Google search redirecting, windows error msgs

January 7, 2010 at 08:59:44
Specs: Windows Vista
Hi,

Google search results are constantly redirecting me to other sites when I click on them. Also, a 'directdrd' pop up keeps opening, and I'm getting a number of windows error messages, particularly one that says 'an unauthorised change has been made to windows'. Please could you help me in locating and removing this virus? It's driving me mad and AVG isn't getting rid of it!

Thanks a lot,

James




#1
January 7, 2010 at 14:44:49
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. It will extract to an unzipped folder; drag TDSSKiller.exe out of that folder onto the desktop.
2. Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
4. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.



#2
January 9, 2010 at 05:30:59
Malware Bytes Log:

Malwarebytes' Anti-Malware 1.44
Database version: 3526
Windows 6.0.6000
Internet Explorer 7.0.6000.16916

09/01/2010 13:27:50
mbam-log-2010-01-09 (13-27-50).txt

Scan type: Quick Scan
Objects scanned: 101188
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Windows\System32\0019.DLL (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\lops.tmp\svchost.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\temp\vvuk.tmp\svchost.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


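The most telling line in the MBAM log above is the Winlogon\Userinit entry: Winlogon runs every comma-separated program in that value at logon, so appending sdra64.exe to it is how this Zbot sample survived reboots. The following is an added example (not part of the original post or of MBAM) that pulls the "Bad:" Userinit value out of MBAM log lines, lists the entries that are not the expected userinit.exe, and, on a Windows host only, reads the live value so the same check can be repeated after cleanup. The sample lines are the two Userinit lines from the log above, embedded so it runs offline.

```python
import ntpath
import re
from typing import List, Tuple

# Sample input: the two Winlogon\Userinit lines from the MBAM log posted in this
# thread, embedded here so the script runs without the original file.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
"""

# On a clean system the Userinit value holds only userinit.exe (normally with a
# trailing comma). Anything else listed there is executed by Winlogon at logon.
EXPECTED_BASENAMES = ("userinit.exe",)


def userinit_extras(value: str, expected=EXPECTED_BASENAMES) -> List[str]:
    """Return the Userinit entries whose file name is not the expected logon helper."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() not in expected]


# Matches MBAM's "Hijack.Userinit" style line and captures the 'Bad:' value.
MBAM_USERINIT = re.compile(
    r"Winlogon\\Userinit \((?P<det>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good:"
)


def bad_userinit_from_mbam(log: str) -> List[Tuple[str, List[str]]]:
    """For each MBAM Userinit line with a 'Bad:' value, return (detection, extra entries)."""
    out = []
    for line in log.splitlines():
        m = MBAM_USERINIT.search(line)
        if m:
            out.append((m.group("det"), userinit_extras(m.group("bad"))))
    return out


def live_userinit_value():
    """Read the live Userinit value on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for det, extras in bad_userinit_from_mbam(SAMPLE_MBAM_LOG):
        print(det, "->", extras)
    live = live_userinit_value()
    if live is not None:
        print("live Userinit extras:", userinit_extras(live))
```

The comparison is on the file name only, so the Vista default "C:\Windows\system32\userinit.exe," and the bare "Userinit.exe" that MBAM lists as "Good" both pass; anything with another name, wherever it lives, is reported.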

#3
January 9, 2010 at 05:34:59
Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:42, on 09/01/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\James\Downloads\tools.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\0020.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5624 bytes

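A HijackThis log is long and most of it is normal, which is why the helper asked not to fix anything yet. As an added example (not part of the original post or of HijackThis), here is a small triage script that reads the log format above and pulls out only the entry types that commonly carry persistence or injection: O20 AppInit_DLLs (a DLL loaded into every process that links user32.dll), O20 Winlogon Notify packages, O2 BHO registrations whose file is gone, and O4 Run entries whose executable sits outside Program Files or Windows. The sample input is a subset of the log above plus one constructed O4 line pointing into a Temp folder, added so the "user-writable location" rule has something to flag; the trusted-prefix list and the rules are the example's own assumptions.

```python
import re
from typing import List, Tuple

# Sample input: a subset of the HijackThis log posted in this thread. The
# "[updater]" O4 line is constructed for this example and is NOT from the thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updater] C:\Users\user\AppData\Local\Temp\upd.exe
O20 - AppInit_DLLs: C:\Windows\system32\0020.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Assumption for this example: autoruns under these roots need admin rights to
# plant, so an O4 entry elsewhere (profile, Temp) deserves a closer look.
TRUSTED_PREFIXES = ("c:\\program files", "%programfiles%", "c:\\progra~1", "c:\\windows")


def run_target(body: str):
    """Extract the executable path from an O4 body: '[name] "path" switches' or '[name] path -switch'."""
    m = re.search(r"\]\s+(?P<cmd>.*)$", body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut at the first " -" or " /" command-line switch.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def triage_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, entry) for the entries worth a human's attention."""
    findings = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and ("(no file)" in body or "(file missing)" in body):
            findings.append((sec, "orphaned BHO registration", body))
        elif sec == "O4":
            target = run_target(body)
            if target and not target.lower().startswith(TRUSTED_PREFIXES):
                findings.append((sec, "autorun from outside Program Files/Windows", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "AppInit_DLLs loads into every user32-linked process", body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((sec, "Winlogon Notify package runs at logon", body))
    return findings


if __name__ == "__main__":
    for sec, reason, entry in triage_hjt(SAMPLE_HJT):
        print(f"{sec:4} {reason}\n     {entry}")
```

The output is a shortlist, not a verdict: SASWINLO.dll is SUPERAntiSpyware's own logon component and the orphaned AVG entry is just leftover, whereas an AppInit_DLLs value naming a numerically named DLL in system32 is the kind of entry to look up before deciding anything.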


#4
January 9, 2010 at 05:52:21
TDSSKiller Log:

13:55:11:760 3804 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
13:55:11:761 3804 ================================================================================
13:55:11:761 3804 SystemInfo:

13:55:11:761 3804 OS Version: 6.0.6000 ServicePack: 0.0
13:55:11:761 3804 Product type: Workstation
13:55:11:761 3804 ComputerName: JAMES-PC
13:55:11:762 3804 UserName: James
13:55:11:762 3804 Windows directory: C:\Windows
13:55:11:762 3804 Processor architecture: Intel x86
13:55:11:762 3804 Number of processors: 2
13:55:11:762 3804 Page size: 0x1000
13:55:11:766 3804 Boot type: Normal boot
13:55:11:766 3804 ================================================================================
13:55:11:770 3804 ForceUnloadDriver: NtUnloadDriver error 2
13:55:11:770 3804 ForceUnloadDriver: NtUnloadDriver error 2
13:55:11:771 3804 ForceUnloadDriver: NtUnloadDriver error 2
13:55:11:772 3804 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\Drivers\KLMD.sys) returned status 0
13:55:11:772 3804 main: Driver KLMD successfully dropped
13:55:11:851 3804 main: Driver KLMD successfully loaded
13:55:11:851 3804
Scanning Registry ...
13:55:11:852 3804 ScanServices: Searching service UACd.sys
13:55:11:852 3804 ScanServices: Open/Create key error 2
13:55:11:852 3804 ScanServices: Searching service TDSSserv.sys
13:55:11:852 3804 ScanServices: Open/Create key error 2
13:55:11:852 3804 ScanServices: Searching service gaopdxserv.sys
13:55:11:852 3804 ScanServices: Open/Create key error 2
13:55:11:852 3804 ScanServices: Searching service gxvxcserv.sys
13:55:11:852 3804 ScanServices: Open/Create key error 2
13:55:11:852 3804 ScanServices: Searching service MSIVXserv.sys
13:55:11:852 3804 ScanServices: Open/Create key error 2
13:55:11:855 3804 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 81C00000
13:55:11:856 3804 UnhookRegistry: Kernel local addr: 1360000
13:55:11:856 3804 UnhookRegistry: KeServiceDescriptorTable addr: 1491B00
13:55:11:859 3804 UnhookRegistry: KiServiceTable addr: 13E07B4
13:55:11:859 3804 UnhookRegistry: NtEnumerateKey service number (local): 85
13:55:11:859 3804 UnhookRegistry: NtEnumerateKey local addr: 1497F06
13:55:11:869 3804 KLMD_OpenDevice: Trying to open KLMD device
13:55:11:869 3804 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
13:55:11:869 3804 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
13:55:11:869 3804 KLMD_ReadMem: Trying to ReadMemory 0x81C7E735[0x4]
13:55:11:869 3804 UnhookRegistry: NtEnumerateKey service number (kernel): 85
13:55:11:869 3804 KLMD_ReadMem: Trying to ReadMemory 0x81C809C8[0x4]
13:55:11:869 3804 UnhookRegistry: NtEnumerateKey real addr: 81D37F06
13:55:11:870 3804 UnhookRegistry: NtEnumerateKey calc addr: 81D37F06
13:55:11:870 3804 UnhookRegistry: No SDT hooks found on NtEnumerateKey
13:55:11:870 3804 KLMD_ReadMem: Trying to ReadMemory 0x81D37F06[0xA]
13:55:11:870 3804 UnhookRegistry: No splicing found on NtEnumerateKey
13:55:11:873 3804
Scanning Kernel memory ...
13:55:11:874 3804 KLMD_OpenDevice: Trying to open KLMD device
13:55:11:874 3804 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
13:55:11:874 3804 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:55:11:874 3804 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8413DA18
13:55:11:874 3804 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
13:55:11:874 3804 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8951DAD8
13:55:11:874 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8951DAD8
13:55:11:874 3804 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 89523AB8
13:55:11:874 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89523AB8
13:55:11:874 3804 KLMD_ReadMem: Trying to ReadMemory 0x89523AB8[0x38]
13:55:11:874 3804 DetectCureTDL3: DRIVER_OBJECT addr: 84EAB418
13:55:11:874 3804 KLMD_ReadMem: Trying to ReadMemory 0x84EAB418[0xA8]
13:55:11:874 3804 KLMD_ReadMem: Trying to ReadMemory 0x84EAB3C8[0x208]
13:55:11:875 3804 13:55:11:875 3804 DetectCureTDL3: IrpHandler (0) addr: 886640DC
13:55:11:875 3804 DetectCureTDL3: IrpHandler (1) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (2) addr: 88664120
13:55:11:875 3804 DetectCureTDL3: IrpHandler (3) addr: 88664248
13:55:11:875 3804 DetectCureTDL3: IrpHandler (4) addr: 8866434A
13:55:11:875 3804 DetectCureTDL3: IrpHandler (5) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (6) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (7) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (8) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (9) addr: 886641B8
13:55:11:875 3804 DetectCureTDL3: IrpHandler (10) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (11) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (12) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (13) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (14) addr: 88664164
13:55:11:875 3804 DetectCureTDL3: IrpHandler (15) addr: 8866418E
13:55:11:875 3804 DetectCureTDL3: IrpHandler (16) addr: 88664294
13:55:11:875 3804 DetectCureTDL3: IrpHandler (17) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (18) addr: 8866406C
13:55:11:876 3804 DetectCureTDL3: IrpHandler (19) addr: 88633528
13:55:11:876 3804 DetectCureTDL3: IrpHandler (20) addr: 88633528
13:55:11:876 3804 DetectCureTDL3: IrpHandler (21) addr: 88633528
13:55:11:876 3804 DetectCureTDL3: IrpHandler (22) addr: 8866421E
13:55:11:876 3804 DetectCureTDL3: IrpHandler (23) addr: 886642E0
13:55:11:876 3804 DetectCureTDL3: IrpHandler (24) addr: 88633528
13:55:11:876 3804 DetectCureTDL3: IrpHandler (25) addr: 88633528
13:55:11:876 3804 DetectCureTDL3: IrpHandler (26) addr: 88633528
13:55:11:876 3804 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:55:11:876 3804 KLMD_ReadMem: DeviceIoControl error 1
13:55:11:876 3804 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:55:11:876 3804 13:55:11:876 3804 13:55:11:876 3804 13:55:11:876 3804 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89591718
13:55:11:876 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89591718
13:55:11:876 3804 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89591C70
13:55:11:877 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89591C70
13:55:11:877 3804 KLMD_ReadMem: Trying to ReadMemory 0x89591C70[0x38]
13:55:11:877 3804 DetectCureTDL3: DRIVER_OBJECT addr: 84EAB418
13:55:11:877 3804 KLMD_ReadMem: Trying to ReadMemory 0x84EAB418[0xA8]
13:55:11:877 3804 KLMD_ReadMem: Trying to ReadMemory 0x84EAB3C8[0x208]
13:55:11:877 3804 13:55:11:877 3804 DetectCureTDL3: IrpHandler (0) addr: 886640DC
13:55:11:877 3804 DetectCureTDL3: IrpHandler (1) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (2) addr: 88664120
13:55:11:877 3804 DetectCureTDL3: IrpHandler (3) addr: 88664248
13:55:11:877 3804 DetectCureTDL3: IrpHandler (4) addr: 8866434A
13:55:11:877 3804 DetectCureTDL3: IrpHandler (5) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (6) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (7) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (8) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (9) addr: 886641B8
13:55:11:877 3804 DetectCureTDL3: IrpHandler (10) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (11) addr: 88633528
13:55:11:877 3804 DetectCureTDL3: IrpHandler (12) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (13) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (14) addr: 88664164
13:55:11:878 3804 DetectCureTDL3: IrpHandler (15) addr: 8866418E
13:55:11:878 3804 DetectCureTDL3: IrpHandler (16) addr: 88664294
13:55:11:878 3804 DetectCureTDL3: IrpHandler (17) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (18) addr: 8866406C
13:55:11:878 3804 DetectCureTDL3: IrpHandler (19) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (20) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (21) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (22) addr: 8866421E
13:55:11:878 3804 DetectCureTDL3: IrpHandler (23) addr: 886642E0
13:55:11:878 3804 DetectCureTDL3: IrpHandler (24) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (25) addr: 88633528
13:55:11:878 3804 DetectCureTDL3: IrpHandler (26) addr: 88633528
13:55:11:878 3804 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:55:11:878 3804 KLMD_ReadMem: DeviceIoControl error 1
13:55:11:878 3804 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:55:11:878 3804 13:55:11:879 3804 13:55:11:879 3804 13:55:11:879 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 84140AD8
13:55:11:879 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84140AD8
13:55:11:879 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 833418E8
13:55:11:879 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 833418E8
13:55:11:879 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 83768030
13:55:11:879 3804 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83768030
13:55:11:879 3804 KLMD_ReadMem: Trying to ReadMemory 0x83768030[0x38]
13:55:11:879 3804 DetectCureTDL3: DRIVER_OBJECT addr: 84DBA770
13:55:11:879 3804 KLMD_ReadMem: Trying to ReadMemory 0x84DBA770[0xA8]
13:55:11:879 3804 KLMD_ReadMem: Trying to ReadMemory 0x83767BB0[0x38]
13:55:11:879 3804 KLMD_ReadMem: Trying to ReadMemory 0x8375C370[0xA8]
13:55:11:879 3804 KLMD_ReadMem: Trying to ReadMemory 0x8375C320[0x208]
13:55:11:879 3804 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:55:11:879 3804 DetectCureTDL3: IrpHandler (0) addr: 84179841
13:55:11:879 3804 DetectCureTDL3: IrpHandler (1) addr: 84179841
13:55:11:879 3804 DetectCureTDL3: IrpHandler (2) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (3) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (4) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (5) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (6) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (7) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (8) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (9) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (10) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (11) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (12) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (13) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (14) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (15) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (16) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (17) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (18) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (19) addr: 84179841
13:55:11:880 3804 DetectCureTDL3: IrpHandler (20) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (21) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (22) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (23) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (24) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (25) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (26) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: All IRP handlers pointed to one addr: 84179841
13:55:11:881 3804 KLMD_ReadMem: Trying to ReadMemory 0x84179841[0x400]
13:55:11:881 3804 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
13:55:11:881 3804 Driver "atapi" Irp handler infected by TDSS rootkit ... 13:55:11:882 3804 KLMD_WriteMem: Trying to WriteMemory 0x841798BA[0xD]
13:55:11:882 3804 cured
13:55:11:883 3804 KLMD_ReadMem: Trying to ReadMemory 0x841796EC[0x400]
13:55:11:883 3804 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 249, 0
13:55:11:883 3804 TDL3_FileDetect: Processing driver: atapi
13:55:11:883 3804 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\atapi.sys, C:\Windows\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
13:55:11:883 3804 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
13:55:11:883 3804 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
13:55:11:911 3804 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 13:55:11:912 3804 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
13:55:11:912 3804 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
13:55:11:933 3804 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\Drivers\atapi.tsk
13:55:12:069 3804 TDL3_FileCure: Image path (system32\Drivers\atapi.tsk) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
13:55:12:069 3804 TDL3_FileCure: KLMD_PendCopyFileW (C:\Windows\system32\Drivers\atapi.tsk, C:\Windows\system32\drivers\atapi.sys) success
13:55:12:069 3804 will be cured on next reboot
13:55:12:072 3804
Completed

Results:
13:55:12:073 3804 Infected objects in memory: 1
13:55:12:073 3804 Cured objects in memory: 1
13:55:12:074 3804 Infected objects on disk: 1
13:55:12:074 3804 Objects on disk cured on reboot: 1
13:55:12:074 3804 Objects on disk deleted on reboot: 0
13:55:12:075 3804 Registry nodes deleted on reboot: 0
13:55:12:075 3804

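The detection in the TDSSKiller log above rests on one observation: for the \Driver\Disk stack the IRP handler slots point to several different routines, while for atapi every one of the 27 logged slots points to the same address (84179841), which is what "All IRP handlers pointed to one addr" reports just before the driver is declared infected. As an added example (not part of the original post or of TDSSKiller), this script parses that log format, groups the IrpHandler lines per DRIVER_OBJECT, and reproduces the uniform-dispatch-table heuristic. The sample input is an abridged excerpt of the log above; note that repeated addresses on their own are normal (88633528 is the disk driver's shared "not supported" handler), so the rule only fires when the whole table is uniform.

```python
import re
from typing import List

# Sample input: abridged excerpt of the TDSSKiller log posted in this thread,
# including one line with the tool's doubled timestamp prefix as it appeared.
SAMPLE_TDSSKILLER_LOG = r"""
13:55:11:874 3804 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8413DA18
13:55:11:874 3804 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8951DAD8
13:55:11:874 3804 DetectCureTDL3: DRIVER_OBJECT addr: 84EAB418
13:55:11:875 3804 13:55:11:875 3804 DetectCureTDL3: IrpHandler (0) addr: 886640DC
13:55:11:875 3804 DetectCureTDL3: IrpHandler (1) addr: 88633528
13:55:11:875 3804 DetectCureTDL3: IrpHandler (2) addr: 88664120
13:55:11:875 3804 DetectCureTDL3: IrpHandler (5) addr: 88633528
13:55:11:879 3804 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 83768030
13:55:11:879 3804 DetectCureTDL3: DRIVER_OBJECT addr: 84DBA770
13:55:11:879 3804 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:55:11:879 3804 DetectCureTDL3: IrpHandler (0) addr: 84179841
13:55:11:879 3804 DetectCureTDL3: IrpHandler (1) addr: 84179841
13:55:11:879 3804 DetectCureTDL3: IrpHandler (2) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: IrpHandler (26) addr: 84179841
13:55:11:881 3804 DetectCureTDL3: All IRP handlers pointed to one addr: 84179841
"""

# search() rather than match(): the timestamp/PID prefix is sometimes doubled.
DRV_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT addr: ([0-9A-Fa-f]+)")
NAME_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")


def parse_dispatch_tables(log: str) -> List[dict]:
    """Group IrpHandler lines under the DRIVER_OBJECT that precedes them."""
    tables = []
    cur = None
    for line in log.splitlines():
        m = DRV_RE.search(line)
        if m:
            cur = {"driver_object": m.group(1), "name": None, "handlers": {}}
            tables.append(cur)
            continue
        if cur is None:
            continue
        m = NAME_RE.search(line)
        if m:
            cur["name"] = m.group(2)
            continue
        m = IRP_RE.search(line)
        if m:
            cur["handlers"][int(m.group(1))] = int(m.group(2), 16)
    return tables


def flag_uniform_dispatch(tables: List[dict]):
    """TDL3 heuristic: every major-function slot pointing at one routine is not how a
    real storage driver is built. Returns (driver name or object address, handler)."""
    flagged = []
    for t in tables:
        addrs = set(t["handlers"].values())
        if len(t["handlers"]) >= 2 and len(addrs) == 1:
            flagged.append((t["name"] or t["driver_object"], f"{addrs.pop():08X}"))
    return flagged


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_TDSSKILLER_LOG)
    for t in tables:
        print(t["name"] or t["driver_object"], "->",
              len(t["handlers"]), "slots,", len(set(t["handlers"].values())), "distinct handlers")
    print("flagged:", flag_uniform_dispatch(tables))
```

What the log cannot show is whether that single handler lies inside atapi.sys's own image or in memory the rootkit mapped elsewhere; TDSSKiller's TDL3_IrpHookDetect does that check against the live kernel, which is why it then moves on to the on-disk atapi.sys rather than stopping at the memory patch.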


#5
January 9, 2010 at 05:57:49
Had a bit of a problem with TDSSKiller. When I rebooted after the scan (it said it needed to reboot to fix the error it found), Windows wouldn't load because C:\Windows\system32\drivers\atapi.sys was corrupt or missing. As a result, I had to boot from the last successful settings, meaning TDSSKiller hasn't fixed this problem. When it tries to on reboot, it corrupts the file and stops Windows loading. Any ideas?


#6
January 9, 2010 at 06:00:55
RSIT Log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by James at 2010-01-09 14:03:00
Microsoft® Windows Vista™ Ultimate
System drive C: has 68 GB (65%) free of 105 GB
Total RAM: 1014 MB (36% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:03:08, on 09/01/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\James\Downloads\RSIT.exe
C:\Program Files\trend micro\James.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\0020.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5919 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-02 1004136]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-07-03 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-07-03 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-06-26 137752]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 141600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-10-29 1232896]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]
"Steam"=C:\Program Files\Steam\Steam.exe [2009-11-03 1217808]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\system32\0020.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-06-26 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-01-09 14:03:00 ----D---- C:\rsit
2010-01-09 14:03:00 ----D---- C:\Program Files\trend micro
2010-01-09 13:55:11 ----A---- C:\TDSSKiller.2.1.1_09.01.2010_13.55.11_log.txt
2010-01-09 13:18:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-09 03:54:32 ----A---- C:\Windows\system32\0020.DLL
2010-01-09 03:54:20 ----AH---- C:\Windows\system32\wexe.exe
2010-01-03 18:11:07 ----D---- C:\Windows\Minidump
2010-01-02 18:04:22 ----SD---- C:\Combo-Fix7120C
2010-01-02 18:03:45 ----D---- C:\32788R22FWJFW
2010-01-02 17:19:46 ----D---- C:\Users\James\AppData\Roaming\Malwarebytes
2010-01-02 17:19:36 ----D---- C:\ProgramData\Malwarebytes
2010-01-02 11:17:47 ----SHD---- C:\$RECYCLE.BIN
2010-01-02 11:13:21 ----D---- C:\Windows\temp
2010-01-02 11:03:35 ----A---- C:\Windows\zip.exe
2010-01-02 11:03:35 ----A---- C:\Windows\SWXCACLS.exe
2010-01-02 11:03:35 ----A---- C:\Windows\SWSC.exe
2010-01-02 11:03:35 ----A---- C:\Windows\SWREG.exe
2010-01-02 11:03:35 ----A---- C:\Windows\sed.exe
2010-01-02 11:03:35 ----A---- C:\Windows\PEV.exe
2010-01-02 11:03:35 ----A---- C:\Windows\NIRCMD.exe
2010-01-02 11:03:35 ----A---- C:\Windows\MBR.exe
2010-01-02 11:03:35 ----A---- C:\Windows\grep.exe
2010-01-02 11:03:19 ----D---- C:\Windows\ERDNT
2010-01-02 10:52:19 ----D---- C:\Qoobox
2010-01-02 10:32:32 ----D---- C:\Program Files\AVG
2010-01-02 10:32:31 ----D---- C:\ProgramData\avg9
2010-01-01 22:21:28 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-01-01 22:21:28 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-01 21:39:20 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2010-01-01 21:38:37 ----D---- C:\Users\James\AppData\Roaming\SUPERAntiSpyware.com
2010-01-01 21:38:37 ----D---- C:\Program Files\SUPERAntiSpyware
2010-01-01 21:37:30 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-22 14:55:40 ----D---- C:\Intel
2009-12-22 14:43:10 ----D---- C:\Program Files\Ken Salter

======List of files/folders modified in the last 1 months======

2010-01-09 14:03:08 ----D---- C:\Windows\Prefetch
2010-01-09 14:03:00 ----RD---- C:\Program Files
2010-01-09 14:01:05 ----D---- C:\Users\James\AppData\Roaming\Skype
2010-01-09 13:59:58 ----D---- C:\Program Files\Steam
2010-01-09 13:59:08 ----D---- C:\Program Files\Mozilla Firefox
2010-01-09 13:51:08 ----D---- C:\Windows\System32
2010-01-09 13:51:08 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-09 13:51:07 ----D---- C:\Windows\inf
2010-01-09 13:44:40 ----SHD---- C:\System Volume Information
2010-01-09 13:41:46 ----D---- C:\Windows\system32\drivers
2010-01-09 13:30:21 ----RSD---- C:\Windows\assembly
2010-01-09 13:10:05 ----SD---- C:\Users\James\AppData\Roaming\Microsoft
2010-01-09 13:10:05 ----D---- C:\Windows
2010-01-09 13:09:58 ----D---- C:\ProgramData
2010-01-09 13:03:36 ----D---- C:\Users\James\AppData\Roaming\skypePM
2010-01-09 04:00:31 ----D---- C:\Windows\system32\spool
2010-01-03 18:11:28 ----D---- C:\ProgramData\NOS
2010-01-03 18:11:19 ----SD---- C:\Windows\Downloaded Program Files
2010-01-02 18:21:44 ----SHD---- C:\Windows\Installer
2010-01-02 17:58:51 ----D---- C:\Windows\Cursors
2010-01-02 11:14:12 ----A---- C:\Windows\system.ini
2010-01-02 11:10:03 ----D---- C:\Windows\AppPatch
2010-01-02 11:10:02 ----D---- C:\Program Files\Common Files
2010-01-02 10:32:05 ----D---- C:\Windows\winsxs
2010-01-02 10:31:44 ----D---- C:\Program Files\Common Files\microsoft shared
2010-01-02 10:22:53 ----D---- C:\Windows\Tasks
2010-01-01 21:36:13 ----D---- C:\Windows\system32\Tasks
2010-01-01 20:46:35 ----AD---- C:\ProgramData\TEMP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2009-10-29 320000]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-12-16 74480]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-12-06 761856]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-06-26 1776128]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-12-16 7408]
R3 SNC;Sony Firmware Extension Parser Device; C:\Windows\System32\Drivers\SonyNC.sys [2009-10-29 27520]
R3 ti21sony;ti21sony; C:\Windows\system32\drivers\ti21sony.sys [2007-04-23 812544]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 194048]
S3 catchme;catchme; \??\C:\Users\James\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-06-26 1776128]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2006-11-02 521216]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-11-01 320760]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2006-11-02 22016]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2006-11-02 562176]

-----------------EOF-----------------


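The log.txt above already contains the tells a malware helper acts on: a non-empty AppInit_DLLs value pointing at C:\Windows\system32\0020.DLL (created 2010-01-09 03:54:32, and the file ComboFix deletes later in the thread), a hidden wexe.exe created in the same folder twelve seconds earlier, and "EnableLUA"=0, meaning UAC is switched off. As an added example (not part of this thread and not RSIT's own code), the Python script below parses the RSIT log.txt format and flags those indicators automatically. The sample input is a constructed subset of the log lines posted above; the five-minute clustering window used to tie wexe.exe to the AppInit DLL is an assumption, as are the finding labels.

```python
"""Triage helper for RSIT (random's system information tool) log.txt output.

Added example, not from the thread or the RSIT tool. It flags three things
visible in the log: a populated AppInit_DLLs value, hidden executables in
system32, and UAC disabled via EnableLUA=0.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the RSIT log.txt lines posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\system32\0020.DLL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0

======List of files/folders created in the last 1 months======

2010-01-09 14:03:00 ----D---- C:\rsit
2010-01-09 03:54:32 ----A---- C:\Windows\system32\0020.DLL
2010-01-09 03:54:20 ----AH---- C:\Windows\system32\wexe.exe
2010-01-02 11:03:35 ----A---- C:\Windows\zip.exe
2010-01-02 10:32:32 ----D---- C:\Program Files\AVG
"""

REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
FILE_LINE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-+[A-Z]*-+) (.+)$')


def parse_registry(text):
    """Return {key: {value_name: data}} for the '[KEY]' / "name"=data blocks."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if current and m:
            keys[current][m.group(1)] = m.group(2).strip('"')
    return keys


def parse_created_files(text):
    """Return [(created, attribute_letters, path)] from the created-files list."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
            out.append((created, m.group(2).replace('-', ''), m.group(3)))
    return out


def triage(text, cluster_window=timedelta(minutes=5)):
    """Flag persistence and hardening tells; returns [(label, detail)]."""
    findings = []
    reg = parse_registry(text)
    files = parse_created_files(text)

    for key, values in reg.items():
        low_key = key.lower()
        # Every DLL in AppInit_DLLs is loaded into each process that loads
        # user32.dll; on a home PC the value is normally empty.
        if low_key.endswith(r'windows nt\currentversion\windows'):
            for name, data in values.items():
                if name.lower() == 'appinit_dlls' and data:
                    findings.append(('APPINIT_DLL', data))
        # EnableLUA=0 turns UAC off, so any process the user runs is elevated.
        if low_key.endswith(r'policies\system') and values.get('EnableLUA') == '0':
            findings.append(('UAC_DISABLED', key))

    appinit_paths = {d.lower() for kind, d in findings if kind == 'APPINIT_DLL'}
    appinit_times = [c for c, _, p in files if p.lower() in appinit_paths]
    for created, attrs, path in files:
        low = path.lower()
        # Hidden (H attribute) binaries dropped into the system directory.
        if 'H' in attrs and low.endswith(('.exe', '.dll', '.sys')):
            findings.append(('HIDDEN_BINARY', path))
        # Anything created within cluster_window of the AppInit DLL is
        # treated as part of the same drop (assumed window, not from the log).
        if low not in appinit_paths and any(
                abs(created - t) <= cluster_window for t in appinit_times):
            findings.append(('DROPPED_WITH_APPINIT', path))
    return findings


if __name__ == '__main__':
    for label, detail in triage(SAMPLE_LOG):
        print(label, detail)
```

Run it against a saved log.txt with `triage(open('log.txt').read())`; on the sample it reports the AppInit DLL, UAC disabled, and wexe.exe twice (hidden, and created in the same window as 0020.DLL), which is the same cluster the helpers targeted with TDSSKiller and ComboFix.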

#7
January 9, 2010 at 06:01:35
RSIT Info Log:

info.txt logfile of random's system information tool 1.06 2010-01-09 14:03:10

======Uninstall list======

Acrobat.com-->msiexec /qb /x {6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Acrobat.com-->MsiExec.exe /I{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
AlacrityPC-->MsiExec.exe /I{B6D0F294-B844-4FAF-9993-FAC10E9E0F94}
Apple Application Support-->MsiExec.exe /I{B607C354-CD79-4D22-86D1-92DC94153F42}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
EASEUS Deleted File Recovery 2.1.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{865A8951-8D9A-46CB-84A2-3D67BA38B923}\setup.exe" -l0x9 -removeonly
Football Manager 2010-->"C:\Program Files\Steam\steam.exe" steam://uninstall/34000
HijackThis 2.0.2-->"C:\Users\James\Downloads\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Mozilla Firefox (3.5.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
PC Inspector File Recovery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
Recover My Files-->"C:\Program Files\GetData\Recover My Files v4\unins000.exe"
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AS: Windows Defender (outdated)
AS: SUPERAntiSpyware

======System event log======

Computer Name: James-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {80EEA67D-2A6C-4BE5-BA83-18B6B3A74DB6}
User: James-PC\James
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: driver:KLMD
Alert Type: Unclassified software
Detection Type:
Record Number: 30650
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20100109134148.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 30655
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20100109134249.938800-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: James-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {F43C98FE-32D2-464A-A5D9-B5E575734CE8}
User: James-PC\James
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: driver:KLMD
Alert Type: Unclassified software
Detection Type:
Record Number: 30669
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20100109135514.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {C8C4B67C-165C-4D96-912A-2AF074AA0EF4}
User: James-PC\James
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: service:KLMD
Alert Type: Unclassified software
Detection Type:
Record Number: 30670
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20100109135514.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 30676
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20100109135708.596200-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: James-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16916, time stamp 0x4a966cea, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000374, fault offset 0x000af1c9, process id 0xb18, application start time 0x01ca912d62bf4380.
Record Number: 1872
Source Name: Application Error
Time Written: 20100109131235.000000-000
Event Type: Error
User:

Computer Name: James-PC
Event Code: 1022
Message: The system has been tampered. hr=0xC004D401
Record Number: 1875
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20100109131833.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 1022
Message: The system has been tampered. hr=0xC004D401
Record Number: 1876
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20100109131836.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 1022
Message: The system has been tampered. hr=0xC004D401
Record Number: 1877
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20100109131837.000000-000
Event Type: Warning
User:

Computer Name: James-PC
Event Code: 8193
Message: License Activation Scheduler (SLUINotify.dll) failed with the following error code:
0xC004D401
Record Number: 1878
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20100109131842.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: James-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-1610590215-151946896-3371143812-1000
Account Name: James
Account Domain: James-PC
Logon ID: 0x2f04f

Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
Record Number: 4622
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100109135839.103804-000
Event Type: Audit Success
User:

Computer Name: James-PC
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 4623
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100109135839.244204-000
Event Type: Audit Failure
User:

Computer Name: James-PC
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 4624
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100109135839.244204-000
Event Type: Audit Failure
User:

Computer Name: James-PC
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 4625
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100109135839.244204-000
Event Type: Audit Failure
User:

Computer Name: James-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Program Files\SUPERAntiSpyware\SASENUM.SYS
Record Number: 4626
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100109135852.083004-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 12, GenuineIntel
"PROCESSOR_REVISION"=0e0c
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------



#8
January 9, 2010 at 07:12:19
I don't see an antivirus program running; to continue you need to install one.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans.

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

If it does not uninstall then navigate to and delete these files/folders if found:


Desktop icon
C:\Combofix.txt
C:\Combofix
C:\Combo-Fix7120C
C:\32788R22FWJFW

Remember, your AVG antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#9
January 10, 2010 at 06:01:36
Thanks for all your help so far. Here's the ComboFix Log:

ComboFix 10-01-04.01 - James 10/01/2010 13:18:07.4.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.44.1033.18.1014.241 [GMT 0:00]
Running from: c:\users\James\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\0020.DLL
c:\windows\system32\WORK.DAT

.
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-10 13:26 . 2010-01-10 13:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-10 13:26 . 2010-01-10 13:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-10 13:15 . 2010-01-10 13:16 -------- d-----w- C:\32788R22FWJFW
2010-01-10 13:04 . 2010-01-10 13:04 -------- d-----w- C:\$AVG
2010-01-10 13:03 . 2010-01-10 13:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-10 13:03 . 2010-01-10 13:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-10 13:03 . 2010-01-10 13:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-10 13:03 . 2010-01-10 13:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-10 13:02 . 2010-01-10 13:03 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-09 14:03 . 2010-01-09 14:03 -------- d-----w- C:\rsit
2010-01-09 14:03 . 2010-01-09 14:03 -------- d-----w- c:\program files\trend micro
2010-01-09 13:41 . 2010-01-09 13:55 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-09 13:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 13:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 13:18 . 2010-01-09 13:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 03:54 . 2010-01-09 03:54 37888 ---ha-w- c:\windows\system32\wexe.exe
2010-01-06 04:05 . 2010-01-10 12:51 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-02 17:19 . 2010-01-02 17:19 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2010-01-02 17:19 . 2010-01-02 17:19 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 11:17 . 2010-01-10 13:30 -------- d-----w- c:\users\James\AppData\Local\temp
2010-01-02 10:32 . 2010-01-02 10:32 -------- d-----w- c:\program files\AVG
2010-01-02 10:32 . 2010-01-10 13:01 -------- d-----w- c:\programdata\avg9
2010-01-01 22:21 . 2010-01-09 13:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 22:21 . 2010-01-09 13:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 21:39 . 2010-01-01 21:39 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-01 21:38 . 2010-01-01 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 21:38 . 2010-01-01 21:38 -------- d-----w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com
2010-01-01 21:37 . 2010-01-01 21:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-22 15:08 . 2009-12-22 15:08 -------- d-----w- c:\users\James\AppData\Local\Ken_Salter
2009-12-22 14:55 . 2009-12-22 14:55 -------- d-----w- C:\Intel
2009-12-22 14:43 . 2009-12-22 14:43 -------- d-----w- c:\program files\Ken Salter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 13:31 . 2009-11-22 18:06 -------- d-----w- c:\users\James\AppData\Roaming\Skype
2010-01-10 13:30 . 2009-11-01 15:46 -------- d-----w- c:\program files\Steam
2010-01-09 13:55 . 2010-01-09 13:41 19048 ----a-w- c:\windows\system32\drivers\atapi.tsk
2010-01-09 13:03 . 2009-11-22 18:09 -------- d-----w- c:\users\James\AppData\Roaming\skypePM
2010-01-03 18:11 . 2009-10-29 14:38 -------- d-----w- c:\programdata\NOS
2010-01-02 18:22 . 2010-01-03 10:44 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-02 18:22 . 2010-01-03 10:44 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-02 18:22 . 2010-01-03 10:44 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-02 18:22 . 2010-01-03 10:44 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-02 18:22 . 2010-01-03 10:44 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-02 18:22 . 2010-01-03 10:44 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-01 21:40 . 2010-01-01 21:40 52224 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 21:40 . 2010-01-01 21:40 117760 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-04 20:54 . 2009-12-04 20:54 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-22 18:09 . 2009-11-22 18:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-22 18:05 . 2009-11-22 18:04 -------- d-----r- c:\program files\Skype
2009-11-22 18:04 . 2009-11-22 18:04 -------- d-----w- c:\program files\Common Files\Skype
2009-11-22 18:04 . 2009-11-22 18:04 -------- d-----w- c:\programdata\Skype
2009-11-15 21:46 . 2009-11-15 21:46 -------- d-----w- c:\program files\Microsoft
2009-11-15 21:46 . 2009-11-15 21:45 -------- d-----w- c:\program files\Windows Live
2009-11-15 21:45 . 2009-11-15 21:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-15 21:43 . 2009-11-15 21:43 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-15 18:41 . 2009-11-15 18:41 -------- d-----w- c:\program files\MSECache
2009-11-15 14:04 . 2009-11-07 11:18 -------- d-----w- c:\users\James\AppData\Roaming\BitTorrent
2009-11-14 09:16 . 2009-11-14 09:16 -------- d-----w- c:\program files\EASEUS
2009-11-14 09:16 . 2009-10-29 15:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 22:15 . 2009-11-03 22:15 268800 ----a-w- c:\windows\system32\es.dll
2009-11-03 20:36 . 2009-11-03 20:36 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-03 20:36 . 2009-11-03 20:36 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-03 20:36 . 2009-11-03 20:36 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-03 20:36 . 2009-11-03 20:36 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-03 20:35 . 2009-11-03 20:35 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-03 20:35 . 2009-11-03 20:35 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-03 20:35 . 2009-11-03 20:35 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-03 20:35 . 2009-11-03 20:35 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-03 20:35 . 2009-11-03 20:35 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-02 20:42 . 2009-10-29 20:11 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 22:00 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 08:00 . 2009-10-31 08:00 1585664 ----a-w- c:\windows\system32\setupapi.dll
2009-10-29 21:06 . 2009-10-29 21:06 0 ----a-w- c:\windows\nsreg.dat
2009-10-29 20:36 . 2009-10-29 20:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-29 20:35 . 2009-10-29 20:35 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-10-29 20:35 . 2009-10-29 20:35 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-10-29 20:35 . 2009-10-29 20:35 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-10-29 20:35 . 2009-10-29 20:35 272896 ----a-w- c:\windows\system32\polstore.dll
2009-10-29 20:34 . 2009-10-29 20:34 87040 ----a-w- c:\windows\system32\msoert2.dll
2009-10-29 20:34 . 2009-10-29 20:34 39424 ----a-w- c:\windows\system32\ACCTRES.dll
2009-10-29 20:34 . 2009-10-29 20:34 205824 ----a-w- c:\windows\system32\msoeacct.dll
2009-10-29 20:32 . 2009-10-29 20:32 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-10-29 20:32 . 2009-10-29 20:32 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-10-29 20:31 . 2009-10-29 20:31 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-10-29 20:31 . 2009-10-29 20:31 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-10-29 20:31 . 2009-10-29 20:31 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-10-29 20:31 . 2009-10-29 20:31 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-10-29 20:31 . 2009-10-29 20:31 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-10-29 20:31 . 2009-10-29 20:31 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-10-29 20:30 . 2009-10-29 20:30 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-10-29 20:30 . 2009-10-29 20:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-10-29 20:30 . 2009-10-29 20:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-10-29 20:30 . 2009-10-29 20:30 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-10-29 20:30 . 2009-10-29 20:30 24064 ----a-w- c:\windows\system32\lpk.dll
2009-10-29 20:30 . 2009-10-29 20:30 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-10-29 20:30 . 2009-10-29 20:30 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-10-29 20:29 . 2009-10-29 20:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-29 20:28 . 2009-10-29 20:28 49664 ----a-w- c:\windows\system32\csrsrv.dll
2009-10-29 20:28 . 2009-10-29 20:28 376320 ----a-w- c:\windows\system32\winsrv.dll
2009-10-29 20:28 . 2009-10-29 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-10-29 20:28 . 2009-10-29 20:28 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-10-29 20:28 . 2009-10-29 20:28 2855424 ----a-w- c:\windows\system32\mf.dll
2009-10-29 20:28 . 2009-10-29 20:28 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-10-29 20:28 . 2009-10-29 20:28 2048 ----a-w- c:\windows\system32\mferror.dll
2009-10-29 20:26 . 2009-10-29 20:26 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-10-29 20:25 . 2009-10-29 20:25 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-29 20:25 . 2009-10-29 20:25 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 20:25 . 2009-10-29 20:25 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-10-29 20:25 . 2009-10-29 20:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 20:25 . 2009-10-29 20:25 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-10-29 20:25 . 2009-10-29 20:25 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-29 20:25 . 2009-10-29 20:25 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-29 20:23 . 2009-10-29 20:23 71680 ----a-w- c:\windows\system32\atl.dll
2009-10-29 20:23 . 2009-10-29 20:23 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-10-29 20:21 . 2009-10-29 20:21 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-29 20:21 . 2009-10-29 20:21 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-29 20:20 . 2009-10-29 20:20 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-10-29 20:20 . 2009-10-29 20:20 374456 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-10-29 20:19 . 2009-10-29 20:19 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-10-29 20:19 . 2009-10-29 20:19 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-10-29 20:19 . 2009-10-29 20:19 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-10-29 20:18 . 2009-10-29 20:18 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-10-29 20:18 . 2009-10-29 20:18 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-10-29 20:18 . 2009-10-29 20:18 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-10-29 20:18 . 2009-10-29 20:18 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-10-29 20:17 . 2009-10-29 20:17 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-10-29 20:17 . 2009-10-29 20:17 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-10-29 20:17 . 2009-10-29 20:17 414208 ----a-w- c:\windows\system32\msscp.dll
2009-10-29 20:16 . 2009-10-29 20:16 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2009-10-29 20:16 . 2009-10-29 20:16 86016 ----a-w- c:\windows\system32\icfupgd.dll
2009-10-29 20:16 . 2009-10-29 20:16 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2009-10-29 20:16 . 2009-10-29 20:16 61952 ----a-w- c:\windows\system32\cmifw.dll
2009-10-29 20:16 . 2009-10-29 20:16 396800 ----a-w- c:\windows\system32\MPSSVC.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-10-29 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-03 1217808]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-10 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1610590215-151946896-3371143812-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/01/2010 13:03 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/01/2010 13:03 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/01/2010 13:02 285392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [23/04/2007 13:29 812544]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\62yai7ml.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\users\James\Downloads\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 13:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84565841]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82955d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x8075c9ae
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\vssvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\AVG\AVG9\avgnsx.exe
.
**************************************************************************
.
Completion time: 2010-01-10 13:38:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 13:38

Pre-Run: 71,075,631,104 bytes free
Post-Run: 71,579,332,608 bytes free

- - End Of File - - 0F5A5E7BB056BC75B52CB3972335382E



#10
January 10, 2010 at 07:27:10
Do you still get the error and redirects?


#11
January 10, 2010 at 08:05:29
Unfortunately, yes... Anything else I can do?


#12
January 10, 2010 at 19:49:47
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\wexe.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Please post the log that is produced.

Please run the BitDefender online scan at this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.


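Added example, not code from this thread, from ComboFix or from its author: a small Python parser for the "Files Created" / "Find3M" entry format shown in the logs above, plus a triage rule that surfaces c:\windows\system32\wexe.exe, the file the CFScript in #12 targets. The log shows that file as a hidden (---ha-w-) executable created in system32 the day before the scan, which is the kind of entry a helper reading these logs looks for first. The sample lines below are constructed in the same shape as the posted log, the scan time is the "Rootkit scan" timestamp from it, and the scoring heuristic (hidden file under system32, or executable created within the last 30 days) is an assumption for illustration rather than ComboFix's own logic; anything it flags still needs a person to confirm before it goes into a script, as happens in this thread.

```python
import re
from datetime import datetime, timedelta

# One ComboFix "Files Created" / "Find3M" entry looks like:
#   <created> . <modified> <size, or -------- for a directory> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Constructed sample in the same shape as the log above (not a real capture).
SAMPLE_LOG = r"""
2010-01-10 13:03 . 2010-01-10 13:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 03:54 . 2010-01-09 03:54 37888 ---ha-w- c:\windows\system32\wexe.exe
2010-01-06 04:05 . 2010-01-10 12:51 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-02 17:19 . 2010-01-02 17:19 -------- d-----w- c:\programdata\Malwarebytes
2009-11-22 18:09 . 2009-11-22 18:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-03 20:36 . 2009-11-03 20:36 53472 ----a-w- c:\windows\system32\wuauclt.exe
"""
SCAN_TIME = datetime(2010, 1, 10, 13, 32)  # "Rootkit scan 2010-01-10 13:32" in the log

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")


def parse_entries(text):
    """Return one dict per well-formed entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"][0] == "d"      # first attribute column is 'd' for directories
        e["hidden"] = "h" in e["attrs"]         # 'h' flag in the attribute column
        e["system"] = "s" in e["attrs"]
        e["size"] = None if e["is_dir"] else int(e["size"])
        e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
        e["modified"] = datetime.strptime(e["modified"], "%Y-%m-%d %H:%M")
        entries.append(e)
    return entries


def triage(text, scan_time, recent_days=30):
    """Map each flagged system32 file to the reasons it was flagged.

    Heuristic (an assumption for illustration, not ComboFix's own logic):
      - a hidden file directly under system32 is unusual on a normal install;
      - an executable created under system32 shortly before the scan deserves a look.
    Entries with more reasons sort first, then alphabetically by path.
    """
    flagged = {}
    for e in parse_entries(text):
        if e["is_dir"]:
            continue
        path = e["path"].lower()
        if not path.startswith("c:\\windows\\system32\\"):
            continue
        reasons = []
        if e["hidden"]:
            reasons.append("hidden file in system32")
        if path.endswith(EXEC_EXT) and scan_time - e["created"] <= timedelta(days=recent_days):
            reasons.append("executable created in the last %d days" % recent_days)
        if reasons:
            flagged[e["path"]] = reasons
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def build_cfscript(paths):
    """Render paths in the CFScript layout used in #12: KILLALL::, then a File:: block."""
    return "KILLALL::\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, SCAN_TIME)
    for path, reasons in hits.items():
        print(path, "<-", "; ".join(reasons))
    # Only the strongest hit is rendered; a person still confirms it before use.
    top = next(iter(hits))
    print(build_cfscript([top]))
```

On the constructed sample, wexe.exe is the only entry that trips both rules; the AVG component, the Skype data file and wupd.dat each trip one and land in the "review" tail of the list, which is why the helper's script names only wexe.exe. A legitimately installed security product will often show up as a freshly created executable in system32, so the recent-executable rule on its own is a prompt to look, not a verdict.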

#13
January 11, 2010 at 13:24:17
ComboFix Log:

ComboFix 10-01-11.01 - James 11/01/2010 20:45:10.5.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.44.1033.18.1014.343 [GMT 0:00]
Running from: c:\users\James\Desktop\Combo-Fix.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\wexe.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wexe.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 20:53 . 2010-01-11 21:18 -------- d-----w- c:\users\James\AppData\Local\temp
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-11 20:39 . 2010-01-11 20:40 -------- d-----w- C:\32788R22FWJFW
2010-01-10 13:04 . 2010-01-10 13:04 -------- d-----w- C:\$AVG
2010-01-10 13:03 . 2010-01-10 13:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-10 13:03 . 2010-01-10 13:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-10 13:03 . 2010-01-10 13:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-10 13:03 . 2010-01-10 13:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-02 17:19 . 2010-01-02 17:19 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2010-01-02 17:19 . 2010-01-02 17:19 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 10:32 . 2010-01-02 10:32 -------- d-----w- c:\program files\AVG
2010-01-02 10:32 . 2010-01-10 13:01 -------- d-----w- c:\programdata\avg9
2010-01-01 22:21 . 2010-01-09 13:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 22:21 . 2010-01-09 13:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 21:40 . 2010-01-01 21:40 52224 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 21:40 . 2010-01-01 21:40 117760 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 21:39 . 2010-01-01 21:39 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-01 21:38 . 2010-01-01 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 21:38 . 2010-01-01 21:38 -------- d-----w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com
2010-01-01 21:37 . 2010-01-01 21:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-22 15:08 . 2009-12-22 15:08 -------- d-----w- c:\users\James\AppData\Local\Ken_Salter
2009-12-22 14:55 . 2009-12-22 14:55 -------- d-----w- C:\Intel
2009-12-22 14:43 . 2009-12-22 14:43 -------- d-----w- c:\program files\Ken Salter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 21:20 . 2009-11-22 18:06 -------- d-----w- c:\users\James\AppData\Roaming\Skype
2010-01-11 21:19 . 2009-11-01 15:46 -------- d-----w- c:\program files\Steam
2010-01-10 16:00 . 2009-11-22 18:09 -------- d-----w- c:\users\James\AppData\Roaming\skypePM
2010-01-10 13:02 . 2010-01-03 10:44 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-10 13:02 . 2010-01-03 10:44 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-10 13:02 . 2010-01-03 10:44 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-10 13:02 . 2010-01-03 10:44 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-10 13:02 . 2010-01-03 10:44 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-10 13:02 . 2010-01-03 10:44 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-10 12:51 . 2010-01-06 04:05 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-09 14:03 . 2010-01-09 14:03 -------- d-----w- c:\program files\trend micro
2010-01-09 13:55 . 2010-01-09 13:41 19048 ----a-w- c:\windows\system32\drivers\atapi.tsk
2010-01-09 13:55 . 2010-01-09 13:41 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-09 13:18 . 2010-01-09 13:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 16:07 . 2010-01-09 13:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2010-01-09 13:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 18:11 . 2009-10-29 14:38 -------- d-----w- c:\programdata\NOS
2009-12-04 20:54 . 2009-12-04 20:54 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-22 18:09 . 2009-11-22 18:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-22 18:05 . 2009-11-22 18:04 -------- d-----r- c:\program files\Skype
2009-11-22 18:04 . 2009-11-22 18:04 -------- d-----w- c:\program files\Common Files\Skype
2009-11-22 18:04 . 2009-11-22 18:04 -------- d-----w- c:\programdata\Skype
2009-11-15 21:46 . 2009-11-15 21:46 -------- d-----w- c:\program files\Microsoft
2009-11-15 21:46 . 2009-11-15 21:45 -------- d-----w- c:\program files\Windows Live
2009-11-15 21:45 . 2009-11-15 21:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-15 21:43 . 2009-11-15 21:43 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-15 18:41 . 2009-11-15 18:41 -------- d-----w- c:\program files\MSECache
2009-11-15 14:04 . 2009-11-07 11:18 -------- d-----w- c:\users\James\AppData\Roaming\BitTorrent
2009-11-14 09:16 . 2009-11-14 09:16 -------- d-----w- c:\program files\EASEUS
2009-11-14 09:16 . 2009-10-29 15:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 22:15 . 2009-11-03 22:15 268800 ----a-w- c:\windows\system32\es.dll
2009-11-03 20:36 . 2009-11-03 20:36 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-03 20:36 . 2009-11-03 20:36 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-03 20:36 . 2009-11-03 20:36 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-03 20:36 . 2009-11-03 20:36 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-03 20:35 . 2009-11-03 20:35 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-03 20:35 . 2009-11-03 20:35 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-03 20:35 . 2009-11-03 20:35 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-03 20:35 . 2009-11-03 20:35 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-03 20:35 . 2009-11-03 20:35 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-02 20:42 . 2009-10-29 20:11 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 22:00 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 08:00 . 2009-10-31 08:00 1585664 ----a-w- c:\windows\system32\setupapi.dll
2009-10-29 21:06 . 2009-10-29 21:06 0 ----a-w- c:\windows\nsreg.dat
2009-10-29 20:36 . 2009-10-29 20:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-29 20:35 . 2009-10-29 20:35 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-10-29 20:35 . 2009-10-29 20:35 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-10-29 20:35 . 2009-10-29 20:35 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-10-29 20:35 . 2009-10-29 20:35 272896 ----a-w- c:\windows\system32\polstore.dll
2009-10-29 20:34 . 2009-10-29 20:34 87040 ----a-w- c:\windows\system32\msoert2.dll
2009-10-29 20:34 . 2009-10-29 20:34 39424 ----a-w- c:\windows\system32\ACCTRES.dll
2009-10-29 20:34 . 2009-10-29 20:34 205824 ----a-w- c:\windows\system32\msoeacct.dll
2009-10-29 20:32 . 2009-10-29 20:32 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-10-29 20:32 . 2009-10-29 20:32 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-10-29 20:31 . 2009-10-29 20:31 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-10-29 20:31 . 2009-10-29 20:31 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-10-29 20:31 . 2009-10-29 20:31 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-10-29 20:31 . 2009-10-29 20:31 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-10-29 20:31 . 2009-10-29 20:31 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-10-29 20:31 . 2009-10-29 20:31 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-10-29 20:30 . 2009-10-29 20:30 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-10-29 20:30 . 2009-10-29 20:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-10-29 20:30 . 2009-10-29 20:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-10-29 20:30 . 2009-10-29 20:30 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-10-29 20:30 . 2009-10-29 20:30 24064 ----a-w- c:\windows\system32\lpk.dll
2009-10-29 20:30 . 2009-10-29 20:30 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-10-29 20:30 . 2009-10-29 20:30 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-10-29 20:29 . 2009-10-29 20:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-29 20:28 . 2009-10-29 20:28 49664 ----a-w- c:\windows\system32\csrsrv.dll
2009-10-29 20:28 . 2009-10-29 20:28 376320 ----a-w- c:\windows\system32\winsrv.dll
2009-10-29 20:28 . 2009-10-29 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-10-29 20:28 . 2009-10-29 20:28 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-10-29 20:28 . 2009-10-29 20:28 2855424 ----a-w- c:\windows\system32\mf.dll
2009-10-29 20:28 . 2009-10-29 20:28 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-10-29 20:28 . 2009-10-29 20:28 2048 ----a-w- c:\windows\system32\mferror.dll
2009-10-29 20:26 . 2009-10-29 20:26 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-10-29 20:25 . 2009-10-29 20:25 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-29 20:25 . 2009-10-29 20:25 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 20:25 . 2009-10-29 20:25 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-10-29 20:25 . 2009-10-29 20:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 20:25 . 2009-10-29 20:25 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-10-29 20:25 . 2009-10-29 20:25 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-29 20:25 . 2009-10-29 20:25 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-29 20:23 . 2009-10-29 20:23 71680 ----a-w- c:\windows\system32\atl.dll
2009-10-29 20:23 . 2009-10-29 20:23 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-10-29 20:21 . 2009-10-29 20:21 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-29 20:21 . 2009-10-29 20:21 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-29 20:20 . 2009-10-29 20:20 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-10-29 20:20 . 2009-10-29 20:20 374456 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-10-29 20:19 . 2009-10-29 20:19 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-10-29 20:19 . 2009-10-29 20:19 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-10-29 20:19 . 2009-10-29 20:19 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-10-29 20:18 . 2009-10-29 20:18 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-10-29 20:18 . 2009-10-29 20:18 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-10-29 20:18 . 2009-10-29 20:18 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-10-29 20:18 . 2009-10-29 20:18 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-10-29 20:17 . 2009-10-29 20:17 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-10-29 20:17 . 2009-10-29 20:17 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-10-29 20:17 . 2009-10-29 20:17 414208 ----a-w- c:\windows\system32\msscp.dll
2009-10-29 20:16 . 2009-10-29 20:16 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-10-29 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-03 1217808]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-10 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1610590215-151946896-3371143812-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/01/2010 13:03 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/01/2010 13:03 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/01/2010 13:02 285392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [23/04/2007 13:29 812544]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\62yai7ml.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 21:17
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84563841]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82955d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x8075c9ae
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-11 21:24:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 21:23
ComboFix2.txt 2010-01-10 13:38

Pre-Run: 70,719,696,896 bytes free
Post-Run: 71,220,428,800 bytes free

- - End Of File - - 63E83360B03A3158EEF3E9D0EE6AA3AF



#14
January 11, 2010 at 19:00:33
I believe this file I'm asking you to check is a baddie also but lets check it before we delete it.

Please go to Virus Total and upload the following file for analysis:

c:\windows\system32\wupd.dat

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button > click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.



#15
January 12, 2010 at 11:44:36
Bit Defender Log:

BitDefender Online Scanner

Scan report generated at: Tue, Jan 12, 2010 - 07:52:10
Scan path: C:\;D:\;F:\;G:\;

Statistics
Time: 00:39:13
Files: 150072
Folders: 14977
Boot Sectors: 0
Archives: 1949
Packed Files: 10951

Results
Identified Viruses: 2
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info
Virus Definitions: 4853901
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Nov 24 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Qoobox\Quarantine\C\Windows\MSA.EXE.vir - Infected with: Gen:Trojan.Heur.Renos.kqW@bCXIKOc
C:\Qoobox\Quarantine\C\Windows\MSA.EXE.vir - Disinfection failed
C:\Qoobox\Quarantine\C\Windows\MSA.EXE.vir - Deleted
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir - Infected with: Trojan.Generic.2920618
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir - Deleted



#16
January 12, 2010 at 11:49:09
c:\windows\system32\wupd.dat isn't there anymore - I've searched in that directory.

Still got the same problem with redirects I'm afraid.



#17
January 12, 2010 at 15:11:48
Navigate to and delete this file:

c:\windows\system32\ezsidmv.dat

If you did not find the file do the following and look again:

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Let me know if the redirects stop.





#18
January 12, 2010 at 15:28:43
Just done that, but still redirecting I'm afraid. Thanks for the continued help! Am I ever going to be able to beat this?


#19
January 12, 2010 at 15:39:48
I am thinking that also, but it is probably the atapi.sys file. This scan may be long and take more than one post to get all the info to us.

Please download OTL from following site:

OTL by OldTimer

1. Save it to your desktop
2. Double click the OTL icon on your desktop
3. Close any open browsers.
4. Double-click on OTL.exe to start the program.
Leave all settings as they appear as default, except for the following:

Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Post the contents of that Notepad document in your next reply.


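Hashing the same driver list outside OTL, as an added example (editor's code, not part of this thread, OTL or ComboFix): the script parses the /md5start ... /md5stop block from post #19, hashes every copy of each named file it can find under the roots you give it (on a real machine those would be %SystemRoot%\System32\drivers plus the dllcache and winsxs trees, which are assumed paths here), and flags files whose copies disagree. A driver infector that patches atapi.sys in place changes the hash but not the size, so size and timestamp columns in a scan log are not a tell. The SHA-256 the helper returns is also what you paste into VirusTotal's search box for the wupd.dat check in post #14, which avoids uploading the file at all. The sample bytes, the baseline hash and the temporary directory layout are constructed for the demo.

```python
"""Hash the boot-stack drivers named in OTL's /md5start list and flag
copies on disk that disagree.  Example added by the editor, not code from
the thread, OTL or ComboFix.  Sample bytes, baseline hash and the temp
directory layout are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

# The custom-scan list from post #19, as OTL reads it (tokens, not lines).
OTL_MD5_LIST = ("/md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll "
                "sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys "
                "atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys "
                "nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys "
                "ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys "
                "ahcix86s.sys /md5stop").split()


def parse_md5_list(tokens):
    """File names between /md5start and /md5stop, in order."""
    names, inside = [], False
    for tok in tokens:
        if tok.lower() == "/md5start":
            inside = True
        elif tok.lower() == "/md5stop":
            inside = False
        elif inside:
            names.append(tok)
    return names


def file_digests(path, chunk=1 << 20):
    """(md5, sha256) of a file: MD5 is what OTL prints, SHA-256 is the hash
    you paste into VirusTotal's search instead of uploading the file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_copies(name, roots):
    """Every file called `name` under the given roots (case-insensitive)."""
    return [Path(d) / f for root in roots for d, _, files in os.walk(root)
            for f in files if f.lower() == name.lower()]


def check_drivers(names, roots, baseline):
    """name -> rows of (path, size, md5, sha256, verdict).
    verdict is 'match' when the MD5 is in baseline[name], 'UNKNOWN' when a
    baseline exists but does not contain it, 'no-baseline' when there is
    nothing to compare against, and 'missing' when no copy was found."""
    report = {}
    for name in names:
        rows = []
        for p in find_copies(name, roots):
            md5, sha = file_digests(p)
            known = baseline.get(name.lower())
            verdict = ("no-baseline" if known is None
                       else "match" if md5 in known else "UNKNOWN")
            rows.append((str(p), p.stat().st_size, md5, sha, verdict))
        report[name] = rows or [(None, 0, None, None, "missing")]
    return report


def inconsistent_copies(report):
    """Names whose on-disk copies do not all share one hash: a patched
    drivers\\ copy next to a clean dllcache/winsxs one looks exactly so."""
    return sorted(n for n, rows in report.items()
                  if len({r[2] for r in rows if r[2]}) > 1)


def run_demo():
    """Constructed tree: a clean atapi.sys in a dllcache-like directory and
    a same-size, byte-patched one in a drivers-like directory."""
    clean = b"constructed stand-in for atapi.sys; not a real driver image\n"
    patched = bytearray(clean)
    patched[12:16] = b"HOOK"  # in-place patch: the size stays identical
    base = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    drivers, dllcache = base / "drivers", base / "dllcache"
    drivers.mkdir()
    dllcache.mkdir()
    (drivers / "atapi.sys").write_bytes(bytes(patched))
    (dllcache / "atapi.sys").write_bytes(clean)
    baseline = {"atapi.sys": {hashlib.md5(clean).hexdigest()}}  # constructed
    report = check_drivers(parse_md5_list(OTL_MD5_LIST),
                           [drivers, dllcache], baseline)
    return report, inconsistent_copies(report)


if __name__ == "__main__":
    rep, bad = run_demo()
    for name in bad:
        for path, size, md5, _, verdict in rep[name]:
            print(f"{name}: {verdict:11} {size:6} {md5} {path}")
```

Baseline hashes would come from a known-clean install of the same Vista build; with no baseline every verdict is 'no-baseline' and the disagreement between copies is the only signal, which is still enough to tell you which copy to submit for analysis.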

#20
January 13, 2010 at 12:10:22
OTL Extras txt:

OTL Extras logfile created on: 13/01/2010 10:23:12 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Users\James\Desktop
Windows Vista Ultimate Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16916)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.48 Gb Total Space | 66.39 Gb Free Space | 64.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMES-PC
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]


[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1610590215-151946896-3371143812-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


[color=#E56717]========== Vista Active Open Ports Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{470BBAC2-04AA-45E6-A346-728CB964138F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{5F88F3A0-9B91-4699-8310-85049CC29E3D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D0915BEF-D8D8-4087-AF14-AA7112EAC3EE}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

[color=#E56717]========== Vista Active Application Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01757C36-3B78-4AF1-A9A1-BEDA97D07BB5}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\crssc.exe |
"{0259E570-4CED-4E9E-85C1-64D1671C7047}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\crssc.exe |
"{0483B50B-E153-4C61-8D49-C5025CEF59C3}" = protocol=17 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{079B1BBC-AF8D-440D-A924-52E88B98AF10}" = protocol=6 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{16E0D017-8FF3-4FFD-B765-BE3D7FB1B8D4}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\instmodule.exe |
"{1A7117E1-231F-408E-BA69-A5635D0BAC2C}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{1AED1DB8-F14A-4B0E-87DA-FF97520F47CE}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\audiodgt.exe |
"{21EC835A-7EF7-486F-A484-1755D035E428}" = dir=in | app=c:\program files\avg\avg9\avgnsx.exe |
"{39CB3C4C-A0CA-4B62-A29D-2EC0CA8CB216}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{436820F2-F153-48E2-9ABE-4BF7AE1F8FEA}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\ntexplore.exe |
"{453DCED8-5C2E-4CD2-B267-5C160A576092}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{4AB5E93C-DC4A-4659-AF83-7389CD12A315}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\a2dspi.exe |
"{5D591DBC-5730-42CF-8E39-C4FBB53C77CD}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{63177467-393B-492C-BF83-804370ABB424}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{68ED258A-719F-4995-91FD-8E01E161B1C2}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\mvnetdhcp.exe |
"{6B34D077-7995-4CA5-9A12-5E2DD8BF7C59}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\mvnetdhcp.exe |
"{6BDCA594-9A11-4D0C-9A60-0D38D91D8253}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\football manager 2010\fm.exe |
"{70E950E0-ACC2-472B-BF1B-AB7E690618FA}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{777C0943-6FC6-46D5-BC2F-EBC18600A8B4}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{7B1DFC46-E9B3-4535-8C03-45BCE91A703F}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{81299F22-5946-46CA-B2ED-54D5F453E713}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{94A4CC48-B571-4529-B711-BE4BA6FC0448}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A6E03D97-2070-4FA7-AAA0-9EF56604DD47}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B70096FF-4323-4C4A-B170-134B7BCEE4E0}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\a2dspi.exe |
"{B7D46154-0326-4908-B5D1-8DC6DEF7F9AA}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\instmodule.exe |
"{BCF32EB4-369D-49B7-907B-4718C169BB64}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{C3E953EA-5462-4A55-A3A7-03D43267C428}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\football manager 2010\fm.exe |
"{C840848D-C370-40DE-B23F-9FCE13362573}" = protocol=6 | dir=in | app=c:\users\james\appdata\local\temp\audiodgt.exe |
"{ECE80709-5A44-409C-8A3E-CFA6010CC2D1}" = protocol=17 | dir=in | app=c:\users\james\appdata\local\temp\ntexplore.exe |
"{F0230893-70E7-4D6C-B9FD-6B6A10DAE4DC}" = dir=in | app=c:\program files\avg\avg9\avgupd.exe |
"TCP Query User{5C00DE8B-1485-4102-93BD-55D5A976C5D8}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{FE1C8C9D-5042-416C-A5F5-91C1D8F672F3}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{582CD104-A5EB-42FC-82D4-98A5B2512C91}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{F1620C76-EE6E-4C17-8707-8294A077B708}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{865A8951-8D9A-46CB-84A2-3D67BA38B923}" = EASEUS Deleted File Recovery 2.1.1
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B6D0F294-B844-4FAF-9993-FAC10E9E0F94}" = AlacrityPC
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"BitTorrent" = BitTorrent
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Recover My Files_is1" = Recover My Files
"Steam App 34000" = Football Manager 2010
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

[color=#E56717]========== HKEY_CURRENT_USER Uninstall List ==========[/color]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[color=#E56717]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 10/01/2010 11:49:13 | Computer Name = James-PC | Source = System Restore | ID = 8210
Description =

Error - 10/01/2010 19:51:29 | Computer Name = James-PC | Source = Application Error | ID = 1000
Description = Faulting application mcupdate.EXE, version 6.0.6000.16386, time stamp
0x4549b55f, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x000111ff, process id 0x1010, application start time
0x01ca924fd19f1600.

Error - 10/01/2010 20:23:17 | Computer Name = James-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16916, time stamp
0x4a966cea, faulting module avgssie.dll, version 9.0.0.713, time stamp 0x4b0fc863,
exception code 0xc0000005, fault offset 0x0002c769, process id 0xbd8, application
start time 0x01ca9246061bcea0.

Error - 11/01/2010 01:28:15 | Computer Name = James-PC | Source = System Restore | ID = 8193
Description =

Error - 11/01/2010 01:28:15 | Computer Name = James-PC | Source = System Restore | ID = 8210
Description =

Error - 11/01/2010 20:37:56 | Computer Name = James-PC | Source = System Restore | ID = 8193
Description =

Error - 11/01/2010 20:37:56 | Computer Name = James-PC | Source = System Restore | ID = 8210
Description =

Error - 12/01/2010 20:27:21 | Computer Name = James-PC | Source = System Restore | ID = 8193
Description =

Error - 12/01/2010 20:27:21 | Computer Name = James-PC | Source = System Restore | ID = 8210
Description =

Error - 13/01/2010 05:24:21 | Computer Name = James-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16916, time stamp
0x4a966cea, faulting module mshtml.dll, version 7.0.6000.16939, time stamp 0x4adc7aa8,
exception code 0xc0000005, fault offset 0x000b7426, process id 0xf40, application
start time 0x01ca943197460fa4.

[ System Events ]
Error - 11/01/2010 16:44:16 | Computer Name = James-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 11/01/2010 16:44:16 | Computer Name = James-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 11/01/2010 16:44:18 | Computer Name = James-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 11/01/2010 16:44:20 | Computer Name = James-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 11/01/2010 16:44:20 | Computer Name = James-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 11/01/2010 16:54:26 | Computer Name = James-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 11/01/2010 17:28:42 | Computer Name = James-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/01/2010 17:29:26 | Computer Name = James-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 11/01/2010 19:31:38 | Computer Name = James-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 23:30:00 on 11/01/2010 was unexpected.

Error - 13/01/2010 05:19:16 | Computer Name = James-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 09:17:58 on 13/01/2010 was unexpected.


< End of report >



#21
January 13, 2010 at 12:11:06
Part 1 of OTL scan:

OTL logfile created on: 13/01/2010 10:23:12 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Users\James\Desktop
Windows Vista Ultimate Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16916)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.48 Gb Total Space | 66.39 Gb Free Space | 64.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMES-PC
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010/01/13 09:21:27 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
PRC - [2010/01/10 13:35:21 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/01/10 13:02:26 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/01/10 13:02:25 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/01/10 13:02:25 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/01/10 13:02:25 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/01/10 13:02:04 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/03 21:46:44 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2009/10/29 20:12:29 | 02,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/07/03 09:09:28 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2007/07/03 09:05:42 | 00,154,136 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2007/06/26 10:28:38 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2006/11/02 09:46:02 | 00,143,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2006/10/27 00:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2003/10/31 19:42:40 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010/01/13 09:21:27 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
MOD - [2006/11/02 09:38:57 | 01,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - [2010/01/10 13:02:04 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/11/01 15:53:26 | 00,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/11/02 12:34:14 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/11/02 12:32:25 | 00,263,272 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - [2010/01/10 13:03:17 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/01/10 13:03:07 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/01/10 13:03:04 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/29 15:37:45 | 00,027,520 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SonyNC.sys -- (SNC)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/12/06 13:40:14 | 00,761,856 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/06/26 09:53:36 | 01,776,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/06/26 09:53:36 | 01,776,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2007/04/23 13:29:00 | 00,812,544 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2006/11/22 14:58:10 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/22 14:58:10 | 00,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/22 14:58:10 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 09:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 09:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 09:51:34 | 00,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 09:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 09:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 09:51:25 | 00,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 09:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 09:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 09:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 09:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 09:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 09:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 09:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 09:50:19 | 00,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 09:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 09:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 09:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 09:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 09:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 09:50:10 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 09:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 09:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 09:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 09:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 09:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 09:50:05 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 09:50:05 | 00,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 09:50:04 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 09:50:03 | 00,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 09:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 09:49:56 | 00,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 09:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 08:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 08:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 08:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 08:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 08:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 08:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 07:41:50 | 00,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (HSF_DPV)
DRV - [2006/11/02 07:41:49 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 07:41:48 | 00,654,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2006/11/02 07:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 07:30:56 | 00,194,048 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2006/11/02 07:30:54 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006/11/02 06:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/01/10 13:02:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 10:35:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 10:35:11 | 00,000,000 | ---D | M]

[2009/10/29 21:06:18 | 00,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2010/01/12 23:55:34 | 00,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\62yai7ml.default\extensions
[2009/10/29 21:05:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/16 18:18:41 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/10/16 18:18:41 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/10/16 18:18:41 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/10/16 18:18:41 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/res... (BDSCANONLINE Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/get... (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img3.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img3.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*


#22
January 13, 2010 at 12:11:35
Part 2:

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2006/11/02 11:18:47 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010/01/13 09:21:23 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
[2010/01/11 21:29:33 | 00,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010/01/11 21:24:10 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2010/01/11 21:22:38 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/01/11 20:53:27 | 00,000,000 | ---D | C] -- C:\Users\James\AppData\Local\temp
[2010/01/11 20:39:56 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/01/10 13:04:14 | 00,000,000 | ---D | C] -- C:\$AVG
[2010/01/10 13:03:18 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/01/10 13:03:17 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/01/10 13:03:07 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/01/10 13:03:03 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/01/10 13:02:35 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\Avg
[2010/01/09 14:03:00 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/01/09 14:03:00 | 00,000,000 | ---D | C] -- C:\rsit
[2010/01/09 13:41:45 | 00,016,904 | ---- | C] (Kaspersky Lab, Parshin Yury) -- C:\Windows\System32\drivers\KLMD.sys
[2010/01/09 13:40:36 | 00,137,480 | ---- | C] (Kaspersky Lab) -- C:\Users\James\Desktop\TDSSKiller.exe
[2010/01/09 13:18:06 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/09 13:18:03 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/09 13:18:02 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/03 18:11:07 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/01/02 17:19:46 | 00,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Malwarebytes
[2010/01/02 17:19:36 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/01/02 17:18:13 | 05,061,520 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\James\Desktop\mymalware.exe
[2010/01/02 11:03:35 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/01/02 11:03:35 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/01/02 11:03:35 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/01/02 11:03:35 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/01/02 11:03:19 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/01/02 10:52:19 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/02 10:32:32 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/01/02 10:32:31 | 00,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/01/01 22:21:28 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/01/01 22:21:28 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/01 21:39:20 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/01/01 21:38:37 | 00,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\SUPERAntiSpyware.com
[2010/01/01 21:38:37 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/01 21:37:30 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/22 15:08:31 | 00,000,000 | ---D | C] -- C:\Users\James\AppData\Local\Ken_Salter
[2009/12/22 15:08:03 | 00,000,000 | ---D | C] -- C:\Users\James\Documents\AlacrityPC Profiles
[2009/12/22 14:55:40 | 00,000,000 | ---D | C] -- C:\Intel
[2009/12/22 14:43:10 | 00,000,000 | ---D | C] -- C:\Program Files\Ken Salter

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010/01/13 10:23:17 | 02,097,152 | -HS- | M] () -- C:\Users\James\NTUSER.DAT
[2010/01/13 10:19:22 | 00,004,672 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/13 10:19:22 | 00,004,672 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/13 09:24:08 | 00,720,952 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/13 09:24:08 | 00,626,246 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/13 09:24:08 | 00,109,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/13 09:21:33 | 00,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010/01/13 09:21:27 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
[2010/01/13 09:19:23 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/13 09:19:14 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/13 09:19:10 | 10,634,44480 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/13 08:57:56 | 47,748,671 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/01/13 08:57:16 | 00,138,938 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/01/12 20:53:51 | 00,002,287 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/01/12 07:52:10 | 00,018,029 | ---- | M] () -- C:\Users\James\Desktop\log2.html
[2010/01/11 21:25:53 | 01,406,382 | -H-- | M] () -- C:\Users\James\AppData\Local\IconCache.db
[2010/01/11 21:17:59 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/01/11 21:17:34 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/01/11 20:39:47 | 03,820,564 | R--- | M] () -- C:\Users\James\Desktop\Combo-Fix.exe
[2010/01/10 13:03:20 | 00,001,647 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/01/10 13:03:18 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/01/10 13:03:17 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/01/10 13:03:07 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/01/10 13:03:04 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/01/10 13:03:03 | 00,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/01/10 13:02:37 | 00,492,629 | ---- | M] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/01/10 13:02:36 | 06,061,540 | ---- | M] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/01/10 12:51:27 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\wupd.dat
[2010/01/09 13:55:11 | 00,019,048 | ---- | M] () -- C:\Windows\System32\drivers\atapi.tsk
[2010/01/09 13:55:11 | 00,016,904 | ---- | M] (Kaspersky Lab, Parshin Yury) -- C:\Windows\System32\drivers\KLMD.sys
[2010/01/09 13:18:09 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/03 18:11:07 | 15,747,7035 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/01/02 17:18:40 | 05,061,520 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\James\Desktop\mymalware.exe
[2010/01/01 21:38:38 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/01 20:30:20 | 00,001,029 | ---- | M] () -- C:\Users\James\Desktop\Recover My Files.lnk
[2010/01/01 19:23:12 | 00,012,033 | ---- | M] () -- C:\Users\James\Documents\Untitled.docx
[2009/12/23 13:43:35 | 00,002,597 | ---- | M] () -- C:\Users\Public\Desktop\AlacrityPC.lnk
[2009/12/20 02:41:24 | 00,137,480 | ---- | M] (Kaspersky Lab) -- C:\Users\James\Desktop\TDSSKiller.exe

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010/01/13 09:21:33 | 00,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/01/12 19:48:24 | 00,018,029 | ---- | C] () -- C:\Users\James\Desktop\log2.html
[2010/01/11 20:39:18 | 03,820,564 | R--- | C] () -- C:\Users\James\Desktop\Combo-Fix.exe
[2010/01/10 13:03:20 | 00,001,647 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/01/10 13:03:03 | 00,113,461 | ---- | C] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/01/10 13:02:37 | 47,748,671 | ---- | C] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/01/10 13:02:37 | 00,138,938 | ---- | C] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/01/10 13:02:36 | 00,492,629 | ---- | C] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/01/10 13:02:35 | 06,061,540 | ---- | C] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/01/09 13:41:46 | 00,019,048 | ---- | C] () -- C:\Windows\System32\drivers\atapi.tsk
[2010/01/09 13:18:09 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 04:05:18 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\wupd.dat
[2010/01/03 18:10:16 | 15,747,7035 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/01/02 11:03:35 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/01/02 11:03:35 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/01/02 11:03:35 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/01/02 11:03:35 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/01/02 11:03:35 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/01/01 21:38:38 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/01 20:30:20 | 00,001,029 | ---- | C] () -- C:\Users\James\Desktop\Recover My Files.lnk
[2009/12/22 14:43:11 | 00,002,597 | ---- | C] () -- C:\Users\Public\Desktop\AlacrityPC.lnk
[2009/11/15 14:01:15 | 00,003,584 | ---- | C] () -- C:\Users\James\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/05 15:44:10 | 00,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2007/06/26 10:20:42 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll
[2006/11/02 12:34:23 | 00,080,010 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 12:34:20 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:25:21 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< %SYSTEMDRIVE%\*.exe >[/color]


[color=#A23BEC]< MD5 for: AGP440.SYS >[/color]
[2006/11/02 09:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 09:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 09:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

[color=#A23BEC]< MD5 for: ATAPI.SYS >[/color]
[2006/11/02 09:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2006/11/22 14:58:10 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2006/11/22 14:58:10 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\ERDNT\cache\atapi.sys
[2006/11/22 14:58:10 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\drivers\atapi.sys
[2006/11/22 14:58:10 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2006/11/22 14:58:10 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008/01/19 05:06:48 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\SoftwareDistribution\Download\c0a17eb89d8e2d806cdee4a2d05890b4\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/01/19 04:33:23 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\SoftwareDistribution\Download\c0a17eb89d8e2d806cdee4a2d05890b4\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

[color=#A23BEC]< MD5 for: CNGAUDIT.DLL >[/color]
[2006/11/02 09:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 09:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

[color=#A23BEC]< MD5 for: IASTORV.SYS >[/color]
[2006/11/02 09:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 09:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

[color=#A23BEC]< MD5 for: NETLOGON.DLL >[/color]
[2006/11/02 09:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\ERDNT\cache\netlogon.dll
[2006/11/02 09:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\System32\netlogon.dll
[2006/11/02 09:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll

[color=#A23BEC]< MD5 for: NVSTOR.SYS >[/color]
[2006/11/02 09:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 09:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

[color=#A23BEC]< MD5 for: SCECLI.DLL >[/color]
[2006/11/02 09:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\ERDNT\cache\scecli.dll
[2006/11/02 09:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\System32\scecli.dll
[2006/11/02 09:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

[color=#A23BEC]< %systemroot%\*. /mp /s >[/color]

[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:63238B95
< End of report >


#23
January 13, 2010 at 12:12:18
I'm still getting redirects and the directrdr pop-up...

#24
January 17, 2010 at 05:24:45
Thanks for all your help so far. Still getting redirects and pop-ups. Any more ideas?
