search engine redirect

Dell Latitude d600
December 23, 2009 at 14:44:11
Specs: Microsoft Windows XP Professional, 599 MHz / 511 MB
When I use Google in particular I get redirected to advertisements. Any and all help will be greatly appreciated.




#1
December 23, 2009 at 19:41:32
Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.

Download Gmer.exe from the following link.

Gmer.exe

Next reboot into safe mode using only the F8 method:

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press Enter on your keyboard to boot into Safe Mode.

Now run GMER from safe mode.

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.



#2
December 24, 2009 at 02:50:09
info.txt logfile of random's system information tool 1.06 2009-12-24 10:47:31

======Uninstall list======

-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Age of Mythology - The Titans Expansion-->"C:\Program Files\Microsoft Games\Age of Mythology\UNINSTXP.EXE" /runtemp /addremove
Age of Mythology-->"C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Blender (remove only)-->"C:\Program Files\Blender Foundation\Blender\uninstall.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
Character Builder-->MsiExec.exe /I{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D480 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Emperor: Rise of the Middle Kingdom 1.0.1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{821DABD6-26F2-49E5-AE55-40A589ADBE6D}\Setup.exe" -l0x9
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESC79_D78 User's Guide-->C:\Program Files\EPSON\TPMANUAL\ESC79_D78\ENG\USE_G\DOCUNINS.EXE
GameDrive-->"C:\Program Files\FarStone\GameDrive\Setup.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java(TM) 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB927977)-->MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
O2Micro Smartcard Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C5BED10B-42A9-4142-B4C2-008C0FDE27D5} /l1033
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Prism Video Converter-->C:\Program Files\NCH Software\Prism\uninst.exe
Python 2.6.4-->MsiExec.exe /I{E7394A0F-3F80-45B1-87FC-ABCD51893246}
QuickSet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Safari-->MsiExec.exe /I{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 8 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP8$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VLC media player 1.0.1-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"



#3
December 24, 2009 at 02:50:56
======System event log======

Computer Name: LAPTOP
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 10914
Source Name: Win32k
Time Written: 20091201164045.000000+000
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 10899
Source Name: b57w2k
Time Written: 20091201162053.000000+000
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 10859
Source Name: b57w2k
Time Written: 20091130204246.000000+000
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 10854
Source Name: Win32k
Time Written: 20091130192901.000000+000
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 10832
Source Name: b57w2k
Time Written: 20091130191632.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Record Number: 1441
Source Name: Application Error
Time Written: 20091114184302.000000+000
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Record Number: 1436
Source Name: Application Error
Time Written: 20091114184221.000000+000
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1001
Message: Fault bucket 742257550.

Record Number: 1430
Source Name: Application Error
Time Written: 20091114153704.000000+000
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Record Number: 1429
Source Name: Application Error
Time Written: 20091114153701.000000+000
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Record Number: 1426
Source Name: Application Error
Time Written: 20091114153645.000000+000
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL;C:\PROGRA~1\FARSTONE\GAMEDR~1\;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32;C:\PROGRA~1\FARSTONE\GAMEDR~1\GDP;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------



#4
December 24, 2009 at 02:52:08
Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-12-24 10:46:31
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (8%) free of 29 GB
Total RAM: 511 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:16, on 24/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\trend micro\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Windows DNS Manager] win32dns.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GameDrive] "C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_S83.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/crash-car-combat/en/"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8094 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job



#5
December 24, 2009 at 02:53:02
======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-03 263280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-21 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-11-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-03 263280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2006-11-01 1392640]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe []
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-12-08 32768]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2006-06-29 1032192]
"Google Quick Search Box"=C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [2009-09-03 122368]
"Windows DNS Manager"=win32dns.exe []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-17 149280]
""= []
"GameDrive"=C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe [2006-07-22 167936]
"EPSON Stylus D78 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE [2006-02-23 131072]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-10 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-09-03 39408]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe /background []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"=C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe [2009-07-31 468408]

C:\Documents and Settings\user\Start Menu\Programs\Startup
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\SYSTEM32\Ati2evxx.dll [2005-11-10 47616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\SYSTEM32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\Setup.exe
shell\setup\command - L:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02911090-d9ff-11de-bd93-000cf15da2de}]
shell\AutoRun\command - L:\Setup.exe
shell\setup\command - L:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6898ea90-b036-11de-bcdb-000cf15da2de}]
shell\AutoRun\command - F:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\wmmplayer.exe
shell\open\command - F:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\wmmplayer.exe


======List of files/folders created in the last 1 months======

2009-12-24 10:46:38 ----D---- C:\Program Files\trend micro
2009-12-24 10:46:31 ----D---- C:\rsit
2009-12-21 15:36:23 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Software
2009-12-21 15:36:02 ----D---- C:\Program Files\NCH Software
2009-12-09 22:51:45 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 22:51:35 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 22:51:23 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 22:50:21 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 22:50:09 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-09 22:49:03 ----A---- C:\WINDOWS\system32\MRT.INI
2009-12-06 21:56:43 ----D---- C:\Program Files\iPod
2009-12-06 21:56:16 ----D---- C:\Program Files\iTunes
2009-12-06 21:56:16 ----D---- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-06 21:53:18 ----D---- C:\Program Files\QuickTime
2009-12-06 21:52:31 ----SHD---- C:\Config.Msi
2009-12-06 21:25:52 ----D---- C:\Program Files\Safari
2009-12-01 21:36:11 ----A---- C:\WINDOWS\system32\PICSDK2.dll
2009-12-01 21:36:11 ----A---- C:\WINDOWS\system32\PICSDK.ini
2009-12-01 21:36:11 ----A---- C:\WINDOWS\system32\PICSDK.dll
2009-12-01 21:36:10 ----A---- C:\WINDOWS\system32\PICEntry.dll
2009-12-01 21:36:10 ----A---- C:\WINDOWS\system32\EpPicPrt.dll
2009-12-01 21:36:10 ----A---- C:\WINDOWS\system32\EPPicMgr.dll
2009-12-01 21:35:16 ----A---- C:\WINDOWS\system32\E_FLBBGE.DLL
2009-12-01 21:35:16 ----A---- C:\WINDOWS\system32\E_FD4BBGE.DLL
2009-12-01 21:35:16 ----A---- C:\WINDOWS\system32\E_DCINST.DLL
2009-12-01 21:32:24 ----D---- C:\Program Files\EPSON
2009-12-01 21:32:21 ----A---- C:\WINDOWS\EPSTPLOG.TXT
2009-12-01 21:32:21 ----A---- C:\WINDOWS\EPSMTL32.TXT
2009-12-01 21:32:18 ----A---- C:\WINDOWS\CDE D78DEFGIPS.ini
2009-12-01 21:29:01 ----A---- C:\WINDOWS\epsswt_log.txt
2009-11-30 21:54:11 ----D---- C:\WINDOWS\Sun
2009-11-26 20:33:22 ----D---- C:\Program Files\MSXML 4.0
2009-11-25 22:26:33 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 22:26:19 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-25 20:20:14 ----D---- C:\Program Files\Microsoft Games
2009-11-25 20:16:58 ----D---- C:\Documents and Settings\user\Application Data\FarStone
2009-11-25 20:13:15 ----A---- C:\WINDOWS\GPlay08.exe
2009-11-25 20:12:41 ----D---- C:\Program Files\FarStone
2009-11-25 20:10:54 ----N---- C:\WINDOWS\system32\RemFarStone.exe
2009-11-25 20:10:54 ----A---- C:\WINDOWS\system32\Dversion.dll
2009-11-25 20:10:53 ----A---- C:\WINDOWS\system32\DVC.dll

======List of files/folders modified in the last 1 months======

2009-12-24 10:46:38 ----RD---- C:\Program Files
2009-12-24 10:44:13 ----D---- C:\WINDOWS\Temp
2009-12-24 10:42:41 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-24 10:42:11 ----D---- C:\WINDOWS
2009-12-24 00:08:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-23 22:43:42 ----D---- C:\Program Files\xerox
2009-12-23 22:43:36 ----A---- C:\WINDOWS\NeroDigital.ini
2009-12-23 22:05:23 ----D---- C:\WINDOWS\system32\drivers
2009-12-23 20:24:39 ----D---- C:\WINDOWS\Prefetch
2009-12-23 20:24:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-23 19:42:25 ----RSHD---- C:\RESTORE
2009-12-23 00:04:53 ----D---- C:\Documents and Settings\user\Application Data\Apple Computer
2009-12-22 12:49:14 ----D---- C:\Documents and Settings\user\Application Data\MSN6
2009-12-21 23:16:00 ----D---- C:\Documents and Settings\user\Application Data\BitTorrent
2009-12-21 15:29:46 ----D---- C:\Documents and Settings\user\Application Data\vlc
2009-12-18 11:47:55 ----AD---- C:\WINDOWS\system32
2009-12-17 19:15:45 ----D---- C:\Documents and Settings
2009-12-13 21:06:35 ----HD---- C:\WINDOWS\inf
2009-12-10 19:25:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-09 22:51:49 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-09 22:51:40 ----A---- C:\WINDOWS\imsins.BAK
2009-12-09 22:51:22 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 22:51:04 ----D---- C:\WINDOWS\system32\en-US
2009-12-09 22:51:04 ----D---- C:\Program Files\Internet Explorer
2009-12-06 21:59:36 ----SHD---- C:\WINDOWS\Installer
2009-12-06 21:58:07 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-06 21:56:42 ----D---- C:\Program Files\Common Files\Apple
2009-12-06 21:25:33 ----D---- C:\WINDOWS\WinSxS
2009-12-01 20:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-25 20:21:36 ----RSD---- C:\WINDOWS\Fonts


#6
December 24, 2009 at 02:53:34
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2005-11-10 1406464]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2006-05-10 156160]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 fgdxbus;fgdxbus; C:\WINDOWS\system32\DRIVERS\fgdxbus.sys [2006-07-12 11520]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.SYS [2005-05-03 1033728]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2005-05-03 208384]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader; C:\WINDOWS\System32\DRIVERS\ozscr.sys [2005-04-21 92550]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2004-11-15 264440]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w70n51.sys [2006-08-02 674560]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2005-05-03 705408]
S3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2006-10-12 604928]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 n558;N558 Bluetooth USB Filter Driver; C:\WINDOWS\System32\Drivers\n558.sys [2007-08-15 9600]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2005-11-10 389120]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-11-17 153376]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2006-06-29 376832]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-11-01 20480]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-03 182768]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


#7
December 24, 2009 at 04:23:05
Please post the results of the GMER scan requested in response #1. Be sure that you run the scan from safe mode.

#8
December 24, 2009 at 06:22:19
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 14:21:47
Windows 5.1.2600 Service Pack 3
Running: 5puxehqr.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\uxtdapow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82116178
Device \Driver\atapi \Device\Ide\IdePort0 82116178
Device \Driver\atapi \Device\Ide\IdePort1 82116178
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 82116178

---- Threads - GMER 1.0.15 ----

Thread System [4:200] 8215DEAB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c63afda4
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c63afda4 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


#9
December 24, 2009 at 08:47:26
Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
2. Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
4. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


#10
December 24, 2009 at 09:09:52
17:12:29:418 3912 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
17:12:29:418 3912 ================================================================================
17:12:29:418 3912 SystemInfo:

17:12:29:418 3912 OS Version: 5.1.2600 ServicePack: 3.0
17:12:29:418 3912 Product type: Workstation
17:12:29:418 3912 ComputerName: LAPTOP
17:12:29:418 3912 UserName: user
17:12:29:418 3912 Windows directory: C:\WINDOWS
17:12:29:418 3912 Processor architecture: Intel x86
17:12:29:418 3912 Number of processors: 1
17:12:29:418 3912 Page size: 0x1000
17:12:29:418 3912 Boot type: Normal boot
17:12:29:418 3912 ================================================================================
17:12:29:428 3912 ForceUnloadDriver: NtUnloadDriver error 2
17:12:29:428 3912 ForceUnloadDriver: NtUnloadDriver error 2
17:12:29:428 3912 ForceUnloadDriver: NtUnloadDriver error 2
17:12:29:438 3912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
17:12:29:438 3912 main: Driver KLMD successfully dropped
17:12:29:478 3912 main: Driver KLMD successfully loaded
17:12:29:478 3912
Scanning Registry ...
17:12:29:478 3912 ScanServices: Searching service UACd.sys
17:12:29:478 3912 ScanServices: Open/Create key error 2
17:12:29:478 3912 ScanServices: Searching service TDSSserv.sys
17:12:29:478 3912 ScanServices: Open/Create key error 2
17:12:29:478 3912 ScanServices: Searching service gaopdxserv.sys
17:12:29:478 3912 ScanServices: Open/Create key error 2
17:12:29:478 3912 ScanServices: Searching service gxvxcserv.sys
17:12:29:478 3912 ScanServices: Open/Create key error 2
17:12:29:478 3912 ScanServices: Searching service MSIVXserv.sys
17:12:29:478 3912 ScanServices: Open/Create key error 2
17:12:29:488 3912 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
17:12:29:488 3912 UnhookRegistry: Kernel local addr: A40000
17:12:29:488 3912 UnhookRegistry: KeServiceDescriptorTable addr: AC3220
17:12:29:488 3912 UnhookRegistry: KiServiceTable addr: A4B6A8
17:12:29:488 3912 UnhookRegistry: NtEnumerateKey service number (local): 47
17:12:29:488 3912 UnhookRegistry: NtEnumerateKey local addr: ADC5A4
17:12:29:498 3912 KLMD_OpenDevice: Trying to open KLMD device
17:12:29:498 3912 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
17:12:29:498 3912 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
17:12:29:498 3912 UnhookRegistry: NtEnumerateKey service number (kernel): 47
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
17:12:29:498 3912 UnhookRegistry: NtEnumerateKey real addr: 805735A4
17:12:29:498 3912 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
17:12:29:498 3912 UnhookRegistry: No SDT hooks found on NtEnumerateKey
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]
17:12:29:498 3912 UnhookRegistry: No splicing found on NtEnumerateKey
17:12:29:498 3912
Scanning Kernel memory ...
17:12:29:498 3912 KLMD_OpenDevice: Trying to open KLMD device
17:12:29:498 3912 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
17:12:29:498 3912 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:12:29:498 3912 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 823CBEE8
17:12:29:498 3912 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
17:12:29:498 3912 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8189F778
17:12:29:498 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8189F778
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0x8189F778[0x38]
17:12:29:498 3912 DetectCureTDL3: DRIVER_OBJECT addr: 823CBEE8
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0x823CBEE8[0xA8]
17:12:29:498 3912 KLMD_ReadMem: Trying to ReadMemory 0xE100EA78[0x208]
17:12:29:498 3912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:12:29:498 3912 DetectCureTDL3: IrpHandler (0) addr: F857CBB0
17:12:29:498 3912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
17:12:29:498 3912 DetectCureTDL3: IrpHandler (2) addr: F857CBB0
17:12:29:498 3912 DetectCureTDL3: IrpHandler (3) addr: 82356CB0
17:12:29:498 3912 DetectCureTDL3: IrpHandler (4) addr: F8576D1F
17:12:29:498 3912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (9) addr: F85772E2
17:12:29:508 3912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (14) addr: F85773BB
17:12:29:508 3912 DetectCureTDL3: IrpHandler (15) addr: F857AF28
17:12:29:508 3912 DetectCureTDL3: IrpHandler (16) addr: F85772E2
17:12:29:508 3912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (22) addr: F8578C82
17:12:29:508 3912 DetectCureTDL3: IrpHandler (23) addr: F857D99E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
17:12:29:508 3912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
17:12:29:508 3912 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
17:12:29:508 3912 KLMD_ReadMem: DeviceIoControl error 1
17:12:29:508 3912 TDL3_StartIoHookDetect: Unable to get StartIo handler code
17:12:29:508 3912 TDL3_FileDetect: Processing driver: Disk
17:12:29:508 3912 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
17:12:29:508 3912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
17:12:29:508 3912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
17:12:29:538 3912 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 820E0AB8
17:12:29:538 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 820E0AB8
17:12:29:538 3912 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 822A9EA0
17:12:29:538 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 822A9EA0
17:12:29:538 3912 KLMD_ReadMem: Trying to ReadMemory 0x822A9EA0[0x38]
17:12:29:538 3912 DetectCureTDL3: DRIVER_OBJECT addr: 822B5B10
17:12:29:538 3912 KLMD_ReadMem: Trying to ReadMemory 0x822B5B10[0xA8]
17:12:29:538 3912 KLMD_ReadMem: Trying to ReadMemory 0xE14DE1E0[0x208]
17:12:29:538 3912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:12:29:538 3912 DetectCureTDL3: IrpHandler (0) addr: F88F3218
17:12:29:538 3912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (2) addr: F88F3218
17:12:29:538 3912 DetectCureTDL3: IrpHandler (3) addr: F88F323C
17:12:29:538 3912 DetectCureTDL3: IrpHandler (4) addr: F88F323C
17:12:29:538 3912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (14) addr: F88F3180
17:12:29:538 3912 DetectCureTDL3: IrpHandler (15) addr: F88EE9E6
17:12:29:538 3912 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (22) addr: F88F25F0
17:12:29:538 3912 DetectCureTDL3: IrpHandler (23) addr: F88F0A6E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
17:12:29:538 3912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
17:12:29:538 3912 KLMD_ReadMem: Trying to ReadMemory 0xF88EFF26[0x400]
17:12:29:538 3912 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
17:12:29:538 3912 TDL3_FileDetect: Processing driver: USBSTOR
17:12:29:538 3912 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\usbstor.tsk
17:12:29:538 3912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
17:12:29:538 3912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
17:12:29:568 3912 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 82347C68
17:12:29:568 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82347C68
17:12:29:568 3912 KLMD_ReadMem: Trying to ReadMemory 0x82347C68[0x38]
17:12:29:568 3912 DetectCureTDL3: DRIVER_OBJECT addr: 823CBEE8
17:12:29:568 3912 KLMD_ReadMem: Trying to ReadMemory 0x823CBEE8[0xA8]
17:12:29:568 3912 KLMD_ReadMem: Trying to ReadMemory 0xE100EA78[0x208]
17:12:29:568 3912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:12:29:568 3912 DetectCureTDL3: IrpHandler (0) addr: F857CBB0
17:12:29:568 3912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (2) addr: F857CBB0
17:12:29:568 3912 DetectCureTDL3: IrpHandler (3) addr: 82356CB0
17:12:29:568 3912 DetectCureTDL3: IrpHandler (4) addr: F8576D1F
17:12:29:568 3912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (9) addr: F85772E2
17:12:29:568 3912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (14) addr: F85773BB
17:12:29:568 3912 DetectCureTDL3: IrpHandler (15) addr: F857AF28
17:12:29:568 3912 DetectCureTDL3: IrpHandler (16) addr: F85772E2
17:12:29:568 3912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (22) addr: F8578C82
17:12:29:568 3912 DetectCureTDL3: IrpHandler (23) addr: F857D99E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
17:12:29:568 3912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
17:12:29:568 3912 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
17:12:29:568 3912 KLMD_ReadMem: DeviceIoControl error 1
17:12:29:568 3912 TDL3_StartIoHookDetect: Unable to get StartIo handler code
17:12:29:568 3912 TDL3_FileDetect: Processing driver: Disk
17:12:29:568 3912 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
17:12:29:568 3912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
17:12:29:568 3912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
17:12:29:578 3912 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 823DDAB8
17:12:29:578 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 823DDAB8
17:12:29:578 3912 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 823E8D98
17:12:29:578 3912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 823E8D98
17:12:29:578 3912 KLMD_ReadMem: Trying to ReadMemory 0x823E8D98[0x38]
17:12:29:578 3912 DetectCureTDL3: DRIVER_OBJECT addr: 823D0840
17:12:29:578 3912 KLMD_ReadMem: Trying to ReadMemory 0x823D0840[0xA8]
17:12:29:578 3912 KLMD_ReadMem: Trying to ReadMemory 0xE100B3C0[0x208]
17:12:29:578 3912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:12:29:578 3912 DetectCureTDL3: IrpHandler (0) addr: F848B6F2
17:12:29:578 3912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (2) addr: F848B6F2
17:12:29:578 3912 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (14) addr: F848B712
17:12:29:578 3912 DetectCureTDL3: IrpHandler (15) addr: F8487852
17:12:29:578 3912 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (22) addr: F848B73C
17:12:29:578 3912 DetectCureTDL3: IrpHandler (23) addr: F8492336
17:12:29:578 3912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
17:12:29:578 3912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
17:12:29:578 3912 KLMD_ReadMem: Trying to ReadMemory 0xF8488864[0x400]
17:12:29:578 3912 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
17:12:29:578 3912 TDL3_FileDetect: Processing driver: atapi
17:12:29:578 3912 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
17:12:29:578 3912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
17:12:29:578 3912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
17:12:29:608 3912
Completed

Results:
17:12:29:608 3912 Infected objects in memory: 0
17:12:29:608 3912 Cured objects in memory: 0
17:12:29:608 3912 Infected objects on disk: 0
17:12:29:608 3912 Objects on disk cured on reboot: 0
17:12:29:608 3912 Objects on disk deleted on reboot: 0
17:12:29:608 3912 Registry nodes deleted on reboot: 0
17:12:29:608 3912


#11
December 24, 2009 at 09:18:59

Remember: your antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#12
December 24, 2009 at 13:21:31
ComboFix 09-12-24.02 - user 24/12/2009 20:46:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.290 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\combofix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-17 19:15 . 2009-12-24 20:28 -------- d-----w- c:\documents and settings\HelpAssistant
2009-12-06 21:56 . 2009-12-06 21:56 -------- d-----w- c:\program files\iPod
2009-12-06 21:56 . 2009-12-06 21:58 -------- d-----w- c:\program files\iTunes
2009-12-06 21:56 . 2009-12-06 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-06 21:53 . 2009-12-06 21:54 -------- d-----w- c:\program files\QuickTime
2009-12-06 21:25 . 2009-12-06 21:26 -------- d-----w- c:\program files\Safari
2009-12-01 21:35 . 2006-03-03 01:04 73216 ----a-w- c:\windows\system32\E_FLBBGE.DLL
2009-12-01 21:35 . 2005-04-11 01:01 62976 ----a-w- c:\windows\system32\E_FD4BBGE.DLL
2009-12-01 21:35 . 2004-09-10 20:12 49152 ----a-w- c:\windows\system32\E_DCINST.DLL
2009-12-01 21:32 . 2009-12-01 21:35 -------- d-----w- c:\program files\EPSON
2009-12-01 21:27 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-01 21:27 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-30 21:54 . 2009-11-30 21:54 -------- d-----w- c:\windows\Sun
2009-11-26 20:33 . 2009-11-26 20:33 -------- d-----w- c:\program files\MSXML 4.0
2009-11-25 20:20 . 2009-11-25 20:20 -------- d-----w- c:\program files\Microsoft Games
2009-11-25 20:16 . 2009-11-25 20:16 -------- d-----w- c:\documents and settings\user\Application Data\FarStone
2009-11-25 20:14 . 2009-11-25 20:14 65536 ----a-w- c:\windows\system32\GDPersns.dat
2009-11-25 20:13 . 2006-07-12 06:17 69632 ----a-w- c:\windows\GPlay08.exe
2009-11-25 20:13 . 2006-07-12 06:17 14496 ----a-w- c:\windows\system32\GDI08X.dat
2009-11-25 20:13 . 2006-08-05 06:20 71680 ----a-w- c:\windows\system32\drivers\fgxscsi.sys
2009-11-25 20:13 . 2006-07-12 06:17 11520 ----a-w- c:\windows\system32\drivers\fgdxbus.sys
2009-11-25 20:12 . 2009-11-25 20:12 -------- d-----w- c:\program files\FarStone
2009-11-25 20:10 . 2009-11-25 20:10 90112 ----a-w- c:\windows\system32\Dversion.dll
2009-11-25 20:10 . 2006-07-12 06:17 53248 ------w- c:\windows\system32\RemFarStone.exe
2009-11-25 20:10 . 2009-11-25 20:10 126976 ----a-w- c:\windows\system32\DVC.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 15:45 . 2009-12-24 15:45 -------- d-----w- c:\program files\Lionhead Studios Ltd
2009-12-24 15:45 . 2007-02-07 15:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 10:47 . 2009-12-24 10:46 -------- d-----w- c:\program files\trend micro
2009-12-23 20:24 . 2009-11-14 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 00:04 . 2009-09-03 12:19 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2009-12-22 12:49 . 2009-09-03 10:52 -------- d-----w- c:\documents and settings\user\Application Data\MSN6
2009-12-21 23:16 . 2009-09-09 17:32 -------- d-----w- c:\documents and settings\user\Application Data\BitTorrent
2009-12-21 15:37 . 2009-12-21 15:36 -------- d-----w- c:\program files\NCH Software
2009-12-21 15:36 . 2009-12-21 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-12-21 15:29 . 2009-09-04 17:51 -------- d-----w- c:\documents and settings\user\Application Data\vlc
2009-12-06 21:56 . 2009-09-03 12:16 -------- d-----w- c:\program files\Common Files\Apple
2009-12-03 16:14 . 2009-11-14 19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-11-14 19:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 20:46 . 2007-02-16 09:53 19032 -c--a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-17 17:50 . 2009-11-17 17:50 -------- d-----w- c:\documents and settings\user\Application Data\OpenOffice.org
2009-11-17 17:14 . 2009-11-17 17:14 -------- d-----w- c:\program files\JRE
2009-11-17 17:14 . 2009-11-17 17:13 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-17 17:11 . 2009-11-17 17:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-17 17:11 . 2009-11-17 17:11 -------- d-----w- c:\program files\Java
2009-11-14 20:05 . 2009-11-14 20:05 -------- d-----w- c:\documents and settings\user\Application Data\Blender Foundation
2009-11-14 20:04 . 2009-11-14 20:04 -------- d-----w- c:\program files\Blender Foundation
2009-11-14 19:20 . 2009-11-14 19:20 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-11-14 19:20 . 2009-11-14 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 16:57 . 2009-11-13 16:57 99840 ----a-w- C:\fdssd.exe
2009-11-02 21:31 . 2009-11-02 21:31 65800 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-02 19:36 . 2009-11-02 19:36 -------- d-----w- c:\program files\Wizards of the Coast
2009-10-29 07:46 . 2006-06-23 11:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-26 08:24 . 2009-10-26 08:24 2149888 ----a-w- c:\windows\system32\python26.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-03-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-03 122368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-17 149280]
"GameDrive"="c:\program files\FarStone\GameDrive\GDP\GDTask.exe" [2006-07-22 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"5927:TCP"= 5927:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3246:TCP"= 3246:TCP:Services
"5358:TCP"= 5358:TCP:Services

R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [25/11/2009 20:13 71680]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [07/02/2007 15:29 92550]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02911090-d9ff-11de-bd93-000cf15da2de}]
\Shell\AutoRun\command - L:\Setup.exe
\Shell\setup\command - L:\setup.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-Windows DNS Manager - win32dns.exe
ActiveSetup-{CA79B84D-E9D7-217D-34A0-975505A75A32} - c:\windows\system32:svchost.exe
AddRemove-{D5BB0907-4BB2-46A3-AA68-0173D111058D} - c:\program files\FarStone\GameDrive\Setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x818AE918]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> 0x818ae918
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter -> SendCompleteHandler -> 0x8183e460
PacketIndicateHandler -> NDIS.sys @ 0xf8376a21
SendHandler -> NDIS.sys @ 0xf835487b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x037DFF7F
malicious code @ sector 0x037DFF82 !
PE file found in sector at 0x037DFF98 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2009-12-24 21:10:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 21:09

Pre-Run: 2,259,451,904 bytes free
Post-Run: 2,208,665,600 bytes free

- - End Of File - - 87C2B30D6498DA53AFB7F4C21879B172


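As an added illustration, not part of this thread and not a tool from ComboFix or any of the helpers here: a small Python triage script that reads lines in the shape of the ComboFix report above and flags the indicators a helper scans for when a machine is redirecting searches: the Windows Firewall switched off, globally open ports such as 3389, an orphaned Run entry whose target is a bare file name (win32dns.exe) rather than a full path, an ActiveSetup entry whose target is an NTFS alternate data stream (system32:svchost.exe), and the unknown disk-stack hook and MBR rootkit verdict from the mbr.exe module. The sample log is a constructed, abbreviated excerpt in the report's format, and the severity labels and regular expressions are this example's own assumptions.

```python
import re

# Constructed sample: an abbreviated excerpt in the shape of the ComboFix
# report posted in this thread (not the full report).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-Windows DNS Manager - win32dns.exe
ActiveSetup-{CA79B84D-E9D7-217D-34A0-975505A75A32} - c:\windows\system32:svchost.exe

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x818AE918]<<
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Line shapes follow the report format; the severity labels are this
# example's own choice, not something ComboFix emits.
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')
AUTORUN = re.compile(r'^(HKLM|HKCU)-Run-(.+?) - (.+)$')
ACTIVESETUP = re.compile(r'^ActiveSetup-(\{[0-9A-Fa-f-]+\}) - (.+)$')
# A second colon after the drive letter, not followed by a backslash, means
# the target lives in an NTFS alternate data stream (system32:svchost.exe).
ADS_PATH = re.compile(r'^[a-z]:\\[^:]*:[^\\:]+$', re.I)
UNKNOWN_HOOK = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')
MBR_HIT = re.compile(r'^MBR rootkit infection detected')

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def triage(log_text):
    """Return (severity, message) findings for a ComboFix-style log, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if FIREWALL_OFF.match(line):
            findings.append(("HIGH", "Windows Firewall is disabled for the standard profile"))
            continue
        m = OPEN_PORT.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            # 3389 is Remote Desktop; any globally open port still deserves a look.
            sev = "HIGH" if port == 3389 else "MEDIUM"
            findings.append((sev, f"firewall exception opens {port}/{proto} to all networks"))
            continue
        m = AUTORUN.match(line)
        if m:
            hive, name, target = m.groups()
            # A bare file name is resolved through the search path, which
            # legitimate installers rarely rely on for an autostart entry.
            if "\\" not in target:
                findings.append(("HIGH", f"{hive} Run entry '{name}' points at unqualified file {target}"))
            continue
        m = ACTIVESETUP.match(line)
        if m:
            guid, target = m.groups()
            if ADS_PATH.match(target):
                findings.append(("CRITICAL", f"ActiveSetup {guid} runs from an alternate data stream: {target}"))
            continue
        m = UNKNOWN_HOOK.search(line)
        if m:
            findings.append(("CRITICAL", f"unknown module hooked into the disk stack at {m.group(1)}"))
            continue
        if MBR_HIT.match(line):
            findings.append(("CRITICAL", "MBR rootkit reported by the mbr.exe module"))
    # sorted() is stable, so findings keep log order within each severity
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"{sev:9} {msg}")
```

Run against the sample it reports the three critical items (the alternate data stream, the unknown disk-stack hook and the MBR verdict) before the firewall and autostart findings, which matches how a helper would prioritise them: once the MBR is owned, the user-mode entries are secondary and the boot sector has to be repaired first.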