-22]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab [2008-08-22]
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2008-08-22]
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-08-22]
O4 - HKLM\..\Run: [BM094f70a5] Rundll32.exe "C:\Windows\system32\dyfijmnk.dll",s [2008-08-22]
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe [2008-08-22]
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe [2008-08-22]
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') [2008-08-22]
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-08-22]
O2 - BHO: radbanner browser enhancer - {d0778a2b-75b7-94ac-ea6e-2a7331e620c5} - C:\Windows\system32\cxingdenfy.dll [2008-08-22]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Lavasoft Ad-Watch Live! (disabled)
AS: Windows Defender
AS: SUPERAntiSpyware (disabled)

======System event log======

Computer Name: PatMoore-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 223
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090715021000.060510-000
Event Type: Error
User:

Computer Name: 26L2233B1-13
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 14
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090715040226.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B1-13
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 13
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090715040226.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B1-13
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 12
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090715040221.525646-000
Event Type: Error
User:

Computer Name: 26L2233B1-13
Event Code: 263
Message: The service 'ShellHWDetection' may not have unregistered for device event notifications before it was stopped.
Record Number: 11
Source Name: PlugPlayManager
Time Written: 20090715040221.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: PatMoore-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3460322775-3498566274-224670622-500_Classes:
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3460322775-3498566274-224670622-500_CLASSES

Record Number: 75
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090715023114.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: PatMoore-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-3460322775-3498566274-224670622-500:
Process 500 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3460322775-3498566274-224670622-500
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3460322775-3498566274-224670622-500

Record Number: 74
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090715023109.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: PatMoore-PC
Event Code: 1000
Message: Faulting application Fallout3.exe, version 1.6.0.3, time stamp 0x4a147392, faulting module XINPUT1_3.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc0000135, fault offset 0x00009cac, process id 0xc04, application start time 0x01ca04f33512548b.
Record Number: 64
Source Name: Application Error
Time Written: 20090715022318.000000-000
Event Type: Error
User:

Computer Name: PatMoore-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 27
Source Name: Microsoft-Windows-WMI
Time Written: 20090715021033.000000-000
Event Type: Error
User:

Computer Name: PatMoore-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 21
Source Name: Microsoft-Windows-Search
Time Written: 20090715021014.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: 26L2233B1-13
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: 26L2233B1-13$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x21c
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715040135.037348-000
Event Type: Audit Success
User:

Computer Name: 26L2233B1-13
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0x11d55d
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715040124.850483-000
Event Type: Audit Success
User:

Computer Name: 26L2233B1-13
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715040122.058065-000
Event Type: Audit Success
User:

Computer Name: 26L2233B1-13
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715040122.042465-000
Event Type: Audit Success
User:

Computer Name: 26L2233B1-13
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1f2f0

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080121025830.171200-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_REVISION"=4303
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------



#4
January 1, 2010 at 12:39:27
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-01-01 14:23:37
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 105 GB (22%) free of 477 GB
Total RAM: 2046 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:44 PM, on 1/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Users\Administrator\Desktop\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe

--
End of file - 5225 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
Dealio Toolbar - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll [2009-04-09 688128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
SearchSettings Class - C:\Program Files\Search Settings\kb128\SearchSettings.dll [2009-04-09 1091584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - Dealio Toolbar - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll [2009-04-09 688128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-06-10 13785632]
"SearchSettings"=C:\Program Files\Search Settings\SearchSettings.exe [2009-04-09 970240]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-06-23 1830128]
"CurseClient"=C:\Program Files\Curse\CurseClient.exe [2009-06-08 1934336]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6717b4-70f3-11de-b095-806e6f6e6963}]
shell\AutoRun\command - E:\baldur.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51f1493f-bc47-11de-a276-001fc6a441bc}]
shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95bfc566-a4b8-11de-8044-001fc6a441bc}]
shell\AutoRun\command - G:\autorun.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-01-01 14:23:37 ----D---- C:\rsit
2010-01-01 13:29:34 ----D---- C:\Windows\pss
2010-01-01 01:07:37 ----D---- C:\Program Files\DominateGame
2009-12-19 14:51:14 ----D---- C:\Users\Administrator\AppData\Roaming\Search Settings
2009-12-15 15:31:41 ----HD---- C:\Windows\PIF
2009-12-14 22:16:18 ----D---- C:\Program Files\Mozilla Firefox
2009-12-14 22:14:51 ----D---- C:\ProgramData\b17c51d

======List of files/folders modified in the last 1 months======

2010-01-01 14:23:44 ----D---- C:\Windows\Prefetch
2010-01-01 14:10:14 ----D---- C:\Windows\system32\catroot2
2010-01-01 14:09:18 ----D---- C:\Windows\System32
2010-01-01 14:09:18 ----D---- C:\Windows\inf
2010-01-01 14:09:18 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-01 14:03:16 ----D---- C:\World Of Warcraft
2010-01-01 14:03:16 ----D---- C:\Program Files\Curse
2010-01-01 14:01:59 ----D---- C:\ProgramData\NVIDIA
2010-01-01 14:01:28 ----D---- C:\Windows\winsxs
2010-01-01 14:01:27 ----D---- C:\Windows\system32\Msdtc
2010-01-01 14:01:23 ----D---- C:\Windows\system32\wbem
2010-01-01 14:01:23 ----D---- C:\Windows
2010-01-01 13:57:05 ----D---- C:\Windows\system32\config
2010-01-01 13:55:40 ----SD---- C:\Windows\Downloaded Program Files
2010-01-01 13:55:40 ----RSD---- C:\Windows\Media
2010-01-01 13:55:35 ----D---- C:\Windows\Tasks
2010-01-01 13:55:35 ----D---- C:\Windows\system32\Tasks
2010-01-01 13:55:35 ----D---- C:\Windows\system32\spool
2010-01-01 13:55:35 ----D---- C:\Windows\system32\drivers
2010-01-01 13:55:34 ----D---- C:\Windows\system32\CodeIntegrity
2010-01-01 13:55:34 ----D---- C:\Windows\rescache
2010-01-01 13:55:33 ----SHD---- C:\Windows\Installer
2010-01-01 13:55:26 ----D---- C:\Users\Administrator\AppData\Roaming\vlc
2010-01-01 13:55:26 ----D---- C:\Users\Administrator\AppData\Roaming\uTorrent
2010-01-01 13:55:19 ----RD---- C:\Program Files
2010-01-01 13:55:19 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-01-01 13:55:19 ----D---- C:\Program Files\uTorrent
2010-01-01 13:55:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-01 13:55:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-01 13:55:19 ----D---- C:\Program Files\Dealio Toolbar
2010-01-01 13:55:19 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-01 13:55:19 ----D---- C:\Program Files\BaldursGateTutu
2010-01-01 13:54:54 ----D---- C:\Windows\registration
2010-01-01 13:54:47 ----D---- C:\Program Files\Windows Media Player
2010-01-01 13:41:58 ----D---- C:\Windows\Temp
2010-01-01 13:39:40 ----SHD---- C:\System Volume Information
2010-01-01 12:54:25 ----SD---- C:\Users\Administrator\AppData\Roaming\Microsoft
2009-12-15 18:44:50 ----D---- C:\Windows\Debug
2009-12-14 22:15:39 ----HD---- C:\ProgramData
2009-12-05 16:29:58 ----D---- C:\Windows\Microsoft.NET
2009-12-05 16:29:53 ----RSD---- C:\Windows\assembly
2009-12-05 15:58:49 ----D---- C:\Windows\system32\catroot
2009-12-05 15:56:06 ----D---- C:\Windows\system32\zh-TW
2009-12-05 15:56:06 ----D---- C:\Windows\system32\zh-HK
2009-12-05 15:56:06 ----D---- C:\Windows\system32\uk-UA
2009-12-05 15:56:06 ----D---- C:\Windows\system32\tr-TR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\th-TH
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sv-SE
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sr-Latn-CS
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sl-SI
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sk-SK
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pt-PT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pt-BR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pl-PL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\nl-NL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\lv-LV
2009-12-05 15:56:06 ----D---- C:\Windows\system32\lt-LT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\ko-KR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\it-IT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\hu-HU
2009-12-05 15:56:06 ----D---- C:\Windows\system32\hr-HR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\he-IL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\fr-FR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\fi-FI
2009-12-05 15:56:06 ----D---- C:\Windows\system32\et-EE
2009-12-05 15:56:06 ----D---- C:\Windows\system32\es-ES
2009-12-05 15:56:06 ----D---- C:\Windows\system32\el-GR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\bg-BG
2009-12-05 15:56:05 ----D---- C:\Windows\system32\zh-CN
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ru-RU
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ro-RO
2009-12-05 15:56:05 ----D---- C:\Windows\system32\nb-NO
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ja-JP
2009-12-05 15:56:05 ----D---- C:\Windows\system32\de-DE
2009-12-05 15:56:05 ----D---- C:\Windows\system32\da-DK
2009-12-05 15:56:05 ----D---- C:\Windows\system32\cs-CZ
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ar-SA

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-08-01 1052704]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-06-10 9899296]
R3 rt61x86;RT61 Wireless Driver for Windows Vista; C:\Windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
S3 a8c8h1wo;a8c8h1wo; C:\Windows\system32\drivers\a8c8h1wo.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [2007-06-02 8192]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-22 1028432]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-06-10 211488]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Windows\System32\nvSCPAPISvr.exe [2009-06-10 232960]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

-----------------EOF-----------------



#5
January 1, 2010 at 13:16:23
I don't see an antivirus program running; to continue, you need to install one.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans. To do this, click the AVG icon in the systray (bottom right of your screen), then click Exit.

Go to Add/Remove Programs and uninstall these P2P programs, at least until we get the computer clean, as they are known to harbor spyware:

utorrent
Dealio Toolbar
LimeWire

Please download ComboFix with Internet Explorer instead of Firefox.

Remember: your AVG antivirus, Windows Defender, Spybot's TeaTimer and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#6
January 2, 2010 at 11:42:43
Here is the Log

ComboFix 09-12-31.A1 - Administrator 01/01/2010 17:55:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.928 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\temp\tn3

.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 22:51 . 2010-01-01 22:26 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-01 22:51 . 2010-01-01 22:26 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-01 22:51 . 2010-01-01 22:26 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-01 22:51 . 2010-01-01 22:26 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-01 22:51 . 2010-01-01 22:26 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-01 22:51 . 2010-01-01 22:26 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-01 22:27 . 2010-01-01 22:27 -------- d-----w- C:\$AVG
2010-01-01 22:27 . 2010-01-01 22:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-01 22:27 . 2010-01-01 22:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-01 22:26 . 2010-01-01 22:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\program files\AVG
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\programdata\avg9
2010-01-01 20:23 . 2010-01-01 20:23 -------- d-----w- C:\rsit
2010-01-01 07:07 . 2010-01-01 22:29 -------- d-----w- c:\program files\DominateGame
2009-12-19 20:51 . 2009-12-19 20:51 -------- d-----w- c:\users\Administrator\AppData\Roaming\Search Settings
2009-12-15 21:31 . 2009-12-15 21:31 -------- d--h--w- c:\windows\PIF
2009-12-15 04:14 . 2009-12-15 04:14 -------- d-----w- c:\programdata\b17c51d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 23:53 . 2009-07-15 10:32 32631 ----a-w- c:\programdata\nvModes.dat
2010-01-01 23:53 . 2009-07-15 03:42 -------- d-----w- c:\programdata\NVIDIA
2010-01-01 23:10 . 2008-10-17 03:40 -------- d-----w- c:\program files\Curse
2010-01-01 23:00 . 2009-07-22 05:16 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 22:19 . 2009-09-18 01:56 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-01-01 22:18 . 2008-08-17 20:35 -------- d-----w- c:\program files\LimeWire
2010-01-01 19:57 . 2009-07-15 05:31 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-01 19:55 . 2009-08-31 14:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-01-01 19:55 . 2009-09-27 17:00 -------- d-----w- c:\program files\BaldursGateTutu
2010-01-01 19:55 . 2009-07-22 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 19:55 . 2008-08-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:55 . 2008-08-21 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 19:55 . 2008-08-19 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:07 . 2009-09-20 01:05 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 18:42 . 2009-11-19 18:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
2009-11-14 07:34 . 2009-11-14 07:34 -------- d-----w- c:\programdata\BioWare
2009-11-13 23:49 . 2009-11-13 23:49 -------- d-----w- c:\programdata\Media Center Programs
2009-11-13 23:49 . 2008-08-23 17:54 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-13 23:44 . 2009-11-13 23:33 -------- d-----w- c:\program files\Dragon Age
2009-11-12 23:02 . 2009-09-10 18:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-11-11 04:23 . 2008-08-23 17:43 -------- d-----w- c:\program files\Mass Effect
2009-11-09 03:17 . 2008-08-25 18:35 -------- d-----w- c:\program files\DivX
2009-11-07 19:47 . 2009-10-31 06:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Winamp
2009-11-07 03:48 . 2009-11-07 03:48 -------- d--h--r- c:\users\Administrator\AppData\Roaming\SecuROM
2009-11-06 03:49 . 2009-11-06 03:48 -------- d-----w- c:\program files\Dragon Age Origins Character Creator
2009-10-26 02:31 . 2009-07-15 02:14 53736 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-19 05:22 . 2009-09-23 05:22 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 05:22 . 2009-09-23 05:22 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-01 22:51 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-06-23 16:01 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d9,92,38,fd,0f,05,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/21/2009 11:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/1/2010 4:26 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/1/2010 4:27 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 55024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2010 4:26 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/1/2010 4:26 PM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/26/2008 12:51 PM 333824]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2009 7:03 PM 721904]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2009 5:44 PM 25832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:22]

2010-01-01 c:\windows\Tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-Halo - c:\program files\Microsoft Games\Halo\UNINSTAL.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 18:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\ADMINI~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84819618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x879a0d24
\Driver\ACPI -> acpi.sys @ 0x8060bd68
\Driver\atapi -> ataport.SYS @ 0x8071aa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aif"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aifc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aiff"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4a"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4v"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp2"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp3"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mpg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wav"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv_e_1233158593_h_1d47b86e8c89d78c2aba9216bd2a5e7a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,49,c2,16,34,16,c7,2a,12,41,93,28,86,39,47,53,33,93,96,28,a1,
14,d6,37,53,48,45,c0,72,ee,3e,61,53,a5,fd,5f,32,34,f1,17,1d,a8,de,d9,48,ad,\
"rkeysecu"=hex:6c,e4,91,b9,69,d3,54,03,0c,a0,08,d7,09,81,20,a5
.
Completion time: 2010-01-01 18:11:05
ComboFix-quarantined-files.txt 2010-01-02 00:10

Pre-Run: 113,338,167,296 bytes free
Post-Run: 113,756,667,904 bytes free

- - End Of File - - A01D823ECA492509A82FF28DF172D68B


Unfortunately I'm still being redirected.


#7
January 2, 2010 at 12:11:11
Do you know what this is?:

c:\programdata\b17c51d

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
C:\Users\Administrator\AppData\Roaming\Search Settings

DIRLOOK::
c:\programdata\b17c51d

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Let me know if this suspends the redirecting. Also, did you download ComboFix with Internet Explorer or Firefox?


#8
January 2, 2010 at 12:20:55
About to run ComboFix, but I figured I would reply before I did to answer your questions.

No, I have no clue what c:\programdata\b17c51d is.

And yes, I made sure I downloaded ComboFix with IE rather than Firefox.


#9
January 2, 2010 at 12:43:37
Thanks for the follow-up.

#10
January 2, 2010 at 13:03:28
It seems as though the redirecting has stopped for now. However, there have been a few times I thought I had gotten it, only to have it reappear a few hours later. But yes, it does seem to have stopped.

Thank you very much for your assistance. It's been really obnoxious and I'll be glad to be rid of it.


#11
January 2, 2010 at 13:43:06
You are not completely clean; we need the results of the last ComboFix log.

#12
January 2, 2010 at 14:03:51
Oh, I thought it was strange, but when I came back to my PC after it had finished, it just showed my desktop and there was no log.

#13
January 2, 2010 at 14:18:17
Look for this file: C:\Combofix.txt. You may have two; we need the last one you ran. Copy/paste it onto the forum please.

#14
January 2, 2010 at 14:47:08
There is no file C:\Combofix.txt. In fact, I couldn't find any file named ComboFix on my computer except for the one I saved when I ran ComboFix the first time.

#15
January 2, 2010 at 15:20:36
OK, a little clean-up to do.

Delete RSIT from your desktop.

Go to Start > Run > type in ComboFix /Uninstall (note the space after ComboFix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, create a new restore point. Go to Start > Run > type in msconfig > OK > click Launch System Restore > check the circle beside "Create a restore point" > Next > name it today's date > Create > click Home > exit the System Configuration utility > restart the computer.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: SpywareBlaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.


#16
January 2, 2010 at 15:29:45
OK, so then does that mean I am clean?

Thanks very much for the help


#17
January 2, 2010 at 15:39:43
Yes, glad we could help.

#18
January 2, 2010 at 15:42:20
Ugh, I hate to be a pain, but I just started getting redirected again. Sorry.

#19
January 2, 2010 at 16:17:47
How far did you get on the clean-up?

#20
January 2, 2010 at 16:26:28
Everything except adding SpywareBlaster.

#21
January 2, 2010 at 18:48:01
Download and run RSIT and ComboFix as suggested in the previous post, and post their logs.

#22
January 2, 2010 at 18:58:49
Here's RSIT. I'll post ComboFix (downloaded from IE) next.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-01-02 20:59:46
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 176 GB (37%) free of 477 GB
Total RAM: 2046 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:52 PM, on 1/2/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Curse\CurseClient.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] "C:\Combo-Fix\CF3218.cfxxe" /c "C:\Combo-Fix\C.bat"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe

--
End of file - 4067 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-06-10 13785632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"combofix"=C:\Combo-Fix\CF3218.cfxxe /c C:\Combo-Fix\C.bat []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []
"CurseClient"=C:\Program Files\Curse\CurseClient.exe [2009-06-08 1934336]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-01-01 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\System32\avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-01-02 16:00:52 ----D---- C:\Windows\Minidump
2010-01-01 18:11:18 ----SHD---- C:\$RECYCLE.BIN
2010-01-01 18:11:14 ----D---- C:\Windows\temp
2010-01-01 17:53:37 ----D---- C:\Windows\ERDNT
2010-01-01 16:27:07 ----D---- C:\$AVG
2010-01-01 16:27:03 ----A---- C:\Windows\system32\avgrsstx.dll
2010-01-01 16:26:18 ----D---- C:\Program Files\AVG
2010-01-01 16:26:17 ----D---- C:\ProgramData\avg9
2010-01-01 14:23:37 ----D---- C:\rsit
2010-01-01 13:29:34 ----D---- C:\Windows\pss
2010-01-01 01:07:37 ----D---- C:\Program Files\DominateGame
2009-12-19 14:51:14 ----D---- C:\Users\Administrator\AppData\Roaming\Search Settings
2009-12-15 15:31:41 ----HD---- C:\Windows\PIF
2009-12-14 22:16:18 ----D---- C:\Program Files\Mozilla Firefox
2009-12-14 22:14:51 ----D---- C:\ProgramData\b17c51d

======List of files/folders modified in the last 1 months======

2010-01-02 20:59:52 ----D---- C:\Windows\Prefetch
2010-01-02 18:33:13 ----D---- C:\Windows\System32
2010-01-02 18:33:13 ----D---- C:\Windows\inf
2010-01-02 18:33:13 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-02 18:28:59 ----D---- C:\ProgramData\NVIDIA
2010-01-02 18:28:57 ----D---- C:\World Of Warcraft
2010-01-02 18:28:57 ----D---- C:\Program Files\Curse
2010-01-02 18:14:58 ----SHD---- C:\System Volume Information
2010-01-02 17:37:39 ----D---- C:\Windows
2010-01-02 16:43:02 ----SD---- C:\ProgramData\Microsoft
2010-01-02 15:52:16 ----D---- C:\Windows\system32\drivers
2010-01-01 18:06:53 ----A---- C:\Windows\system.ini
2010-01-01 18:06:01 ----RD---- C:\Program Files
2010-01-01 18:06:01 ----D---- C:\Temp
2010-01-01 18:02:10 ----D---- C:\Windows\AppPatch
2010-01-01 18:02:10 ----D---- C:\Program Files\Common Files
2010-01-01 16:26:17 ----D---- C:\ProgramData
2010-01-01 16:26:15 ----SHD---- C:\Windows\Installer
2010-01-01 16:24:38 ----SD---- C:\Users\Administrator\AppData\Roaming\Microsoft
2010-01-01 16:19:18 ----D---- C:\Users\Administrator\AppData\Roaming\uTorrent
2010-01-01 16:18:55 ----D---- C:\Program Files\LimeWire
2010-01-01 16:18:40 ----D---- C:\Windows\winsxs
2010-01-01 14:10:14 ----D---- C:\Windows\system32\catroot2
2010-01-01 14:01:27 ----D---- C:\Windows\system32\Msdtc
2010-01-01 14:01:23 ----D---- C:\Windows\system32\wbem
2010-01-01 13:57:05 ----D---- C:\Windows\system32\config
2010-01-01 13:55:40 ----SD---- C:\Windows\Downloaded Program Files
2010-01-01 13:55:40 ----RSD---- C:\Windows\Media
2010-01-01 13:55:35 ----D---- C:\Windows\Tasks
2010-01-01 13:55:35 ----D---- C:\Windows\system32\Tasks
2010-01-01 13:55:35 ----D---- C:\Windows\system32\spool
2010-01-01 13:55:34 ----D---- C:\Windows\system32\CodeIntegrity
2010-01-01 13:55:34 ----D---- C:\Windows\rescache
2010-01-01 13:55:26 ----D---- C:\Users\Administrator\AppData\Roaming\vlc
2010-01-01 13:55:19 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-01-01 13:55:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-01 13:55:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-01 13:55:19 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-01 13:55:19 ----D---- C:\Program Files\BaldursGateTutu
2010-01-01 13:54:54 ----D---- C:\Windows\registration
2010-01-01 13:54:47 ----D---- C:\Program Files\Windows Media Player
2009-12-15 18:44:50 ----D---- C:\Windows\Debug
2009-12-05 16:29:58 ----D---- C:\Windows\Microsoft.NET
2009-12-05 16:29:53 ----RSD---- C:\Windows\assembly
2009-12-05 15:58:49 ----D---- C:\Windows\system32\catroot
2009-12-05 15:56:06 ----D---- C:\Windows\system32\zh-TW
2009-12-05 15:56:06 ----D---- C:\Windows\system32\zh-HK
2009-12-05 15:56:06 ----D---- C:\Windows\system32\uk-UA
2009-12-05 15:56:06 ----D---- C:\Windows\system32\tr-TR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\th-TH
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sv-SE
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sr-Latn-CS
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sl-SI
2009-12-05 15:56:06 ----D---- C:\Windows\system32\sk-SK
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pt-PT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pt-BR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\pl-PL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\nl-NL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\lv-LV
2009-12-05 15:56:06 ----D---- C:\Windows\system32\lt-LT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\ko-KR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\it-IT
2009-12-05 15:56:06 ----D---- C:\Windows\system32\hu-HU
2009-12-05 15:56:06 ----D---- C:\Windows\system32\hr-HR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\he-IL
2009-12-05 15:56:06 ----D---- C:\Windows\system32\fr-FR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\fi-FI
2009-12-05 15:56:06 ----D---- C:\Windows\system32\et-EE
2009-12-05 15:56:06 ----D---- C:\Windows\system32\es-ES
2009-12-05 15:56:06 ----D---- C:\Windows\system32\el-GR
2009-12-05 15:56:06 ----D---- C:\Windows\system32\bg-BG
2009-12-05 15:56:05 ----D---- C:\Windows\system32\zh-CN
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ru-RU
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ro-RO
2009-12-05 15:56:05 ----D---- C:\Windows\system32\nb-NO
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ja-JP
2009-12-05 15:56:05 ----D---- C:\Windows\system32\de-DE
2009-12-05 15:56:05 ----D---- C:\Windows\system32\da-DK
2009-12-05 15:56:05 ----D---- C:\Windows\system32\cs-CZ
2009-12-05 15:56:05 ----D---- C:\Windows\system32\ar-SA

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2010-01-01 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2010-01-01 28424]
R1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2010-01-01 360584]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-08-01 1052704]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-06-10 9899296]
R3 rt61x86;RT61 Wireless Driver for Windows Vista; C:\Windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
S3 catchme;catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [2007-06-02 8192]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2009-09-18 721904]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-01-01 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-01-01 285392]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-06-10 211488]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Windows\System32\nvSCPAPISvr.exe [2009-06-10 232960]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-22 1028432]

-----------------EOF-----------------



#23
January 2, 2010 at 19:17:35
Here is ComboFix. I'm not sure if it's important, but I figured I would mention that on previous runs of ComboFix it would restart my machine and then run immediately on startup; this time it did not, it just ran.

ComboFix 10-01-02.01 - Administrator 01/02/2010 21:05:05.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1283 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 03:13 . 2010-01-03 03:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 03:13 . 2010-01-03 03:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-01 22:51 . 2010-01-01 22:26 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-01 22:51 . 2010-01-01 22:26 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-01 22:51 . 2010-01-01 22:26 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-01 22:51 . 2010-01-01 22:26 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-01 22:51 . 2010-01-01 22:26 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-01 22:51 . 2010-01-01 22:26 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-01 22:27 . 2010-01-01 22:27 -------- d-----w- C:\$AVG
2010-01-01 22:27 . 2010-01-01 22:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-01 22:27 . 2010-01-01 22:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-01 22:26 . 2010-01-01 22:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-01 22:26 . 2010-01-02 14:43 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\program files\AVG
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\programdata\avg9
2010-01-01 20:23 . 2010-01-02 22:48 -------- d-----w- C:\rsit
2010-01-01 07:07 . 2010-01-03 00:47 -------- d-----w- c:\program files\DominateGame
2009-12-19 20:51 . 2009-12-19 20:51 -------- d-----w- c:\users\Administrator\AppData\Roaming\Search Settings
2009-12-15 21:31 . 2009-12-15 21:31 -------- d--h--w- c:\windows\PIF
2009-12-15 04:14 . 2009-12-15 04:14 -------- d-----w- c:\programdata\b17c51d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 00:42 . 2010-01-02 23:44 0 ----a-w- c:\users\Administrator\AppData\Local\prvlcl.dat
2010-01-03 00:28 . 2009-07-15 03:42 -------- d-----w- c:\programdata\NVIDIA
2010-01-03 00:28 . 2009-07-15 10:32 32631 ----a-w- c:\programdata\nvModes.dat
2010-01-03 00:28 . 2008-10-17 03:40 -------- d-----w- c:\program files\Curse
2010-01-02 20:20 . 2009-07-22 05:16 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-02 03:01 . 2009-07-15 05:31 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-01 22:19 . 2009-09-18 01:56 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-01-01 22:18 . 2008-08-17 20:35 -------- d-----w- c:\program files\LimeWire
2010-01-01 19:55 . 2009-08-31 14:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-01-01 19:55 . 2009-09-27 17:00 -------- d-----w- c:\program files\BaldursGateTutu
2010-01-01 19:55 . 2009-07-22 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 19:55 . 2008-08-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:55 . 2008-08-21 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 19:55 . 2008-08-19 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:07 . 2009-09-20 01:05 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 18:42 . 2009-11-19 18:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
2009-11-14 07:34 . 2009-11-14 07:34 -------- d-----w- c:\programdata\BioWare
2009-11-13 23:49 . 2009-11-13 23:49 -------- d-----w- c:\programdata\Media Center Programs
2009-11-13 23:49 . 2008-08-23 17:54 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-13 23:44 . 2009-11-13 23:33 -------- d-----w- c:\program files\Dragon Age
2009-11-12 23:02 . 2009-09-10 18:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-11-11 04:23 . 2008-08-23 17:43 -------- d-----w- c:\program files\Mass Effect
2009-11-09 03:17 . 2008-08-25 18:35 -------- d-----w- c:\program files\DivX
2009-11-07 19:47 . 2009-10-31 06:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Winamp
2009-11-07 03:48 . 2009-11-07 03:48 -------- d--h--r- c:\users\Administrator\AppData\Roaming\SecuROM
2009-11-06 03:49 . 2009-11-06 03:48 -------- d-----w- c:\program files\Dragon Age Origins Character Creator
2009-10-26 02:31 . 2009-07-15 02:14 53736 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-19 05:22 . 2009-09-23 05:22 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 05:22 . 2009-09-23 05:22 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-01 22:51 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-06-23 16:01 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d9,92,38,fd,0f,05,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/21/2009 11:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/1/2010 4:26 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/1/2010 4:27 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 55024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2010 4:26 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/1/2010 4:26 PM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/26/2008 12:51 PM 333824]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2009 5:44 PM 25832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 7408]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2009 7:03 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:22]

2010-01-03 c:\windows\Tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 21:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84819618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8799dd24
\Driver\ACPI -> acpi.sys @ 0x80608d68
\Driver\atapi -> ataport.SYS @ 0x80717a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aif"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aifc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aiff"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4a"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4v"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp2"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp3"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mpg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wav"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv_e_1233158593_h_1d47b86e8c89d78c2aba9216bd2a5e7a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,49,c2,16,34,16,c7,2a,12,41,93,28,86,39,47,53,33,93,96,28,a1,
14,d6,37,53,48,45,c0,72,ee,3e,61,53,a5,fd,5f,32,34,f1,17,1d,a8,de,d9,48,ad,\
"rkeysecu"=hex:6c,e4,91,b9,69,d3,54,03,0c,a0,08,d7,09,81,20,a5
.
Completion time: 2010-01-02 21:18:39
ComboFix-quarantined-files.txt 2010-01-03 03:18

Pre-Run: 184,470,183,936 bytes free
Post-Run: 184,428,892,160 bytes free

- - End Of File - - 767DA1F6DE910AAB8D461A45767888E2



#24
January 3, 2010 at 09:10:20
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SRPeek::
c:\programdata\b17c51d
c:\users\Administrator\AppData\Roaming\Search Settings

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#25
January 3, 2010 at 10:17:43
ComboFix 10-01-02.01 - Administrator 01/03/2010 12:07:17.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.866 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-02 23:44 . 2010-01-03 09:42 0 ----a-w- c:\users\Administrator\AppData\Local\prvlcl.dat
2010-01-01 22:51 . 2010-01-01 22:26 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-01 22:51 . 2010-01-01 22:26 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-01 22:51 . 2010-01-01 22:26 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-01 22:51 . 2010-01-01 22:26 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-01 22:51 . 2010-01-01 22:26 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-01 22:51 . 2010-01-01 22:26 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-01 22:27 . 2010-01-01 22:27 -------- d-----w- C:\$AVG
2010-01-01 22:27 . 2010-01-01 22:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-01 22:27 . 2010-01-01 22:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-01 22:26 . 2010-01-01 22:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-01 22:26 . 2010-01-03 15:55 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\program files\AVG
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\programdata\avg9
2010-01-01 20:23 . 2010-01-02 22:48 -------- d-----w- C:\rsit
2010-01-01 07:07 . 2010-01-03 05:50 -------- d-----w- c:\program files\DominateGame
2009-12-19 20:51 . 2009-12-19 20:51 -------- d-----w- c:\users\Administrator\AppData\Roaming\Search Settings
2009-12-15 21:31 . 2009-12-15 21:31 -------- d--h--w- c:\windows\PIF
2009-12-15 04:14 . 2009-12-15 04:14 -------- d-----w- c:\programdata\b17c51d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 00:28 . 2009-07-15 03:42 -------- d-----w- c:\programdata\NVIDIA
2010-01-03 00:28 . 2009-07-15 10:32 32631 ----a-w- c:\programdata\nvModes.dat
2010-01-03 00:28 . 2008-10-17 03:40 -------- d-----w- c:\program files\Curse
2010-01-02 20:20 . 2009-07-22 05:16 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-02 03:01 . 2009-07-15 05:31 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-01 22:19 . 2009-09-18 01:56 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-01-01 22:18 . 2008-08-17 20:35 -------- d-----w- c:\program files\LimeWire
2010-01-01 19:55 . 2009-08-31 14:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-01-01 19:55 . 2009-09-27 17:00 -------- d-----w- c:\program files\BaldursGateTutu
2010-01-01 19:55 . 2009-07-22 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 19:55 . 2008-08-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:55 . 2008-08-21 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 19:55 . 2008-08-19 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:07 . 2009-09-20 01:05 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 18:42 . 2009-11-19 18:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
2009-11-14 07:34 . 2009-11-14 07:34 -------- d-----w- c:\programdata\BioWare
2009-11-13 23:49 . 2009-11-13 23:49 -------- d-----w- c:\programdata\Media Center Programs
2009-11-13 23:49 . 2008-08-23 17:54 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-13 23:44 . 2009-11-13 23:33 -------- d-----w- c:\program files\Dragon Age
2009-11-12 23:02 . 2009-09-10 18:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-11-11 04:23 . 2008-08-23 17:43 -------- d-----w- c:\program files\Mass Effect
2009-11-09 03:17 . 2008-08-25 18:35 -------- d-----w- c:\program files\DivX
2009-11-07 19:47 . 2009-10-31 06:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Winamp
2009-11-07 03:48 . 2009-11-07 03:48 -------- d--h--r- c:\users\Administrator\AppData\Roaming\SecuROM
2009-11-06 03:49 . 2009-11-06 03:48 -------- d-----w- c:\program files\Dragon Age Origins Character Creator
2009-10-26 02:31 . 2009-07-15 02:14 53736 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-19 05:22 . 2009-09-23 05:22 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 05:22 . 2009-09-23 05:22 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((( SnapShot@2010-01-03_03.14.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-03 12:02 . 2010-01-03 15:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010010320100104\index.dat
+ 2006-11-02 10:33 . 2010-01-03 18:04 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-01-03 00:33 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-01-03 18:04 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-01-03 00:33 101144 c:\windows\System32\perfc009.dat
+ 2009-07-15 02:56 . 2010-01-03 17:52 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-15 02:56 . 2010-01-03 02:28 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-01 22:51 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-06-23 16:01 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d9,92,38,fd,0f,05,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/21/2009 11:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/1/2010 4:26 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/1/2010 4:27 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 55024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2010 4:26 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/1/2010 4:26 PM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/26/2008 12:51 PM 333824]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2009 5:44 PM 25832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 7408]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2009 7:03 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:22]

2010-01-03 c:\windows\Tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 12:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84819618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8799dd24
\Driver\ACPI -> acpi.sys @ 0x80608d68
\Driver\atapi -> ataport.SYS @ 0x80717a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aif"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aifc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aiff"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4a"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4v"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp2"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp3"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mpg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wav"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv_e_1233158593_h_1d47b86e8c89d78c2aba9216bd2a5e7a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,49,c2,16,34,16,c7,2a,12,41,93,28,86,39,47,53,33,93,96,28,a1,
14,d6,37,53,48,45,c0,72,ee,3e,61,53,a5,fd,5f,32,34,f1,17,1d,a8,de,d9,48,ad,\
"rkeysecu"=hex:6c,e4,91,b9,69,d3,54,03,0c,a0,08,d7,09,81,20,a5
.
Completion time: 2010-01-03 12:20:12
ComboFix-quarantined-files.txt 2010-01-03 18:20
ComboFix2.txt 2010-01-03 03:18

Pre-Run: 183,354,843,136 bytes free
Post-Run: 183,306,928,128 bytes free

- - End Of File - - F903FF0D06E3747D255D4CAA4315ACFE



#26
January 3, 2010 at 10:49:01
Be sure that these are turned off or disabled:


Avg antivirus
Windows Defender
Spybot's TeaTimer
Ad-Aware


Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Users\Administrator\AppData\Roaming\Search Settings
C:\ProgramData\b17c51d
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Are you still being redirected after running this script?



#27
January 3, 2010 at 12:05:12
Unfortunately I'm still being redirected. Here is the log.


ComboFix 10-01-02.01 - Administrator 01/03/2010 13:46:18.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1056 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\b17c51d
c:\users\Administrator\AppData\Roaming\Search Settings
c:\users\Administrator\AppData\Roaming\Search Settings\kb128\temp\ws-14597.log

.
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 19:52 . 2010-01-03 19:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 19:52 . 2010-01-03 19:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-03 19:52 . 2010-01-03 19:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-02 23:44 . 2010-01-03 19:42 0 ----a-w- c:\users\Administrator\AppData\Local\prvlcl.dat
2010-01-01 22:51 . 2010-01-01 22:26 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-01 22:51 . 2010-01-01 22:26 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-01 22:51 . 2010-01-01 22:26 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-01 22:51 . 2010-01-01 22:26 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-01 22:51 . 2010-01-01 22:26 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-01 22:51 . 2010-01-01 22:26 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-01 22:27 . 2010-01-01 22:27 -------- d-----w- C:\$AVG
2010-01-01 22:27 . 2010-01-01 22:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-01 22:27 . 2010-01-01 22:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-01 22:26 . 2010-01-01 22:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-01 22:26 . 2010-01-03 15:55 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\program files\AVG
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\programdata\avg9
2010-01-01 20:23 . 2010-01-02 22:48 -------- d-----w- C:\rsit
2010-01-01 07:07 . 2010-01-03 18:36 -------- d-----w- c:\program files\DominateGame
2009-12-15 21:31 . 2009-12-15 21:31 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 00:28 . 2009-07-15 03:42 -------- d-----w- c:\programdata\NVIDIA
2010-01-03 00:28 . 2009-07-15 10:32 32631 ----a-w- c:\programdata\nvModes.dat
2010-01-03 00:28 . 2008-10-17 03:40 -------- d-----w- c:\program files\Curse
2010-01-02 20:20 . 2009-07-22 05:16 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-02 03:01 . 2009-07-15 05:31 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-01 22:19 . 2009-09-18 01:56 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-01-01 22:18 . 2008-08-17 20:35 -------- d-----w- c:\program files\LimeWire
2010-01-01 19:55 . 2009-08-31 14:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-01-01 19:55 . 2009-09-27 17:00 -------- d-----w- c:\program files\BaldursGateTutu
2010-01-01 19:55 . 2009-07-22 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 19:55 . 2008-08-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:55 . 2008-08-21 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 19:55 . 2008-08-19 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:07 . 2009-09-20 01:05 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 18:42 . 2009-11-19 18:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
2009-11-14 07:34 . 2009-11-14 07:34 -------- d-----w- c:\programdata\BioWare
2009-11-13 23:49 . 2009-11-13 23:49 -------- d-----w- c:\programdata\Media Center Programs
2009-11-13 23:49 . 2008-08-23 17:54 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-13 23:44 . 2009-11-13 23:33 -------- d-----w- c:\program files\Dragon Age
2009-11-12 23:02 . 2009-09-10 18:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-11-11 04:23 . 2008-08-23 17:43 -------- d-----w- c:\program files\Mass Effect
2009-11-09 03:17 . 2008-08-25 18:35 -------- d-----w- c:\program files\DivX
2009-11-07 19:47 . 2009-10-31 06:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Winamp
2009-11-07 03:48 . 2009-11-07 03:48 -------- d--h--r- c:\users\Administrator\AppData\Roaming\SecuROM
2009-11-06 03:49 . 2009-11-06 03:48 -------- d-----w- c:\program files\Dragon Age Origins Character Creator
2009-10-26 02:31 . 2009-07-15 02:14 53736 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-19 05:22 . 2009-09-23 05:22 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 05:22 . 2009-09-23 05:22 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-03_03.14.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-03 12:02 . 2010-01-03 15:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010010320100104\index.dat
+ 2006-11-02 10:33 . 2010-01-03 18:04 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-01-03 00:33 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-01-03 18:04 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-01-03 00:33 101144 c:\windows\System32\perfc009.dat
+ 2009-07-15 02:56 . 2010-01-03 19:38 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-15 02:56 . 2010-01-03 02:28 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-01 22:51 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-06-23 16:01 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d9,92,38,fd,0f,05,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/21/2009 11:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/1/2010 4:26 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/1/2010 4:27 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 55024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2010 4:26 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/1/2010 4:26 PM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/26/2008 12:51 PM 333824]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2009 5:44 PM 25832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 7408]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2009 7:03 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:22]

2010-01-03 c:\windows\Tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 13:53
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84819618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8799dd24
\Driver\ACPI -> acpi.sys @ 0x80608d68
\Driver\atapi -> ataport.SYS @ 0x80717a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aif"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aifc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aiff"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4a"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4v"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp2"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp3"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mpg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wav"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv_e_1233158593_h_1d47b86e8c89d78c2aba9216bd2a5e7a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,49,c2,16,34,16,c7,2a,12,41,93,28,86,39,47,53,33,93,96,28,a1,
14,d6,37,53,48,45,c0,72,ee,3e,61,53,a5,fd,5f,32,34,f1,17,1d,a8,de,d9,48,ad,\
"rkeysecu"=hex:6c,e4,91,b9,69,d3,54,03,0c,a0,08,d7,09,81,20,a5
.
Completion time: 2010-01-03 13:57:10
ComboFix-quarantined-files.txt 2010-01-03 19:57
ComboFix2.txt 2010-01-03 18:20
ComboFix3.txt 2010-01-03 03:18

Pre-Run: 183,424,565,248 bytes free
Post-Run: 183,380,008,960 bytes free

- - End Of File - - 494C959B6C79569549DFEA23B8D66FB6



#28
January 3, 2010 at 13:00:28
Remember to shut down your protection and let me know if you are still being redirected.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\users\Administrator\AppData\Local\prvlcl.dat

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto start, click "run".

Please post the log that is produced.



#29
January 3, 2010 at 13:59:57
Unfortunately I'm still being redirected. Here is the log:

ComboFix 10-01-02.01 - Administrator 01/03/2010 15:39:46.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1069 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Administrator\AppData\Local\prvlcl.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\AppData\Local\prvlcl.dat

.
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 21:46 . 2010-01-03 21:49 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 21:46 . 2010-01-03 21:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-03 21:46 . 2010-01-03 21:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 21:14 . 2010-01-03 21:14 -------- d-----w- c:\users\Administrator\AppData\Local\Apple
2010-01-03 21:14 . 2010-01-03 21:14 -------- d-----w- c:\users\Administrator\AppData\Local\Apple Computer
2010-01-01 22:27 . 2010-01-01 22:27 -------- d-----w- C:\$AVG
2010-01-01 22:27 . 2010-01-01 22:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-01 22:27 . 2010-01-01 22:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-01 22:26 . 2010-01-01 22:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-01 22:26 . 2010-01-01 22:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-01 22:26 . 2010-01-03 15:55 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\program files\AVG
2010-01-01 22:26 . 2010-01-01 22:26 -------- d-----w- c:\programdata\avg9
2010-01-01 20:23 . 2010-01-02 22:48 -------- d-----w- C:\rsit
2010-01-01 07:07 . 2010-01-03 18:36 -------- d-----w- c:\program files\DominateGame
2009-12-15 21:31 . 2009-12-15 21:31 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 21:48 . 2008-10-17 03:40 -------- d-----w- c:\program files\Curse
2010-01-03 21:48 . 2009-07-15 10:32 32631 ----a-w- c:\programdata\nvModes.dat
2010-01-03 21:48 . 2009-07-15 03:42 -------- d-----w- c:\programdata\NVIDIA
2010-01-02 03:01 . 2009-07-15 05:31 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-01 22:19 . 2009-09-18 01:56 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-01-01 22:18 . 2008-08-17 20:35 -------- d-----w- c:\program files\LimeWire
2010-01-01 19:55 . 2009-08-31 14:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-01-01 19:55 . 2009-09-27 17:00 -------- d-----w- c:\program files\BaldursGateTutu
2010-01-01 19:55 . 2009-07-22 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 19:55 . 2008-08-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:55 . 2008-08-21 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 19:55 . 2008-08-19 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:07 . 2009-09-20 01:05 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 18:42 . 2009-11-19 18:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
2009-11-14 07:34 . 2009-11-14 07:34 -------- d-----w- c:\programdata\BioWare
2009-11-13 23:49 . 2009-11-13 23:49 -------- d-----w- c:\programdata\Media Center Programs
2009-11-13 23:49 . 2008-08-23 17:54 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-13 23:44 . 2009-11-13 23:33 -------- d-----w- c:\program files\Dragon Age
2009-11-12 23:02 . 2009-09-10 18:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-11-11 04:23 . 2008-08-23 17:43 -------- d-----w- c:\program files\Mass Effect
2009-11-09 03:17 . 2008-08-25 18:35 -------- d-----w- c:\program files\DivX
2009-11-07 19:47 . 2009-10-31 06:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Winamp
2009-11-07 03:48 . 2009-11-07 03:48 -------- d--h--r- c:\users\Administrator\AppData\Roaming\SecuROM
2009-11-06 03:49 . 2009-11-06 03:48 -------- d-----w- c:\program files\Dragon Age Origins Character Creator
2009-10-26 02:31 . 2009-07-15 02:14 53736 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-01 22:51 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-06-23 16:01 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d9,92,38,fd,0f,05,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/21/2009 11:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/1/2010 4:26 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/1/2010 4:27 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 55024]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/26/2008 12:51 PM 333824]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2009 5:44 PM 25832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 7408]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2010 4:26 PM 906520]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/1/2010 4:26 PM 285392]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2009 7:03 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:22]

2010-01-03 c:\windows\Tasks\User_Feed_Synchronization-{83038BE6-5EBC-4B6A-850B-0FE370D349D0}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 15:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8481B618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x879acd24
\Driver\ACPI -> acpi.sys @ 0x80613d68
\Driver\atapi -> ataport.SYS @ 0x80722a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,dd,76,98,05,d5,c3,48,b4,54,a0,\

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aif"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aifc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.aiff"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4a"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4v"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp2"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.mp3"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mpg"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wav"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv_e_1233158593_h_1d47b86e8c89d78c2aba9216bd2a5e7a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3460322775-3498566274-224670622-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,49,c2,16,34,16,c7,2a,12,41,93,28,86,39,47,53,33,93,96,28,a1,
14,d6,37,53,48,45,c0,72,ee,3e,61,53,a5,fd,5f,32,34,f1,17,1d,a8,de,d9,48,ad,\
"rkeysecu"=hex:6c,e4,91,b9,69,d3,54,03,0c,a0,08,d7,09,81,20,a5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-03 15:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 21:58
ComboFix2.txt 2010-01-03 19:57
ComboFix3.txt 2010-01-03 18:20
ComboFix4.txt 2010-01-03 03:18

Pre-Run: 183,407,595,520 bytes free
Post-Run: 184,101,244,928 bytes free

- - End Of File - - 3D405D06518196EFB60FBEB7372A2011



#30
January 3, 2010 at 14:37:26
Download Dr.Web CureIt to the desktop from the following link.

Drweb-Cureit

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Run Dr.Web CureIt as follows:


1. Double-click the drweb-cureit.exe file.
2. Allow it to run the express scan.
3. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
4. Once the short scan has finished, mark the drives that you want to scan.
5. Select all drives. A red dot shows which drives have been chosen.
6. Click the green arrow at the right, and the scan will start.
7. Click 'Yes to all' if it asks if you want to cure/move the file.
8. When the scan has finished, look if you can click next icon next to the files found:
9. If so, click it and then click the next icon right below and select Move incurable.
10. This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
11. After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the report to your desktop. The report will be called DrWeb.csv
12. Close Dr.Web Cureit.
13. Reboot your computer! Files that are in use may be moved/deleted during the reboot.
14. After the reboot, post the contents of the Dr.Web log you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.



#31
January 3, 2010 at 15:18:28
When I tried to extract Drweb-cureit, it gives me an error message saying that it is either in an unknown format or damaged.


#32
January 3, 2010 at 16:23:33
I have no idea on that one.

Please run ESET's online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan.
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install.
5. Click Start
6. Make sure that the option "Remove found threats" is unticked (I want to see what is found first), and that the option "Scan unwanted applications" is checked.
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#33
January 3, 2010 at 19:42:50
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3da75691e29f81489326ad80061af539
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-04 03:21:55
# local_time=2010-01-03 09:21:55 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 42216579 42216579 0 0
# compatibility_mode=1024 16777215 100 0 99072 99072 0 0
# compatibility_mode=5121 16777214 0 3 42342754 42342754 0 0
# compatibility_mode=5892 16776574 100 100 14008419 99174178 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=456971
# found=8
# cleaned=0
# scan_time=8664
C:\Windows.old\Users\Administrator\AppData\Local\Temp\UAC68b2.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
C:\Windows.old\Users\Administrator\AppData\Local\Temp\uhcelttrgg.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
C:\Windows.old\Users\Administrator\AppData\Local\Temp\plugtmp-236\plugin-pfqa.php PDF/Exploit.Gen trojan 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\airtvdmy.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\eetimpxo.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\rtwvwyay.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\rtwvwyay.ini2 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\vkmmrvrn.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I


#34
January 5, 2010 at 18:07:26
Anything new I can do?


#35
January 5, 2010 at 18:27:38

Did you download ComboFix with Internet Explorer?

C:\Windows.old is a backup of a previous installation of Windows. You could just delete that folder. It is infected with an older version of the same baddie you have now.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Windows.old\Users\Administrator\AppData\Local\Temp\UAC68b2.tmp
C:\Windows.old\Users\Administrator\AppData\Local\Temp\uhcelttrgg.tmp
C:\Windows.old\Users\Administrator\AppData\Local\Temp\plugtmp-236\plugin-pfqa.php
C:\Windows.old\Windows\System32\airtvdmy.ini
C:\Windows.old\Windows\System32\eetimpxo.ini
C:\Windows.old\Windows\System32\rtwvwyay.ini
C:\Windows.old\Windows\System32\rtwvwyay.ini2
C:\Windows.old\Windows\System32\vkmmrvrn.ini

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. It will extract to an unzipped folder; drag TDSSKiller.exe out of that folder onto the desktop.
2. Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
4. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


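The ESET log in #33 and the CFScript in #35 are the same list of files in two formats. As an added example (not code from this thread, from ESET or from ComboFix), here is a small Python script that parses an ESET Online Scanner log.txt, cross-checks the parsed result lines against the `# found=` header, summarises detections per threat name, and emits the CFScript with the `KILLALL::` and `File::` directives used in the post above. The log format is inferred from the posted output (path, detection name, type, 32-hex digest, one-letter status; a real log.txt is typically tab-separated, which the right-split handles the same way). The restriction to paths under C:\Windows.old is an assumption of this example: it mirrors what the helper did by hand and keeps a live system file out of the File:: list if the script is reused on a later log. The sample log is a constructed subset of the one posted in #33.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: banner, a few header lines and the eight result
# lines of the ESET log posted in this thread, as the page shows them.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# scanned=456971
# found=8
# cleaned=0
C:\Windows.old\Users\Administrator\AppData\Local\Temp\UAC68b2.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
C:\Windows.old\Users\Administrator\AppData\Local\Temp\uhcelttrgg.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
C:\Windows.old\Users\Administrator\AppData\Local\Temp\plugtmp-236\plugin-pfqa.php PDF/Exploit.Gen trojan 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\airtvdmy.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\eetimpxo.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\rtwvwyay.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\rtwvwyay.ini2 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Windows.old\Windows\System32\vkmmrvrn.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
"""


class Detection(NamedTuple):
    path: str     # file the scanner flagged
    threat: str   # ESET detection name, e.g. Win32/Olmarik.LT
    kind: str     # virus / trojan / application
    digest: str   # 32 hex characters (all zeros in the posted log)
    flag: str     # single-letter status column


_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_header(text: str) -> Dict[str, str]:
    """Collect the '# key=value' lines (first value wins for repeated keys)."""
    header: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key.strip(), value.strip())
    return header


def parse_eset_log(text: str) -> List[Detection]:
    """Return one Detection per result line; banner and header lines are skipped."""
    found: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right so a path containing spaces stays in one piece.
        parts = line.rsplit(None, 4)
        if len(parts) != 5:
            continue
        path, threat, kind, digest, flag = parts
        if not (_DRIVE_PATH.match(path) and _HEX32.match(digest) and len(flag) == 1):
            continue
        found.append(Detection(path, threat, kind, digest, flag))
    return found


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per threat name."""
    return dict(Counter(d.threat for d in detections))


def build_cfscript(detections: List[Detection],
                   allowed_root: str = r"C:\Windows.old") -> Tuple[str, List[str]]:
    """Emit a ComboFix CFScript (KILLALL:: then File::) for hits under allowed_root.

    Paths outside that root are returned in the second element instead of being
    scripted, so a live system file never lands in the File:: list by accident.
    The root is an assumption of this example, chosen to match post #35.
    """
    root = allowed_root.rstrip("\\").lower() + "\\"
    scripted: List[str] = []
    skipped: List[str] = []
    for d in detections:
        (scripted if d.path.lower().startswith(root) else skipped).append(d.path)
    script = "\n".join(["KILLALL::", "File::", *scripted]) + "\n"
    return script, skipped


if __name__ == "__main__":
    hits = parse_eset_log(SAMPLE_LOG)
    header = parse_header(SAMPLE_LOG)
    if header.get("found") != str(len(hits)):
        print(f"warning: header says found={header.get('found')}, parsed {len(hits)} result lines")
    for threat, n in sorted(summarize(hits).items()):
        print(f"{n:3d}  {threat}")
    script, skipped = build_cfscript(hits)
    print(script, end="")
    for p in skipped:
        print(f"skipped (outside C:\\Windows.old): {p}")
```

Save the printed block as CFScript.txt and drag it onto ComboFix.exe as #35 describes. For this particular machine the scripted deletions and simply removing C:\Windows.old are equivalent, since every hit sits inside that offline copy of the old installation; the script only pays off when the list is long or a later log has to be re-checked.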

#36
January 5, 2010 at 18:49:31
If I just delete Windows.old, is it necessary for me to run ComboFix? Also, yes, I remembered to download it via IE.


#37
January 5, 2010 at 19:01:52
No, it is not necessary.


#38
January 5, 2010 at 19:29:41
I'm not entirely sure why I keep coming up with absent logs, but after running TDSSKiller, once again, there was no log created, at least one didn't pop up, and I couldn't find a text file named TDSSKiller. It did however report that there were a couple of things that it cured and then told me to reboot.


#39
January 5, 2010 at 19:33:51
I can however say that whatever happened, the redirecting seems to have subsided, at least for now.


#40
January 5, 2010 at 19:39:35
I can also say that I remember there were 2 objects in memory that it cured and 1 object on the disk that was to be cured on reboot, and they all had something to do with "atapi".

I'm sorry if this isn't much help. I'm trying to be as helpful as I can without being able to find the log.



#41
January 5, 2010 at 19:41:15
Normally it would be located at c:\TDSSKiller.txt

Do the clean-up again as needed.

Delete RSIT and TDSSKiller.exe from your desktop

Go to Start > Run, type in ComboFix /Uninstall (note the space after ComboFix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, create a new restore point. Go to Start > Run > type in msconfig > OK > click Launch System Restore > check the circle beside "Create a restore point" > Next > name it today's date > Create > click Home > exit the System Configuration utility > restart the computer.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.



#42
January 5, 2010 at 19:55:08
Yeah, that was the first place I looked; there was not a file by the name of TDSSKiller of any type at that location.

But I guess if I'm clean I can't be complaining, and if not, I'm sure I'll be running back here for you guys' expert advice.

I can't thank you enough for your assistance in helping me solve this. It's been bugging me for too long and I am so glad to be rid of it. Thank you so very much.



#43
January 5, 2010 at 22:19:58
Okay, I'm having the same redirect problem. After reviewing this exchange, I'm thinking "Holy crap! Isn't there an easier solution to what seems like a recurring problem??!!"
