Google search links redirect to other website

March 12, 2010 at 16:17:30
Specs: Windows Vista Home Premium SP2
When conducting searches in Google, links will redirect me to advertising websites.




#1
March 12, 2010 at 16:40:12
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

* Save both reports to your desktop
* Please include the following logs in your next reply: DDS.txt and Attach.txt

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.



#2
March 12, 2010 at 21:24:56
It is a Google hijacker virus that redirects Google and other search engine search results to unwanted websites. To get rid of this virus, see the Google search redirect virus removal guide within this link:
http://darfuns.com/remove-google-se...


#3
March 13, 2010 at 10:26:07
After disabling Avast, downloading dds.scr and opening it, it failed to run. No prompts appeared, and the only thing that showed was a bunch of gibberish in a text file with the phrase "This program cannot be run in DOS mode." at the very top.

I downloaded and ran MalwareBytes successfully. The following is the report:

Malwarebytes' Anti-Malware 1.44
Database version: 3863
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

3/13/2010 1:16:21 PM
mbam-log-2010-03-13 (13-16-21).txt

Scan type: Quick Scan
Objects scanned: 137393
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fd501041-8ebe-11ce-8183-00aa00577da1} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b498502-1218-11cf-adc4-00a0d100041b} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d877b48a-8972-4653-91e2-445cd4e12fc2} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\cpwiuy.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\t5rdv.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\ecesq.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.




#4
March 13, 2010 at 13:17:58
DDS must be downloaded to the desktop, any other place would cause that type of problem.

If you did download it to the desktop and received that error, try HijackThis from the following link.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#5
March 13, 2010 at 13:41:39
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:32 PM, on 3/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Trung\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Users\Trung\AppData\Local\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 1\firefox.exe
C:\Users\Trung\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Trung\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Trung\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Trung\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FAH@C:+Users+Trung+Desktop+Folding+FAH504-Console.exe - Unknown owner - C:\Users\Trung\Desktop\Folding\FAH504-Console.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 7841 bytes


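The HijackThis log above is a plain "<section> - <body>" text format, so it can be triaged mechanically before anyone is asked to "fix" anything. The script below is an added example written for this thread; it is not code from HijackThis, Malwarebytes or ComboFix, and its sample log, its allow-list of default IE pages and its severity rules are constructed heuristics, not the tool's own verdicts. It flags the kinds of entries that matter for a search-redirect complaint: a proxy pushed into Internet Settings, a hosts-file entry that maps a name to something other than loopback, autostarts and BHOs living in user-writable folders, and services whose binary is gone.

```python
"""Heuristic triage of a HijackThis v2 log (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample in the "<section> - <body>" layout HijackThis uses.
# The all-zero GUID and the "example" user are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.google.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Users\example\AppData\Local\Temp\helper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [updater] C:\Users\example\AppData\Roaming\updater.exe
O23 - Service: Folding (FAH) - Unknown owner - C:\Users\example\Desktop\Folding\FAH504-Console.exe (file missing)
"""

# Constructed allow-list: hosts a stock Vista/Toshiba IE install points at by default.
KNOWN_PAGE_HOSTS = {"go.microsoft.com", "www.toshibadirect.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Locations a non-admin user (or malware running as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\(Desktop|Downloads))\\", re.I)

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return (severity, section, detail) findings for entries worth a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if key.endswith(",ProxyServer") and value:
                # A proxy can rewrite every search result page on its way in.
                findings.append(("high", section, f"browser proxy set to {value}"))
            elif value.startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in KNOWN_PAGE_HOSTS:
                    findings.append(("medium", section, f"non-default page {value}"))
        elif section == "O1":
            # "Hosts: <ip> <name>": anything but loopback silently redirects <name>.
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append(("high", section, f"hosts maps {parts[2]} to {parts[1]}"))
        elif section == "O4":
            # Autostart whose target lives in a user-writable folder.
            if USER_WRITABLE.search(body):
                findings.append(("medium", section, body))
        elif section == "O2":
            # BHO (loaded into every IE process) from a user-writable folder.
            path = body.rsplit(" - ", 1)[-1]
            if USER_WRITABLE.search(path):
                findings.append(("medium", section, f"BHO from {path}"))
        elif section == "O23":
            if body.endswith("(file missing)"):
                findings.append(("low", section, "service binary missing: " + body))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {detail}")
```

The rules are deliberately coarse: a legitimate per-user updater under AppData will also be flagged as medium, which is the point of a triage pass (it shortens the list a human reviews; it does not decide what to remove, in line with the "Do NOT have HijackThis fix anything yet" instruction above).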

#6
March 16, 2010 at 17:30:54
Go to start> control panel> click the Java icon> update tab> update now and allow Java to update. If you are prompted for any add-ons uncheck the box and continue. The newest Java is version 6 update 18.

Please download ComboFix with Internet Explorer instead of another browser if possible. Remember, your Avast antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#7
March 16, 2010 at 20:09:42
ComboFix 10-03-16.03 - Trung 03/16/2010 22:20:29.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1145 [GMT -4:00]
Running from: c:\users\Trung\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1290 [VPS 081121-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1290 [VPS 081121-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1002
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1003
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1004
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1005
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1006
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1007
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1008
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1009
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1010
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1011
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1012
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1013
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1014
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1015
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1016
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1017
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1018
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1019
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1020
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1021
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1022
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1023
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1024
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1025
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1026
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1027
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1028
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1029
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1030
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1031
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1032
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1033
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1034
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1035
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1036
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1037
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1038
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1039
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1040
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1041
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1042
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1043
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1044
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1045
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1046
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1047
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1048
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1049
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1050
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1051
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1052
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1053
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1054
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1055
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1056
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-1057
c:\$recycle.bin\S-1-5-21-1057712510-994901703-3176631456-500
C:\DFR70F9.tmp
c:\users\Guest\AppData\Desktop_.ini
c:\users\Guest\AppData\Local\ATI\ACE\Desktop_.ini
c:\users\Guest\AppData\Local\ATI\Desktop_.ini
c:\users\Guest\AppData\Local\Desktop_.ini
c:\users\Guest\AppData\Local\Google\Desktop_.ini
c:\users\Guest\AppData\Local\Google\Google Talk\avatars\Desktop_.ini
c:\users\Guest\AppData\Local\Google\Google Talk\chatlogs\Desktop_.ini
c:\users\Guest\AppData\Local\Google\Google Talk\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft Help\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds Cache\9K82JVVD\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds Cache\AQPI3WYA\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds Cache\BJ2DHHNE\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds Cache\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds Cache\T8QTJJX2\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Media Player\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Media Player\Sync Playlists\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00A22889\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Portable Devices\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Mail\Backup\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Mail\Backup\new\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Mail\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Media\11.0\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Media\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Sidebar\Desktop_.ini
c:\users\Guest\AppData\Local\Microsoft\Windows Sidebar\Gadgets\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\__SkypeIEToolbar_Cache\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\session\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\static\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\static\famfamfam\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\_avast4_\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\Low\Desktop_.ini
c:\users\Guest\AppData\Local\Temp\WPDNSE\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Apple Computer\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Apple Computer\QuickTime\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Microsoft\CryptnetUrlCache\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\Desktop_.ini
c:\users\Guest\AppData\LocalLow\Microsoft\Desktop_.ini
c:\users\Guest\AppData\Roaming\ATI\ACE\Desktop_.ini
c:\users\Guest\AppData\Roaming\ATI\Desktop_.ini
c:\users\Guest\AppData\Roaming\Desktop_.ini
c:\users\Guest\AppData\Roaming\Identities\{5547BB8F-CC5E-4736-965C-28C82ED82A7B}\Desktop_.ini
c:\users\Guest\AppData\Roaming\Identities\Desktop_.ini
c:\users\Guest\AppData\Roaming\Macromedia\Desktop_.ini
c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\Desktop_.ini
c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GVP00001\Desktop_.ini
c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GVP00001\www.orkut.com\Desktop_.ini
c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\Desktop_.ini
c:\users\Guest\AppData\Roaming\Media Center Programs\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\Protect\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\Protect\S-1-5-21-1057712510-994901703-3176631456-501\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\SystemCertificates\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\Desktop_.ini
c:\users\Guest\AppData\Roaming\Microsoft\SystemCertificates\My\Desktop_.ini
c:\users\Guest\Contacts\Desktop_.ini
c:\users\Guest\Desktop\Desktop_.ini
c:\users\Guest\Desktop_.ini
c:\users\Guest\Documents\Desktop_.ini
c:\users\Guest\Downloads\Desktop_.ini
c:\users\Guest\Favorites\Desktop_.ini
c:\users\Guest\Favorites\Links\Desktop_.ini
c:\users\Guest\Favorites\Microsoft Websites\Desktop_.ini
c:\users\Guest\Favorites\MSN Websites\Desktop_.ini
c:\users\Guest\Favorites\Toshiba\Desktop_.ini
c:\users\Guest\Favorites\Windows Live\Desktop_.ini
c:\users\Guest\Links\Desktop_.ini
c:\users\Guest\Music\Desktop_.ini
c:\users\Guest\Pictures\Desktop_.ini
c:\users\Guest\Saved Games\Desktop_.ini
c:\users\Guest\Searches\Desktop_.ini
c:\users\Guest\Videos\Desktop_.ini
c:\users\Trung\AppData\Roaming\inst.exe
c:\windows\system32\license.rtf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 02:37 . 2010-03-17 02:42 -------- d-----w- c:\users\Trung\AppData\Local\temp
2010-03-17 02:37 . 2010-03-17 02:37 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-03-17 02:37 . 2010-03-17 02:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-17 01:57 . 2010-03-17 01:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-13 18:06 . 2010-03-13 18:06 -------- d-----w- c:\users\Trung\AppData\Roaming\Malwarebytes
2010-03-13 18:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 18:05 . 2010-03-13 18:05 -------- d-----w- c:\programdata\Malwarebytes
2010-03-13 18:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 18:05 . 2010-03-13 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 23:19 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 23:19 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-12 23:19 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 22:21 . 2010-03-12 22:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-12 22:16 . 2010-03-13 00:37 -------- d-----w- c:\programdata\Lavasoft
2010-03-12 18:37 . 2010-03-12 21:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-12 07:27 . 2010-03-12 07:27 -------- d-----w- c:\program files\iPod
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\Trung\AppData\Roaming\AVG8
2010-03-11 04:20 . 2010-03-11 19:28 -------- d-----w- c:\program files\McAfee
2010-03-01 02:51 . 2010-03-01 02:54 -------- d-----w- c:\users\Trung\AppData\Roaming\EndNote
2010-03-01 02:49 . 2010-03-01 02:49 -------- d-----w- c:\program files\Common Files\ResearchSoft
2010-03-01 02:48 . 2010-03-01 02:49 -------- d-----w- c:\program files\EndNote X3
2010-03-01 02:47 . 2010-03-01 02:49 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2010-03-01 02:46 . 2010-03-01 02:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 21:22 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 21:21 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 21:21 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 21:21 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 21:21 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 21:21 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 21:21 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 21:21 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 21:21 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 21:21 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 21:21 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 21:21 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 21:21 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 04:54 . 2010-02-22 04:54 -------- d-----w- c:\users\Trung\AppData\Local\Mendeley Ltd
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 03:22 . 2010-03-03 03:03 -------- d-----w- c:\program files\Mendeley Desktop
2010-02-16 20:19 . 2010-02-16 20:20 -------- d-----w- c:\program files\GREET1.8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 02:43 . 2010-02-04 20:32 -------- d-----w- c:\users\Trung\AppData\Roaming\Dropbox
2010-03-17 02:36 . 2008-04-25 20:03 -------- d-----w- c:\users\Guest\AppData\Roaming\ATI
2010-03-17 02:36 . 2008-04-25 19:59 -------- d-----w- c:\users\Guest\AppData\Roaming\Media Center Programs
2010-03-17 01:51 . 2007-11-25 20:49 -------- d-----w- c:\users\Trung\AppData\Roaming\uTorrent
2010-03-15 15:43 . 2007-11-25 20:49 -------- d-----w- c:\program files\uTorrent
2010-03-15 04:09 . 2009-08-11 18:00 -------- d-----w- c:\users\Trung\AppData\Roaming\vlc
2010-03-13 18:00 . 2007-11-24 03:06 149200 ----a-w- c:\users\Trung\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-13 00:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 23:24 . 2007-09-18 23:31 -------- d-----w- c:\programdata\Microsoft Help
2010-03-12 04:50 . 2008-10-16 19:28 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 1
2010-03-12 02:09 . 2009-09-18 14:10 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-11 19:29 . 2007-08-22 20:20 -------- d-----w- c:\programdata\McAfee
2010-03-11 00:33 . 2009-10-15 18:58 -------- d-----w- c:\programdata\Autodesk
2010-03-10 03:08 . 2007-11-29 07:01 680 ----a-w- c:\users\Trung\AppData\Local\d3d9caps.dat
2010-02-24 14:16 . 2009-10-04 19:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-09 20:14 . 2008-03-12 14:51 277980 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-04 14:01 . 2007-11-24 04:18 -------- d-----w- c:\program files\iTunes
2010-02-04 13:59 . 2007-11-24 04:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 13:56 . 2010-02-04 13:55 -------- d-----w- c:\program files\QuickTime
2010-01-29 00:34 . 2009-08-27 23:18 -------- d-----w- c:\users\Trung\AppData\Roaming\dvdcss
2010-01-21 00:12 . 2008-08-13 04:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 01:52 . 2010-01-19 01:52 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-18 13:01 . 2010-01-25 06:00 78336 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Trung\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-07 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 102400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-04 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-17 149280]

c:\users\Trung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Trung\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"RtHDVCpl"=RtHDVCpl.exe
"x3watch"=c:\program files\X3watch\x3watch.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"NDSTray.exe"=NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):91,d5,ff,ef,6d,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 FAH@C:+Users+Trung+Desktop+Folding+FAH504-Console.exe;FAH@C:+Users+Trung+Desktop+Folding+FAH504-Console.exe;c:\users\Trung\Desktop\Folding\FAH504-Console.exe [x]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 kbeepm;kbeepm;c:\users\Trung\AppData\Local\Temp\kbeepm.sys [x]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 2688]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2007-12-17 685816]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-06-01 252416]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1057712510-994901703-3176631456-1000Core.job
- c:\users\Trung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-07 02:03]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1057712510-994901703-3176631456-1000UA.job
- c:\users\Trung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-07 02:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Trung\AppData\Roaming\Mozilla\Firefox\Profiles\6ni32kcx.default\
FF - prefs.js: browser.startup.homepage - mail.google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\users\Trung\AppData\Local\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\users\Trung\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.1 Beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.1 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Trung\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Trung\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Trung\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
HKLM-Run-NoteBurner - c:\program files\NoteBurner\VTBurnerGUI.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-Python 2.5 numpy-1.0.3 - c:\python25\\UNWISE.EXE
AddRemove-Python 2.5.1 - c:\python25\\UNWISE.EXE
AddRemove-{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D} - c:\program files\PDFCreator\unins000.exe
AddRemove-{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1 - c:\program files\BitPim\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 22:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\exfat]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Users+Trung+Desktop+Folding+FAH504-Console.exe]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1057712510-994901703-3176631456-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X*V*I*D*-*F*O*X*-*M*F*D*s*s*"!\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1057712510-994901703-3176631456-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fe,75,40,10,a2,78,ec,25,d8,b0,f2,a5,5e,a4,c5,54,14,91,e9,be,4a,60,53,
3e,c2,76,c5,e9,36,3e,09,a6,d2,bd,1d,af,ba,4e,61,7a,41,1b,17,09,b1,fc,0a,2c,\
"??"=hex:52,70,09,91,6f,23,13,4f,e6,ed,66,7c,28,0a,a2,4c

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-03-16 22:59:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 02:58

Pre-Run: 48,995,192,832 bytes free
Post-Run: 50,328,956,928 bytes free

- - End Of File - - 0AF5B8A272E0853AE5494CA951D2C07D



#8
March 16, 2010 at 20:41:50
Looks good, how is the computer operating?

Delete the DDS icon from your desktop if you downloaded it.


Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#9
March 16, 2010 at 21:01:46
jabuck, you're a life-saver. Everything looks good. Thank you so much for your help.


#10
March 16, 2010 at 21:09:44
Glad we could help, happy surfing.

