Total Security XP / redirect troubles


Re: Total Security XP / redirect troubles

Post by EMattvargas on 20th April 2010, 9:10 pm

Okay, so I entered the code as directed. However, upon booting the computer in normal mode I was unable to run GMER. It kept giving an error message stating that the application failed. I rebooted in Safe Mode and was able to run GMER, but I had to go to class before the scan was finished. I will copy and paste the results later this evening. Thank you so very much for your patience!

EMattvargas
Novice

Posts: 28
Joined: 2010-04-11
OS: windows xp
Points: 24714
Likes: 0


Re: Total Security XP / redirect troubles

Post by Belahzur on 20th April 2010, 9:58 pm

Okay, standing by.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: Total Security XP / redirect troubles

Post by EMattvargas on 21st April 2010, 4:52 am

GMER 1.0.15.15281
Rootkit scan 2010-04-20 21:51:26
Windows 5.1.2600 Service Pack 3
Running: eppdei5w.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfddipog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT spig.sys ZwEnumerateKey [0xF74FCDA4]
SSDT spig.sys ZwEnumerateValueKey [0xF74FD132]
SSDT spig.sys ZwOpenKey [0xF74E40C0]
SSDT spig.sys ZwQueryKey [0xF74FD20A]
SSDT spig.sys ZwQueryValueKey [0xF74FD08A]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

INT 0x73 ? 8A1C2BF8
INT 0x73 ? 8A1C2BF8
INT 0x73 ? 8A1C2BF8
INT 0x73 ? 8A1C2BF8
INT 0x82 ? 8A5F0BF8
INT 0x83 ? 8A5F0BF8
INT 0xB1 ? 8A5F3BF8
INT 0xB1 ? 8A5F3BF8
INT 0xB1 ? 8A5F3BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 169 804E27D5 3 Bytes [CD, 4F, F7]
? spig.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BAD838AC 5 Bytes JMP 8A1C21D8
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BACEC4D0 48 Bytes [F8, 03, 8E, DC, 51, 48, 14, ...]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.
.text atkvjdzv.SYS BACB2386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text atkvjdzv.SYS BACB23AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text atkvjdzv.SYS BACB23C4 3 Bytes [00, 80, 02]
.text atkvjdzv.SYS BACB23C9 1 Byte [30]
.text atkvjdzv.SYS BACB23C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BAC694D0 48 Bytes [50, 47, DE, 95, 2F, 8F, 92, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A5F32D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750FDDC] spig.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750FE30] spig.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74E5042] spig.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74E513E] spig.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74E50C0] spig.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74E5800] spig.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74E56D6] spig.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A1C22D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74F4B90] spig.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5821F8

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 89F6F1F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\PCI_PNP5368 \Device\00000050 spig.sys
Device \Driver\PCI_PNP5368 \Device\00000050 spig.sys
Device \Driver\PCI_PNP5368 \Device\00000051 spig.sys
Device \Driver\PCI_PNP5368 \Device\00000051 spig.sys
Device \Driver\usbohci \Device\USBPDO-0 8A1BB1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5851F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5851F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5851F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5851F8
Device \Driver\usbohci \Device\USBPDO-1 8A1BB1F8
Device \Driver\usbehci \Device\USBPDO-2 8A1A41F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5F11F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5F11F8
Device \Driver\Cdrom \Device\CdRom0 8A196500
Device \Driver\atapi \Device\Ide\IdePort0 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A196500
Device \Driver\USBSTOR \Device\00000073 89FCC500
Device \Driver\Cdrom \Device\CdRom2 8A196500
Device \Driver\NetBT \Device\NetBT_Tcpip_{F19BB2CA-F797-4AC4-9E81-05E3C35A3D45} 89FE11F8
Device \Driver\Cdrom \Device\CdRom3 8A196500
Device \Driver\Cdrom \Device\CdRom4 8A196500
Device \Driver\USBSTOR \Device\00000076 89FCC500
Device \Driver\USBSTOR \Device\00000077 89FCC500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89FE11F8
Device \Driver\USBSTOR \Device\00000078 89FCC500
Device \Driver\USBSTOR \Device\00000079 89FCC500
Device \Driver\NetBT \Device\NetbiosSmb 89FE11F8
Device \Driver\PCI_PNP5368 \Device\0000004f spig.sys
Device \Driver\PCI_PNP5368 \Device\0000004f spig.sys
Device \Driver\usbohci \Device\USBFDO-0 8A1BB1F8
Device \Driver\usbohci \Device\USBFDO-1 8A1BB1F8
Device \Driver\usbehci \Device\USBFDO-2 8A1A41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FD31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FD31F8
Device \Driver\Ftdisk \Device\FtControl 8A5F11F8
Device \Driver\sptd \Device\2875255368 spig.sys
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 8A1931F8
Device \Driver\atkvjdzv \Device\Scsi\atkvjdzv1Port5Path0Target0Lun0 8A1921F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1Port7Path0Target0Lun0 8A5841F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 8A17A1F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8A5841F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A17A1F8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port6Path0Target0Lun0 8A1931F8
Device \Driver\atkvjdzv \Device\Scsi\atkvjdzv1 8A1921F8
Device \FileSystem\Fastfat \Fat 89F6F1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89E801F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1258007312
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 852776835
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0xE3 0xC6 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x88 0x69 0x0A 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0xC7 0xA6 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x77 0xEE 0x89 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x24 0x11 0xD7 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x50 0x49 0xF6 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC8 0x9A 0x0E 0x06 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x50 0x5C 0xF4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@Assembly Microsoft.Vbe.Interop, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@Class Microsoft.Vbe.Interop.CodePanesClass
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32\11.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32\11.0.0.0@Assembly Microsoft.Vbe.Interop, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32\11.0.0.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32\11.0.0.0@Class Microsoft.Vbe.Interop.CodePanesClass
Reg HKLM\SOFTWARE\Classes\CLSID\{CBF8AC7F-0C8E-0EB6-A1BE-EEFD8E58C10C}\InprocServer32@ infosoft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CBF8AC7F-0C8E-0EB6-A1BE-EEFD8E58C10C}\InprocServer32@ThreadingModel Both

---- EOF - GMER 1.0.15 ----


Re: Total Security XP / redirect troubles

Post by Belahzur on 21st April 2010, 4:00 pm

Hello.
Well done, you killed the rootkit. Hooray!

Now, please re-run Combofix one more time and post the new log.


Re: Total Security XP / redirect troubles

Post by EMattvargas on 21st April 2010, 7:13 pm

Hurray for killing the rootkit. Here is the Combofix log:

ComboFix 10-04-21.01 - Administrator 04/21/2010 11:18:39.4.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- C:\intelide.sys
2010-04-16 07:37 . 2010-04-16 08:08 -------- d-----w- C:\Combo-Fix25308C
2010-04-15 04:53 . 2010-04-15 04:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL
2010-04-11 19:47 . 2010-04-11 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 04:53 . 2005-11-11 21:15 142992 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 20:15 . 2009-06-18 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 20:11 . 2010-01-23 19:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-06-18 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-06-18 14:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 23:39 . 2010-01-27 22:12 -------- d-----w- c:\program files\Revealing Archaeology
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-05 18:25 . 2010-03-05 18:25 -------- d-----w- c:\program files\ESRI
2010-03-05 18:16 . 2010-03-05 18:10 -------- d-----w- c:\program files\ArcGIS
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-05 18:15 . 2010-03-05 18:15 -------- d-----w- c:\program files\Leica Geosystems
2010-03-05 18:14 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\ESRI
2010-03-05 18:11 . 2010-03-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESRI
2010-02-20 21:34 . 2010-02-20 21:34 -------- d-----w- c:\program files\Olympus
2010-02-20 21:34 . 2005-11-11 21:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-27 22:18 . 2010-01-27 22:18 185596 ----a-w- c:\program files\uninstra.log
2010-01-24 19:07 . 2005-01-28 17:40 93883 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-23 20:17 . 2006-03-08 08:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:00 . 2008-04-14 12:00 5504 c:\windows\intelide.old.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-10-28 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-2-20 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 04:02 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-04-24 22:22 1833984 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1137892249\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 21:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 07:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-06 21:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 22:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 cerc6;cerc6; [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2006-12-14 72672]
R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
R3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2006-03-10 223128]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]

.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:02]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\11vjrxn2.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-21 11:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-21 11:26:01
ComboFix-quarantined-files.txt 2010-04-21 18:25
ComboFix2.txt 2010-04-16 08:08

Pre-Run: 132,053,958,656 bytes free
Post-Run: 132,039,094,272 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - F582CB07FA3E751862117749B03390D6


Re: Total Security XP / redirect troubles

Post by Belahzur on 21st April 2010, 9:33 pm

Hello.

You aren't running antivirus software.

Please install Avira antivirus; otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Driver::
    cerc6

    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "Shellnext"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




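The two posts above belong together: the ComboFix log shows Security Center's AntiVirusOverride and FirewallOverride set with the XP firewall disabled, a driver service (cerc6) listed with no image file, a hidden+system DLL with an all-digit name in a user profile, and an Internet Connection Wizard ShellNext value; the reply turns two of those findings into CFScript directives (Driver:: cerc6, "Shellnext"=-). The Python script below is an added example, not code from this thread, from ComboFix or from any tool named here. It runs that triage over a constructed excerpt of the log and emits the same directives. It assumes the 8-character attribute column carries the system bit in position 3 and the hidden bit in position 4 (inferred from the --sha-w- and d-----w- strings in the log), and it uses a placeholder ShellNext URL because the forum redacted the real one.

```python
"""Triage a ComboFix log for the indicators the helper acted on and emit
the matching CFScript directives. Added example, not from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the log lines posted in the thread.
# The ShellNext URL is a placeholder; the real one was redacted.
SAMPLE_LOG = r"""
2010-04-11 10:40 . 2010-04-11 19:32 200704 --sha-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\2096834811.dll
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R0 cerc6;cerc6; [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
uInternet Connection Wizard,ShellNext = http://example.invalid/redirect
"""

# "<mtime> [. <ctime>] <size, or -------- for a directory> <8-char attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" +(?:\d+|-{8}) +([a-z-]{8}) +(.+?)\s*$"
)
# Driver/service line ending in "[x]": image path empty, or file not on disk.
ORPHAN_RE = re.compile(r"^[RS]\d+ ([^;]+);[^;]*;(.*?) ?\[x\]$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')
SHELLNEXT_RE = re.compile(r"^uInternet Connection Wizard,ShellNext = (.+)$")


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def _reg_int(value: str) -> int | None:
    """'dword:00000001' -> 1, '0' -> 0, anything else -> None."""
    v = value.lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    return int(v) if v.isdigit() else None


def _suspicious_hidden(attrs: str, path: str) -> bool:
    """System+hidden bits (assumed columns 3 and 4) are noisy on their own:
    TeaTimer.exe legitimately carries --sha-r-. Require a user-profile
    location or an all-digit file name as well."""
    if not (attrs[2] == "s" and attrs[3] == "h"):
        return False
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return "\\documents and settings\\" in low or stem.isdigit()


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := FILE_RE.match(line):
            attrs, path = m.groups()
            if _suspicious_hidden(attrs, path):
                findings.append(Finding("hidden-system-file", path, line))
        elif m := ORPHAN_RE.match(line):
            name, path = m.groups()
            # Only a service with no image path at all is a Driver:: candidate;
            # a missing file under a real path is usually a half-uninstalled product.
            kind = "orphan-driver" if not path else "missing-driver-image"
            findings.append(Finding(kind, name, line))
        elif m := SHELLNEXT_RE.match(line):
            findings.append(Finding("shellnext", m.group(1), line))
        elif m := VALUE_RE.match(line):
            name, value = m.groups()
            n = _reg_int(value)
            if section.endswith("security center") and name in (
                "AntiVirusOverride", "FirewallOverride") and n == 1:
                findings.append(Finding("security-center-override", name, line))
            elif section.endswith("firewallpolicy\\standardprofile") and \
                    name == "EnableFirewall" and n == 0:
                findings.append(Finding("firewall-disabled", name, line))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Only the two finding kinds the helper scripted are automated; the
    hidden file and the firewall/Security Center state are left for a human."""
    out = ["KILLALL::", ""]
    drivers = [f.detail for f in findings if f.kind == "orphan-driver"]
    if drivers:
        out += ["Driver::", *drivers, ""]
    if any(f.kind == "shellnext" for f in findings):
        out += ["Registry::",
                r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]",
                '"Shellnext"=-', ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:26} {f.detail}")
    print()
    print(build_cfscript(found))
```

Run as-is it prints the findings and a CFScript identical in effect to the one posted above. The ATIXPGAA entry is reported as a missing image rather than as a Driver:: candidate, matching the helper's choice to remove only cerc6; whether to delete a path-less service is still a judgement call, since some legitimate products leave such stubs behind after a bad uninstall.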

Re: Total Security XP / redirect troubles

Post by EMattvargas on 21st April 2010, 11:40 pm

After ComboFix ran, an EULA popped up with this message:

SYSINTERNALS SOFTWARE LICENSE TERMS
These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Systinternals.com, which includes the media on which you received it, if any. The terms also apply to any Sysinternals
· updates,
· supplements,
· Internet-based services, and
· support services
for this software, unless other terms accompany those items. If so, those terms apply.
BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.
If you comply with these license terms, you have the rights below.
1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.
2. Scope of License. The software is licensed, not sold. This agreement only gives you some rights to use the software. Sysinternals reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
· work around any technical limitations in the binary versions of the software;
· reverse engineer, decompile or disassemble the binary versions of the software, except and only to the extent that applicable law expressly permits, despite this limitation;
· make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
· publish the software for others to copy;
· rent, lease or lend the software;
· transfer the software or this agreement to any third party; or
· use the software for commercial software hosting services.
3. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes.
4. Export Restrictions. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see [You must be registered and logged in to see this link.] .
5. SUPPORT SERVICES. Because this software is "as is," we may not provide support services for it.
6. Entire Agreement. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.
7. Applicable Law.
a. United States. If you acquired the software in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the software in any other country, the laws of that country apply.
8. Legal Effect. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
9. Disclaimer of Warranty. The software is licensed "as-is." You bear the risk of using it. SYSINTERNALS gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, SYSINTERNALS excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
10. Limitation on and Exclusion of Remedies and Damages. You can recover from SYSINTERNALS and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
· anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
· claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Sysinternals knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this software is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed software is provided "as is". Any use of this software is at your sole risk. Sysinternals grants no other express warranty. You may have additional rights under local consumer-protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Sysinternals and its suppliers compensation for direct damages only, up to US $5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
· anything related to the software, services or content (including code) on third-party Internet sites or in third-party programs; and
· claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.
It also applies even if Sysinternals knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it.


I was not at all sure what "Sysinternals" is, so I merely closed the window. Here is the Combofix log that was generated.

ComboFix 10-04-21.01 - Administrator 04/21/2010 16:07:08.5.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cerc6


((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- C:\intelide.sys
2010-04-16 07:37 . 2010-04-16 08:08 -------- d-----w- C:\Combo-Fix25308C
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL
2010-04-11 10:40 . 2010-04-11 19:32 200704 --sha-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\2096834811.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 20:15 . 2009-06-18 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 20:11 . 2010-01-23 19:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-06-18 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-06-18 14:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 23:39 . 2010-01-27 22:12 -------- d-----w- c:\program files\Revealing Archaeology
2010-03-12 09:02 . 2006-01-16 20:17 142992 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:23 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ESRI
2010-03-05 18:25 . 2010-03-05 18:25 -------- d-----w- c:\program files\ESRI
2010-03-05 18:16 . 2010-03-05 18:10 -------- d-----w- c:\program files\ArcGIS
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-05 18:15 . 2010-03-05 18:15 -------- d-----w- c:\program files\Leica Geosystems
2010-03-05 18:14 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\ESRI
2010-03-05 18:11 . 2010-03-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESRI
2010-01-27 22:18 . 2010-01-27 22:18 185596 ----a-w- c:\program files\uninstra.log
2010-01-24 19:07 . 2005-01-28 17:40 93883 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-23 20:17 . 2006-03-08 08:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:00 . 2008-04-14 12:00 5504 c:\windows\intelide.old.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-2-20 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 04:02 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-04-24 22:22 1833984 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1137892249\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 21:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 07:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-06 21:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 22:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2006-12-14 72672]
S3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2006-03-10 223128]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\directx\command - j:\directx9\dxsetup.exe
\Shell\setup\command - J:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:02]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nppl3260.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nprjplug.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-LxrAutorun - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Lexar Media\LxrAutorun.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-21 16:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcv.sys >>UNKNOWN [0x8A5D7938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba674cb8
\Driver\atapi -> atapi.sys @ 0xba5eab40
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba47bbd4
PacketIndicateHandler -> NDIS.sys @ 0xba487a21
SendHandler -> NDIS.sys @ 0xba47bd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\WININET.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-21 16:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 23:17
ComboFix2.txt 2010-04-21 18:26
ComboFix3.txt 2010-04-16 08:08

Pre-Run: 132,043,059,200 bytes free
Post-Run: 129,763,225,600 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 9E8F9943336001A6C90A73793A3E3F83

EMattvargas
Novice

Posts : 28
Joined : 2010-04-11
OS : windows xp
Points : 24714
Likes : 0


Re: Total Security XP / redirect troubles

Post by EMattvargas on 21st April 2010, 11:44 pm

Crud, I just realized that I posted the contents of log.txt, not C:\combofix.txt. These are the contents of Combofix.txt:


ComboFix 10-04-21.01 - Administrator 04/21/2010 16:07:08.5.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cerc6


((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- C:\intelide.sys
2010-04-16 07:37 . 2010-04-16 08:08 -------- d-----w- C:\Combo-Fix25308C
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL
2010-04-11 10:40 . 2010-04-11 19:32 200704 --sha-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\2096834811.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 20:15 . 2009-06-18 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 20:11 . 2010-01-23 19:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-06-18 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-06-18 14:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 23:39 . 2010-01-27 22:12 -------- d-----w- c:\program files\Revealing Archaeology
2010-03-12 09:02 . 2006-01-16 20:17 142992 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:23 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ESRI
2010-03-05 18:25 . 2010-03-05 18:25 -------- d-----w- c:\program files\ESRI
2010-03-05 18:16 . 2010-03-05 18:10 -------- d-----w- c:\program files\ArcGIS
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-05 18:15 . 2010-03-05 18:15 -------- d-----w- c:\program files\Leica Geosystems
2010-03-05 18:14 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\ESRI
2010-03-05 18:11 . 2010-03-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESRI
2010-01-27 22:18 . 2010-01-27 22:18 185596 ----a-w- c:\program files\uninstra.log
2010-01-24 19:07 . 2005-01-28 17:40 93883 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-23 20:17 . 2006-03-08 08:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:00 . 2008-04-14 12:00 5504 c:\windows\intelide.old.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-2-20 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 04:02 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-04-24 22:22 1833984 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1137892249\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 21:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 07:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-06 21:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 22:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2006-12-14 72672]
S3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2006-03-10 223128]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\directx\command - j:\directx9\dxsetup.exe
\Shell\setup\command - J:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:02]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nppl3260.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nprjplug.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-LxrAutorun - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Lexar Media\LxrAutorun.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-21 16:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcv.sys >>UNKNOWN [0x8A5D7938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba674cb8
\Driver\atapi -> atapi.sys @ 0xba5eab40
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba47bbd4
PacketIndicateHandler -> NDIS.sys @ 0xba487a21
SendHandler -> NDIS.sys @ 0xba47bd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\WININET.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-21 16:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 23:17
ComboFix2.txt 2010-04-21 18:26
ComboFix3.txt 2010-04-16 08:08

Pre-Run: 132,043,059,200 bytes free
Post-Run: 129,763,225,600 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 9E8F9943336001A6C90A73793A3E3F83


Re: Total Security XP / redirect troubles

Post by Belahzur on 22nd April 2010, 6:50 pm

Hello.
You didn't install Avira and the infection has snuck back in.

Please install Avira before we continue.



Re: Total Security XP / redirect troubles

Post by EMattvargas on 22nd April 2010, 11:10 pm

Argh, I apologize for my ineptitude. Apparently my scattered brain did not read the instructions in the proper order. Shame on me! Avira was installed last night and I re-ran Combofix as per your instructions. Here are the contents of Combofix.txt:


ComboFix 10-04-21.01 - Compaq_Administrator 04/22/2010 15:53:26.6.1 - x86
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\2096834811.dll
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ltejth
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ltejth\nbsesysguard.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-22 01:27 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-22 01:27 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-22 01:27 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-22 01:27 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-22 01:27 . 2010-04-22 01:27 -------- d-----w- c:\program files\Avira
2010-04-22 01:27 . 2010-04-22 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- C:\intelide.sys
2010-04-16 07:37 . 2010-04-16 08:08 -------- d-----w- C:\Combo-Fix25308C
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 20:15 . 2009-06-18 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 20:11 . 2010-01-23 19:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-06-18 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-06-18 14:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 23:39 . 2010-01-27 22:12 -------- d-----w- c:\program files\Revealing Archaeology
2010-03-12 09:02 . 2006-01-16 20:17 142992 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:23 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ESRI
2010-03-05 18:25 . 2010-03-05 18:25 -------- d-----w- c:\program files\ESRI
2010-03-05 18:16 . 2010-03-05 18:10 -------- d-----w- c:\program files\ArcGIS
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-05 18:15 . 2010-03-05 18:15 -------- d-----w- c:\program files\Leica Geosystems
2010-03-05 18:14 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\ESRI
2010-03-05 18:11 . 2010-03-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESRI
2010-01-27 22:18 . 2010-01-27 22:18 185596 ----a-w- c:\program files\uninstra.log
2010-01-24 19:07 . 2005-01-28 17:40 93883 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-23 20:17 . 2006-03-08 08:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-04-22 01:27 . 2009-05-11 17:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-04-14 12:00 . 2008-04-14 12:00 5504 c:\windows\intelide.old.sys
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-04-21 23:44 . 2010-04-21 23:44 219648 c:\windows\Installer\1fe665.msi
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-2-20 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 04:02 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-04-24 22:22 1833984 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1137892249\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 21:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 07:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-06 21:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 22:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2006-12-14 72672]
S3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2006-03-10 223128]

.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:02]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-22 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spgn.sys >>UNKNOWN [0x8A618938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba674cb8
\Driver\atapi -> atapi.sys @ 0xba5eab40
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba47bbd4
PacketIndicateHandler -> NDIS.sys @ 0xba487a21
SendHandler -> NDIS.sys @ 0xba47bd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\arservice.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-22 16:07:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 23:07
ComboFix2.txt 2010-04-21 23:17
ComboFix3.txt 2010-04-21 18:26
ComboFix4.txt 2010-04-16 08:08

Pre-Run: 129,408,421,888 bytes free
Post-Run: 129,356,419,072 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 876755E4BAA1C7E7DCF187109DB3A3C8

EMattvargas
Novice
Posts : 28
Joined : 2010-04-11
OS : windows xp
Points : 24714
Likes : 0


Re: Total Security XP / redirect troubles

Post by Belahzur on 23rd April 2010, 12:29 am

Hello.


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1


Re: Total Security XP / redirect troubles

Post by EMattvargas on 23rd April 2010, 12:44 am

Okay, done. Here are the contents:

17:41:55:625 3904 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:41:55:625 3904 ================================================================================
17:41:55:625 3904 SystemInfo:

17:41:55:625 3904 OS Version: 5.1.2600 ServicePack: 3.0
17:41:55:625 3904 Product type: Workstation
17:41:55:625 3904 ComputerName: HORIXON
17:41:55:625 3904 UserName: Compaq_Administrator
17:41:55:625 3904 Windows directory: C:\WINDOWS
17:41:55:625 3904 Processor architecture: Intel x86
17:41:55:625 3904 Number of processors: 1
17:41:55:625 3904 Page size: 0x1000
17:41:55:625 3904 Boot type: Normal boot
17:41:55:625 3904 ================================================================================
17:41:55:640 3904 UnloadDriverW: NtUnloadDriver error 2
17:41:55:640 3904 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:41:55:656 3904 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:41:55:656 3904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:41:55:656 3904 wfopen_ex: Trying to KLMD file open
17:41:55:656 3904 wfopen_ex: File opened ok (Flags 2)
17:41:55:656 3904 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:41:55:656 3904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:41:55:656 3904 wfopen_ex: Trying to KLMD file open
17:41:55:656 3904 wfopen_ex: File opened ok (Flags 2)
17:41:55:656 3904 Initialize success
17:41:55:656 3904
17:41:55:656 3904 Scanning Services ...
17:41:55:968 3904 Raw services enum returned 370 services
17:41:55:984 3904
17:41:55:984 3904 Scanning Kernel memory ...
17:41:55:984 3904 Devices to scan: 11
17:41:55:984 3904
17:41:55:984 3904 Driver Name: Disk
17:41:55:984 3904 IRP_MJ_CREATE : BA90EBB0
17:41:55:984 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:55:984 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:55:984 3904 IRP_MJ_READ : BA908D1F
17:41:55:984 3904 IRP_MJ_WRITE : BA908D1F
17:41:55:984 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:55:984 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:55:984 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:55:984 3904 IRP_MJ_SET_EA : 804F355A
17:41:55:984 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:55:984 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:55:984 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:55:984 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:55:984 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:55:984 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:55:984 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:55:984 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:55:984 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:55:984 3904 IRP_MJ_CLEANUP : 804F355A
17:41:55:984 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:55:984 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:55:984 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:55:984 3904 IRP_MJ_POWER : BA90AC82
17:41:55:984 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:55:984 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:55:984 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:55:984 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:046 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:046 3904
17:41:56:046 3904 Driver Name: Disk
17:41:56:046 3904 IRP_MJ_CREATE : BA90EBB0
17:41:56:046 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:046 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:56:046 3904 IRP_MJ_READ : BA908D1F
17:41:56:046 3904 IRP_MJ_WRITE : BA908D1F
17:41:56:046 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:046 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:56:046 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:56:046 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:56:046 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:56:046 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:046 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_POWER : BA90AC82
17:41:56:046 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:56:046 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:046 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:046 3904
17:41:56:046 3904 Driver Name: Disk
17:41:56:046 3904 IRP_MJ_CREATE : BA90EBB0
17:41:56:046 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:046 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:56:046 3904 IRP_MJ_READ : BA908D1F
17:41:56:046 3904 IRP_MJ_WRITE : BA908D1F
17:41:56:046 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:046 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:56:046 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:56:046 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:56:046 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:56:046 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:046 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_POWER : BA90AC82
17:41:56:046 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:56:046 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:046 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:046 3904
17:41:56:046 3904 Driver Name: Disk
17:41:56:046 3904 IRP_MJ_CREATE : BA90EBB0
17:41:56:046 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:046 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:56:046 3904 IRP_MJ_READ : BA908D1F
17:41:56:046 3904 IRP_MJ_WRITE : BA908D1F
17:41:56:046 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:046 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:56:046 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:56:046 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:56:046 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:56:046 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:046 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_POWER : BA90AC82
17:41:56:046 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:56:046 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:046 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:046 3904
17:41:56:046 3904 Driver Name: USBSTOR
17:41:56:046 3904 IRP_MJ_CREATE : 89E6F500
17:41:56:046 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:046 3904 IRP_MJ_CLOSE : 89E6F500
17:41:56:046 3904 IRP_MJ_READ : 89E6F500
17:41:56:046 3904 IRP_MJ_WRITE : 89E6F500
17:41:56:046 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:046 3904 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:046 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_DEVICE_CONTROL : 89E6F500
17:41:56:046 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89E6F500
17:41:56:046 3904 IRP_MJ_SHUTDOWN : 804F355A
17:41:56:046 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:046 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:046 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:046 3904 IRP_MJ_POWER : 89E6F500
17:41:56:046 3904 IRP_MJ_SYSTEM_CONTROL : 89E6F500
17:41:56:046 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:046 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:046 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: USBSTOR
17:41:56:062 3904 IRP_MJ_CREATE : 89E6F500
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : 89E6F500
17:41:56:062 3904 IRP_MJ_READ : 89E6F500
17:41:56:062 3904 IRP_MJ_WRITE : 89E6F500
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_SHUTDOWN : 804F355A
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : 89E6F500
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: USBSTOR
17:41:56:062 3904 IRP_MJ_CREATE : 89E6F500
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : 89E6F500
17:41:56:062 3904 IRP_MJ_READ : 89E6F500
17:41:56:062 3904 IRP_MJ_WRITE : 89E6F500
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_SHUTDOWN : 804F355A
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : 89E6F500
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: USBSTOR
17:41:56:062 3904 IRP_MJ_CREATE : 89E6F500
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : 89E6F500
17:41:56:062 3904 IRP_MJ_READ : 89E6F500
17:41:56:062 3904 IRP_MJ_WRITE : 89E6F500
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_SHUTDOWN : 804F355A
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : 89E6F500
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : 89E6F500
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: Disk
17:41:56:062 3904 IRP_MJ_CREATE : BA90EBB0
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:56:062 3904 IRP_MJ_READ : BA908D1F
17:41:56:062 3904 IRP_MJ_WRITE : BA908D1F
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:56:062 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : BA90AC82
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: Disk
17:41:56:062 3904 IRP_MJ_CREATE : BA90EBB0
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:56:062 3904 IRP_MJ_READ : BA908D1F
17:41:56:062 3904 IRP_MJ_WRITE : BA908D1F
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : BA9092E2
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
17:41:56:062 3904 IRP_MJ_SHUTDOWN : BA9092E2
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : BA90AC82
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : BA90F99E
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:062 3904
17:41:56:062 3904 Driver Name: atapi
17:41:56:062 3904 IRP_MJ_CREATE : BA5EAB40
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : BA5EAB40
17:41:56:062 3904 IRP_MJ_READ : 804F355A
17:41:56:062 3904 IRP_MJ_WRITE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_EA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_EA : 804F355A
17:41:56:062 3904 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:41:56:062 3904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : BA5EAB40
17:41:56:062 3904 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA5EAB40
17:41:56:062 3904 IRP_MJ_SHUTDOWN : 804F355A
17:41:56:062 3904 IRP_MJ_LOCK_CONTROL : 804F355A
17:41:56:062 3904 IRP_MJ_CLEANUP : 804F355A
17:41:56:062 3904 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_SET_SECURITY : 804F355A
17:41:56:062 3904 IRP_MJ_POWER : BA5EAB40
17:41:56:062 3904 IRP_MJ_SYSTEM_CONTROL : BA5EAB40
17:41:56:062 3904 IRP_MJ_DEVICE_CHANGE : 804F355A
17:41:56:062 3904 IRP_MJ_QUERY_QUOTA : 804F355A
17:41:56:062 3904 IRP_MJ_SET_QUOTA : 804F355A
17:41:56:078 3904 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:41:56:078 3904
17:41:56:078 3904 Completed
17:41:56:078 3904
17:41:56:078 3904 Results:
17:41:56:078 3904 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:41:56:078 3904 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:41:56:078 3904 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:41:56:078 3904
17:41:56:078 3904 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:41:56:078 3904 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:41:56:078 3904 KLMD(ARK) unloaded successfully

EMattvargas
Novice
Posts : 28
Joined : 2010-04-11
OS : windows xp
Points : 24714
Likes : 0

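The TDSSKiller log above prints, for every driver object it scans, the address of each IRP major-function dispatch handler and then a per-image "Verdict". The following is an added example (it is not part of the thread and not TDSSKiller's own verdict logic): a small parser for that "Scanning Kernel memory" section plus one triage heuristic a defender can run over it. It assumes two things, both labelled in the code: that the single address shared across unrelated drivers (804F355A in the posted log) is the kernel's stub for unimplemented majors, and that a driver whose remaining, implemented majors all resolve to one identical address is worth a closer look, because a normal driver implements CREATE, READ, DEVICE_CONTROL and POWER in separate functions while a dispatch-table hook or trampoline collapses them onto one entry point. The embedded sample is a constructed, trimmed excerpt of the posted log with the same addresses.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the TDSSKiller "Scanning Kernel memory"
# section posted in the thread. Addresses are those from the posted log; only the
# number of driver objects and IRP majors has been cut down.
SAMPLE_LOG = r"""
17:41:55:984 3904 Scanning Kernel memory ...
17:41:55:984 3904 Driver Name: Disk
17:41:55:984 3904 IRP_MJ_CREATE : BA90EBB0
17:41:55:984 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:55:984 3904 IRP_MJ_CLOSE : BA90EBB0
17:41:55:984 3904 IRP_MJ_READ : BA908D1F
17:41:55:984 3904 IRP_MJ_WRITE : BA908D1F
17:41:55:984 3904 IRP_MJ_DEVICE_CONTROL : BA9093BB
17:41:55:984 3904 IRP_MJ_POWER : BA90AC82
17:41:56:046 3904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:41:56:046 3904
17:41:56:046 3904 Driver Name: USBSTOR
17:41:56:046 3904 IRP_MJ_CREATE : 89E6F500
17:41:56:046 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:046 3904 IRP_MJ_CLOSE : 89E6F500
17:41:56:046 3904 IRP_MJ_READ : 89E6F500
17:41:56:046 3904 IRP_MJ_WRITE : 89E6F500
17:41:56:046 3904 IRP_MJ_DEVICE_CONTROL : 89E6F500
17:41:56:046 3904 IRP_MJ_POWER : 89E6F500
17:41:56:062 3904 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:41:56:062 3904 Driver Name: atapi
17:41:56:062 3904 IRP_MJ_CREATE : BA5EAB40
17:41:56:062 3904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:41:56:062 3904 IRP_MJ_CLOSE : BA5EAB40
17:41:56:062 3904 IRP_MJ_READ : 804F355A
17:41:56:062 3904 IRP_MJ_DEVICE_CONTROL : BA5EAB40
17:41:56:062 3904 IRP_MJ_POWER : BA5EAB40
17:41:56:078 3904 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:41:56:078 3904 Completed
"""

# Every TDSSKiller line starts with "hh:mm:ss:mmm <pid>"; the payload follows.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(\S.*?) - Verdict:\s*(\d+)$")


def parse_kernel_scan(text):
    """Group the per-driver IRP dispatch tables out of a TDSSKiller log.

    Returns one dict per 'Driver Name:' block, in log order:
    {'name', 'image', 'verdict', 'dispatch': {major: address}}.
    """
    drivers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a TDSSKiller log line
        body = m.group(1).strip()
        if not body:
            continue  # timestamp-only separator line
        if (d := DRIVER_RE.match(body)):
            current = {"name": d.group(1), "image": None, "verdict": None, "dispatch": {}}
            drivers.append(current)
        elif current is not None and (i := IRP_RE.match(body)):
            current["dispatch"][i.group(1)] = int(i.group(2), 16)
        elif current is not None and (v := VERDICT_RE.match(body)):
            current["image"], current["verdict"] = v.group(1), int(v.group(2))
    return drivers


def infer_default_stub(drivers):
    """Assumption: the one address present in more than one unrelated driver's
    table is the kernel stub that fills unimplemented majors (804F355A in the
    posted log). Returns None when no address is shared."""
    per_driver = Counter()
    for d in drivers:
        for addr in set(d["dispatch"].values()):
            per_driver[addr] += 1  # count drivers, not majors
    if not per_driver:
        return None
    addr, n = per_driver.most_common(1)[0]
    return addr if n > 1 else None


def single_trampoline_drivers(drivers, min_majors=3):
    """Heuristic (this example's assumption, not TDSSKiller's verdict): flag a
    driver whose own (non-stub) majors all resolve to one identical address.
    Returns de-duplicated (driver_name, address, [majors]) tuples."""
    stub = infer_default_stub(drivers)
    findings, seen = [], set()
    for d in drivers:
        own = {maj: a for maj, a in d["dispatch"].items() if a != stub}
        if len(own) < min_majors or len(set(own.values())) != 1:
            continue
        addr = next(iter(own.values()))
        if (d["name"], addr) in seen:
            continue  # the log repeats a driver once per device object
        seen.add((d["name"], addr))
        findings.append((d["name"], addr, sorted(own)))
    return findings


if __name__ == "__main__":
    parsed = parse_kernel_scan(SAMPLE_LOG)
    stub = infer_default_stub(parsed)
    print("default stub:", f"{stub:08X}" if stub is not None else "none")
    for name, addr, majors in single_trampoline_drivers(parsed):
        print(f"{name}: {len(majors)} majors all dispatch to {addr:08X}")
```

On the posted log every image gets "Verdict: 1", yet the heuristic singles out USBSTOR (everything on 89E6F500) and atapi (everything on BA5EAB40) while leaving Disk alone, whose majors land on five distinct disk.sys addresses. That lines up with the other tools in the thread: the GMER log posted later shows atapi's BA5EAB40 as "atapi.sys[unknown section]" and spgn.sys hooking atapi.sys imports, and the earlier MBR detector listed \Driver\atapi -> atapi.sys @ 0xba5eab40 under detected hooks. The script does not decide whether such a hook belongs to malware or to a legitimate disk-emulation or filter driver; it only narrows which dispatch tables deserve a manual look.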

Re: Total Security XP / redirect troubles

Post by Belahzur on 23rd April 2010, 12:49 am

Hmm, please run a new GMER scan and post the new log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1


Re: Total Security XP / redirect troubles

Post by EMattvargas on 23rd April 2010, 4:47 pm

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-22 22:00:17
Windows 5.1.2600 Service Pack 3
Running: rijplco4.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pfddipog.sys


---- System - GMER 1.0.15 ----

SSDT BAF8235E ZwCreateKey
SSDT BAF82354 ZwCreateThread
SSDT BAF82363 ZwDeleteKey
SSDT BAF8236D ZwDeleteValueKey
SSDT spgn.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT spgn.sys ZwEnumerateValueKey [0xBA6CE132]
SSDT BAF82372 ZwLoadKey
SSDT spgn.sys ZwOpenKey [0xBA6B50C0]
SSDT BAF82340 ZwOpenProcess
SSDT BAF82345 ZwOpenThread
SSDT spgn.sys ZwQueryKey [0xBA6CE20A]
SSDT spgn.sys ZwQueryValueKey [0xBA6CE08A]
SSDT BAF8237C ZwReplaceKey
SSDT BAF82377 ZwRestoreKey
SSDT BAF82368 ZwSetValueKey

INT 0x73 ? 8A5F7BF8
INT 0x82 ? 8A5F7BF8
INT 0xB1 ? 8A5FABF8
INT 0xB1 ? 8A5FABF8
INT 0xB1 ? 8A5FABF8
INT 0xB4 ? 8A0DCBF8
INT 0xB4 ? 8A0DCBF8
INT 0xB4 ? 8A0DCBF8
INT 0xB4 ? 8A0DCBF8

---- Kernel code sections - GMER 1.0.15 ----

? spgn.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96DB8AC 5 Bytes JMP 8A0DC1D8
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B912C4D0 48 Bytes [CA, 40, A2, A0, E6, 43, D0, ...]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.
.text atde37pf.SYS B90F2386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text atde37pf.SYS B90F23AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text atde37pf.SYS B90F23C4 3 Bytes [00, 80, 02]
.text atde37pf.SYS B90F23C9 1 Byte [30]
.text atde37pf.SYS B90F23C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B90A94D0 48 Bytes [73, D4, 35, F3, CA, FE, 69, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6B6042] spgn.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6B613E] spgn.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6B60C0] spgn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6B6800] spgn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6B66D6] spgn.sys
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\atde37pf.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6C5B90] spgn.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6621F8

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A0281F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 89FC41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6651F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6651F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6651F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6651F8
Device \Driver\usbohci \Device\USBPDO-1 89FC41F8
Device \Driver\usbehci \Device\USBPDO-2 89FB81F8
Device \Driver\PCI_PNP7320 \Device\00000053 spgn.sys
Device \Driver\PCI_PNP7320 \Device\00000054 spgn.sys
Device \Driver\PCI_PNP7320 \Device\00000055 spgn.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5F81F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5F81F8
Device \Driver\Cdrom \Device\CdRom0 8A0C71F8
Device \Driver\atapi \Device\Ide\IdePort0 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [BA5EAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A0C71F8
Device \Driver\Cdrom \Device\CdRom2 8A0C71F8
Device \Driver\Cdrom \Device\CdRom3 8A0C71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F19BB2CA-F797-4AC4-9E81-05E3C35A3D45} 89F66500
Device \Driver\Cdrom \Device\CdRom4 8A0C71F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89F66500
Device \Driver\NetBT \Device\NetbiosSmb 89F66500
Device \Driver\usbohci \Device\USBFDO-0 89FC41F8
Device \Driver\sptd \Device\2761803570 spgn.sys
Device \Driver\USBSTOR \Device\0000007a 89E6F500
Device \Driver\usbohci \Device\USBFDO-1 89FC41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F37500
Device \Driver\usbehci \Device\USBFDO-2 89FB81F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F37500
Device \Driver\USBSTOR \Device\0000007c 89E6F500
Device \Driver\USBSTOR \Device\0000007d 89E6F500
Device \Driver\Ftdisk \Device\FtControl 8A5F81F8
Device \Driver\USBSTOR \Device\0000007e 89E6F500
Device \Driver\USBSTOR \Device\0000007f 89E6F500
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 8A05C500
Device \Driver\atde37pf \Device\Scsi\atde37pf1 89F1E500
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port7Path0Target0Lun0 89EBE500
Device \Driver\atde37pf \Device\Scsi\atde37pf1Port6Path0Target0Lun0 89F1E500
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8A6641F8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port5Path0Target0Lun0 8A05C500
Device \Driver\dtscsi \Device\Scsi\dtscsi1 89EBE500
Device \Driver\imagedrv \Device\Scsi\imagedrv1Port4Path0Target0Lun0 8A6641F8
Device \FileSystem\Fastfat \Fat 8A0281F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89F5E500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1258007312
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 852776835
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0xE3 0xC6 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x88 0x69 0x0A 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0xC7 0xA6 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0x75 0xC0 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x24 0x11 0xD7 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x50 0x49 0xF6 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC8 0x9A 0x0E 0x06 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x50 0x5C 0xF4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0xE3 0xC6 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x88 0x69 0x0A 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0xC7 0xA6 0x39 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x50 0x49 0xF6 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC8 0x9A 0x0E 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x50 0x5C 0xF4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0xE3 0xC6 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x88 0x69 0x0A 0xC1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0xC7 0xA6 0x39 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x50 0x49 0xF6 0xE4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC8 0x9A 0x0E 0x06 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x50 0x5C 0xF4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0xE3 0xC6 0xA9 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x88 0x69 0x0A 0xC1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0xC7 0xA6 0x39 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x46 0xC4 0xB9 0xEC ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x24 0x11 0xD7 0xA0 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x55 0x08 0xFE 0x47 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x50 0x49 0xF6 0xE4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC8 0x9A 0x0E 0x06 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x50 0x5C 0xF4 ...

---- EOF - GMER 1.0.15 ----


Re: Total Security XP / redirect troubles

Post by Belahzur on 23rd April 2010, 4:54 pm

Hello.
We're gonna need to find a clean version of atapi.sys.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

    /md5start
    atapi.sys
    /md5stop

  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the pink Quick Scan button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe



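The /md5start directive above makes OTL list every copy of atapi.sys on the drive with its MD5, so the live driver can be compared with the cached copies. As an added example that is not part of the thread or of OTL's own code, the Python below does that comparison: it hashes each candidate path, groups the paths by digest and reports the copy that disagrees with the majority. The candidate locations and the file contents are constructed in a temporary directory so the script runs offline; on a real XP system the candidates would be the live driver in system32\drivers and the cached copies in system32\dllcache and ServicePackFiles\i386.

```python
"""Hash every candidate copy of a driver and flag the odd one out.

Added example, not code from the thread or from OTL. OTL's /md5start ...
/md5stop directive lists each matching file with its MD5; the grouping below
stands in for the comparison a helper otherwise does by eye.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 16


def md5_of_file(path):
    """Stream the file through MD5 so a large driver need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def find_outliers(digest_by_path):
    """Group paths by digest and return (groups, outliers).

    groups maps each MD5 to the paths carrying it; outliers are the paths whose
    digest is held by fewer copies than the most common digest. An empty
    outliers list only shows the copies agree with each other; it is not proof
    the file is clean, since a kernel-mode rootkit can filter what a file read
    returns.
    """
    groups = defaultdict(list)
    for path, digest in digest_by_path.items():
        groups[digest].append(path)
    if len(groups) < 2:
        return dict(groups), []
    majority = max(groups.values(), key=len)
    outliers = [p for ps in groups.values() if ps is not majority for p in ps]
    return dict(groups), outliers


def compare_copies(paths):
    """Hash the given files and run the outlier comparison on the digests."""
    return find_outliers({p: md5_of_file(p) for p in paths})


def build_constructed_sample(root):
    """Write three same-sized 'atapi.sys' copies under root; one is patched.

    The bytes are constructed filler for the demo, not real driver content.
    A same-size, different-content copy is the case a size check alone misses.
    """
    clean = bytes(range(256)) * 64  # 16 KiB of constructed filler
    patched = bytearray(clean)
    patched[0x400:0x404] = b"\xde\xad\xbe\xef"  # same length, altered content
    layout = {
        os.path.join("system32", "drivers", "atapi.sys"): bytes(patched),
        os.path.join("system32", "dllcache", "atapi.sys"): clean,
        os.path.join("ServicePackFiles", "i386", "atapi.sys"): clean,
    }
    paths = []
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        paths.append(full)
    return paths


def demo():
    """Compare the constructed copies; return the outliers relative to root."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_constructed_sample(root)
        groups, outliers = compare_copies(paths)
        for digest, ps in groups.items():
            print(digest, "held by", len(ps), "copy/copies")
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in outliers]


if __name__ == "__main__":
    print("odd one out:", demo())
```

The copy reported as the odd one out is the one to check against a known-good hash for that Windows build; the others are the candidates for a clean replacement.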
Re: Total Security XP / redirect troubles

Post by EMattvargas on 23rd April 2010, 5:27 pm

OTL logfile created on: 4/23/2010 10:12:19 AM - Run 3
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Compaq_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.30 Gb Total Space | 120.43 Gb Free Space | 67.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 545.32 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 370.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive N: | 955.73 Mb Total Space | 509.11 Mb Free Space | 53.27% Space Free | Partition Type: FAT

Computer Name: HORIXON
Current User Name: Compaq_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/15 13:28:46 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/04/01 10:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/30 04:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/06/08 16:41:18 | 000,118,784 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
PRC - [2006/01/09 14:56:04 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\LxrSII1s.exe
PRC - [2005/08/03 00:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


========== Modules (SafeList) ==========

MOD - [2010/04/15 13:28:46 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/01 21:02:24 | 001,029,456 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2006/01/09 14:56:04 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\LxrSII1s.exe -- (LxrSII1s)
SRV - [2005/08/03 00:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2005/07/13 21:18:10 | 000,065,536 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\VentSrv\ventrilo_svc.exe -- (Ventrilo)
SRV - [2005/04/01 10:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- (StarWindService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.cwu.edu/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 12:47:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 18:00:57 | 000,000,000 | ---D | M]

[2008/09/16 18:18:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Extensions
[2010/04/22 17:00:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions
[2010/01/23 12:23:23 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/01/23 12:39:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/22 16:01:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {70DE7956-479D-4EB7-8641-2B45774C350E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe (OLYMPUS IMAGING CORP.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BackupNoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} [You must be registered and logged in to see this link.] (Support.com Configuration Class)
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} [You must be registered and logged in to see this link.] (Enlite 2.x Simulation Engine Installer)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} [You must be registered and logged in to see this link.] (Solitaire Showdown Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.116.46.115 24.205.192.61 68.190.192.35
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/28 10:41:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/09/27 04:38:29 | 000,000,231 | R--- | M] () - J:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2005/09/23 05:19:37 | 001,003,520 | R--- | M] (Microsoft Corporation) - J:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2007/06/26 10:55:39 | 000,000,053 | R--- | M] () - K:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{634fb0fd-b01a-11da-a22d-0015f26cb2d8}\Shell - "" = AutoRun
O33 - MountPoints2\{634fb0fd-b01a-11da-a22d-0015f26cb2d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{634fb0fd-b01a-11da-a22d-0015f26cb2d8}\Shell\AutoRun\command - "" = J:\autorun.exe -- [2005/09/23 05:19:37 | 001,003,520 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{634fb0fd-b01a-11da-a22d-0015f26cb2d8}\Shell\directx\command - "" = J:\directx9\DXSETUP.exe -- [2005/05/26 16:34:41 | 000,482,000 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{634fb0fd-b01a-11da-a22d-0015f26cb2d8}\Shell\setup\command - "" = J:\setup.exe -- [2005/09/27 03:21:52 | 000,253,952 | R--- | M] ()
O33 - MountPoints2\{634fb105-b01a-11da-a22d-0015f26cb2d8}\Shell - "" = AutoRun
O33 - MountPoints2\{634fb105-b01a-11da-a22d-0015f26cb2d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{634fb105-b01a-11da-a22d-0015f26cb2d8}\Shell\AutoRun\command - "" = K:\launcher.exe -- [2007/06/26 10:55:53 | 000,151,552 | R--- | M] (SCS Software)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 14 Days ==========

[2010/04/23 10:11:58 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
[2010/04/22 22:01:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Avira
[2010/04/22 17:38:06 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Compaq_Administrator\Desktop\TDSSKiller.exe
[2010/04/22 16:07:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/21 18:27:17 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/21 18:27:14 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/21 18:27:14 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/04/21 18:27:14 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/21 18:27:14 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/21 18:27:13 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/21 18:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/16 00:38:29 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/16 00:38:29 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/16 00:38:29 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/16 00:38:29 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/16 00:37:53 | 000,000,000 | ---D | C] -- C:\Combo-Fix25308C
[2010/04/16 00:36:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/14 09:03:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/14 09:02:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/14 05:35:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/13 23:20:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/11 16:39:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/11 15:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/11 14:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/11 12:45:33 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/01/23 13:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/23 13:13:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/11/29 09:39:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/22 20:06:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/22 17:37:46 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\tdsskiller.zip
[2010/04/22 16:02:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/22 16:01:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/22 16:01:42 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/22 16:01:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/22 16:01:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/22 16:01:13 | 2078,855,168 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/22 16:00:23 | 012,845,056 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT
[2010/04/22 16:00:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Compaq_Administrator\ntuser.ini
[2010/04/22 15:45:47 | 012,275,628 | -H-- | M] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\IconCache.db
[2010/04/22 15:44:38 | 003,923,062 | R--- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
[2010/04/21 18:27:32 | 000,001,715 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/04/21 16:42:29 | 044,089,584 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\avira_antivir_personal_en.exe
[2010/04/20 08:44:51 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\c4h46gej.exe
[2010/04/20 08:44:30 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\rijplco4.exe
[2010/04/16 00:38:12 | 000,022,812 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\id7F4Wr0UP77
[2010/04/15 13:28:46 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
[2010/04/14 16:28:33 | 000,450,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/13 04:55:40 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/11 13:10:47 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/11 12:32:28 | 000,020,682 | -HS- | M] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\aax2jNyu4r5m2
[2010/04/10 04:48:03 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\~$tabaga pizza.docx
[2010/04/10 03:00:07 | 000,014,662 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\Garden 2010.xlsx
[2010/04/09 23:46:52 | 000,052,267 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\Rutabaga pizza.docx
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/22 17:37:48 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\tdsskiller.zip
[2010/04/22 15:44:22 | 003,923,062 | R--- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
[2010/04/21 18:27:32 | 000,001,715 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/04/21 16:40:38 | 044,089,584 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\avira_antivir_personal_en.exe
[2010/04/21 16:10:28 | 2078,855,168 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/20 08:45:26 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\c4h46gej.exe
[2010/04/20 08:44:32 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\rijplco4.exe
[2010/04/16 00:38:29 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/16 00:38:29 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/16 00:38:29 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/16 00:38:29 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/16 00:38:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/14 21:53:14 | 000,022,812 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\id7F4Wr0UP77
[2010/04/11 03:39:48 | 000,020,682 | -HS- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\aax2jNyu4r5m2
[2010/04/10 04:48:03 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\~$tabaga pizza.docx
[2010/04/10 02:56:42 | 000,014,662 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\Garden 2010.xlsx
[2010/03/05 11:33:44 | 000,000,686 | ---- | C] () -- C:\WINDOWS\ArcView9x.INI
[2010/02/20 14:34:58 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\OdiOlDVR.dll
[2010/02/20 14:34:58 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\OdiAPI.dll
[2010/01/29 08:29:07 | 000,072,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrSII1d.sys
[2010/01/27 15:18:40 | 000,185,596 | ---- | C] () -- C:\Program Files\uninstra.log
[2009/09/04 00:30:58 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/08/11 14:01:46 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/04/13 22:42:04 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/07/08 19:05:57 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2007/06/07 23:15:43 | 000,133,932 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\Cosmos Prefs
[2007/03/28 20:49:00 | 000,000,324 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
[2007/01/27 17:37:47 | 000,000,573 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Checkers.class
[2007/01/27 17:37:17 | 000,000,311 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Checkers.java
[2007/01/27 17:37:17 | 000,000,181 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Checkers.java~
[2007/01/25 20:03:03 | 000,001,296 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawMovingCar.class
[2007/01/25 20:02:35 | 000,012,273 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawingPanel$DiffImage.class
[2007/01/25 20:02:35 | 000,009,919 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawingPanel.class
[2007/01/25 20:02:35 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawingPanel$1.class
[2007/01/25 20:02:33 | 000,025,669 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawingPanel.java
[2007/01/25 20:00:54 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawMovingCar.java~
[2007/01/25 20:00:54 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\DrawMovingCar.java
[2007/01/22 18:41:49 | 000,000,507 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Grades.java
[2007/01/15 12:35:27 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\SpaceNeedle.java~
[2007/01/15 12:35:27 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\SpaceNeedle.java
[2007/01/15 12:12:58 | 000,000,461 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\.drjava
[2007/01/05 17:09:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/07/25 11:11:10 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\start
[2006/07/24 21:46:00 | 000,000,106 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2006/07/24 21:39:49 | 000,000,073 | ---- | C] () -- C:\WINDOWS\APOapp.INI
[2006/07/24 21:39:28 | 000,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini
[2006/07/24 21:36:36 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2006/07/24 21:36:36 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2006/06/06 02:48:50 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\bittorrent_errors.log
[2006/04/28 14:39:54 | 000,003,950 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\PatchUpdate_IZClosingDiscError.log
[2006/04/28 14:39:54 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2006/04/14 07:59:17 | 000,009,178 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
[2006/04/14 07:59:17 | 000,000,228 | ---- | C] () -- C:\WINDOWS\HP_ISRegionListUpdatelog_HPSU.ini
[2006/04/10 20:26:41 | 000,000,088 | ---- | C] () -- C:\WINDOWS\StyleBuilder.INI
[2006/04/07 00:36:19 | 000,003,083 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\PatchUpdate_InstantShareJPG.log
[2006/04/07 00:36:19 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/03/27 17:14:37 | 000,000,068 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/03/10 15:46:22 | 000,223,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\vaxscsi.sys
[2006/03/10 15:42:14 | 000,223,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\dtscsi.sys
[2006/03/08 01:49:27 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2006/03/08 00:47:05 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006/02/16 01:14:11 | 001,829,009 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\btdownloadgui_errors.log
[2006/01/26 09:14:04 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/22 00:36:30 | 000,001,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/01/21 18:00:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/01/21 14:48:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\.gtk-bookmarks
[2006/01/16 16:42:12 | 000,130,048 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/16 16:38:26 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2006/01/16 13:17:27 | 000,000,143 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\fusioncache.dat
[2006/01/16 13:17:24 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG
[2006/01/16 13:17:24 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Compaq_Administrator\ntuser.ini
[2006/01/16 13:17:23 | 012,845,056 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT
[2006/01/16 13:16:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/01/16 13:16:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2006/01/06 09:34:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/11/11 14:57:17 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/11 14:36:25 | 000,022,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2005/11/11 14:31:25 | 000,012,989 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/11/11 14:31:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/11/11 14:28:57 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/11/11 14:26:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/11 14:17:29 | 000,023,886 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/11/11 14:16:33 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2005/11/11 14:11:36 | 000,002,779 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/11/11 14:10:40 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/11/11 13:55:07 | 000,000,880 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/11/11 13:48:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/10/05 13:50:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/03 00:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2005/02/23 09:57:35 | 000,971,776 | ---- | C] () -- C:\WINDOWS\System32\SSCProt.dll
[2004/07/26 22:51:38 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1997/06/25 16:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\RegObj.dll
[1997/06/13 18:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== LOP Check ==========

[2007/04/03 16:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2007/07/08 19:05:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/01/23 12:42:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010/03/05 11:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESRI
[2009/11/19 10:51:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\myitlab
[2007/01/15 12:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSH
[2009/06/18 19:59:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2006/02/19 02:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent
[2007/04/03 16:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
[2010/01/23 13:23:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\DAEMON Tools Lite
[2005/11/11 14:15:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Digital Interactive Systems Corporation
[2010/03/07 00:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\ESRI
[2006/01/18 00:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\funkitron
[2009/05/21 10:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\GetRightToGo
[2006/07/24 19:34:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\iMesh
[2006/01/16 15:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\InterVideo
[2006/01/16 15:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Leadertech
[2007/01/15 12:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\SSH
[2007/03/28 20:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Template
[2009/05/21 10:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
[2006/03/07 22:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Vso
[2006/03/03 09:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\VSO_HWE
[2010/04/22 20:06:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
< End of report >

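The "< MD5 for: ATAPI.SYS >" block in the OTL log above lists each copy of the driver with its hash so the live file in system32\drivers can be compared with the backup copies. As an added example (not code from the thread, OTL or ComboFix), the script below parses lines in that format and flags a live driver whose hash disagrees with the backups; the all-zero hash in the second sample is a constructed placeholder.

```python
"""Cross-check the hashes OTL prints under '< MD5 for: ATAPI.SYS >'.

Parses the custom-scan lines in the format shown in the thread and compares
the live driver in system32\\drivers against the backup copies Windows keeps
(ERDNT\\cache, dllcache). A live copy that disagrees with every backup is the
file to inspect; agreement only shows the copies match, not that they are
clean, which is why the thread still restores atapi.sys from sp3.cab.
"""
import hashlib
import os
import re

# One hashed custom-scan line, e.g.
# [2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A... -- C:\...\atapi.sys
# The ".cab file" lines OTL lists carry no hash and are skipped.
MD5_LINE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Path suffix that identifies the copy the kernel actually loads.
LIVE_DRIVER_SUFFIX = r"\system32\drivers\atapi.sys"


def parse_md5_block(text):
    """Return one dict per hashed entry: path, md5 (upper-case), size, company."""
    entries = []
    for raw in text.splitlines():
        m = MD5_LINE.match(raw.strip())
        if m:
            entries.append({
                "path": m.group("path").strip(),
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company").strip(),
            })
    return entries


def hash_local_copies(paths):
    """Build the same entry dicts from files on disk, so the check can be run on
    a live machine (e.g. C:\\atapi.sys extracted from sp3.cab vs. the installed
    driver) without OTL. Not exercised by the constructed samples below."""
    entries = []
    for path in paths:
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entries.append({"path": path, "md5": h.hexdigest().upper(),
                        "size": os.path.getsize(path), "company": ""})
    return entries


def classify(entries, live_suffix=LIVE_DRIVER_SUFFIX):
    """Compare the live driver's hash with every backup copy.

    Returns the verdict ("match", "mismatch" or "no-live-copy"), the live
    hash, and the backup paths whose hash disagrees with the live file."""
    live = [e for e in entries if e["path"].lower().endswith(live_suffix.lower())]
    if not live:
        return {"verdict": "no-live-copy", "live_md5": None, "disagreeing": []}
    live_md5 = live[0]["md5"]
    disagreeing = [e["path"] for e in entries
                   if e not in live and e["md5"] != live_md5]
    return {"verdict": "mismatch" if disagreeing else "match",
            "live_md5": live_md5, "disagreeing": disagreeing}


# The block exactly as it appears in the OTL log posted in this thread.
CLEAN_BLOCK = r"""< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
"""

# Constructed sample: same layout, but the live driver's hash differs from the
# backups. The all-zero hash is a placeholder, not a real malware hash.
PATCHED_BLOCK = r"""< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\drivers\atapi.sys
"""

if __name__ == "__main__":
    for label, block in (("thread log", CLEAN_BLOCK), ("constructed", PATCHED_BLOCK)):
        r = classify(parse_md5_block(block))
        print(f"{label}: {r['verdict']} live={r['live_md5']} disagreeing={r['disagreeing']}")
```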

Re: Total Security XP / redirect troubles

Post by Belahzur on 23rd April 2010, 5:36 pm

Hello.
Please navigate to this file:
C:\WINDOWS\Driver Cache\i386\sp3.cab

Double click it and it will open like a folder.

Inside there, there is atapi.sys, right click, select Extract.

It will open a window for where you want it extracted to; select C:\ so it extracts the file to the root of your C:\ drive.



Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {70DE7956-479D-4EB7-8641-2B45774C350E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    [2010/04/14 21:53:14 | 000,022,812 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\id7F4Wr0UP77
    [2010/04/11 03:39:48 | 000,020,682 | -HS- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\aax2jNyu4r5m2


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Total Security XP / redirect troubles

Post by EMattvargas on 23rd April 2010, 6:08 pm

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{70DE7956-479D-4EB7-8641-2B45774C350E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70DE7956-479D-4EB7-8641-2B45774C350E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
C:\Documents and Settings\All Users\Application Data\id7F4Wr0UP77 moved successfully.
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\aax2jNyu4r5m2 moved successfully.

OTL by OldTimer - Version 3.2.1.1 log created on 04232010_105929


Re: Total Security XP / redirect troubles

Post by Belahzur on 23rd April 2010, 10:16 pm

Okay, did you extract the file to the root of the C:\ drive? Just checking.



Re: Total Security XP / redirect troubles

Post by EMattvargas on 24th April 2010, 12:05 am

Yes, I did extract the file to the root of the C:\ drive.


Re: Total Security XP / redirect troubles

Post by Belahzur on 24th April 2010, 5:21 pm

Hello.
Okay, do this next:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    FCopy::
    C:\atapi.sys | C:\WINDOWS\ERDNT\cache\atapi.sys
    C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe.



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: Total Security XP / redirect troubles

Post by EMattvargas on 25th April 2010, 12:09 am

Okay, did that and here is the log that was produced:

ComboFix 10-04-21.01 - Compaq_Administrator 04/24/2010 15:54:29.7.1 - x86
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\atapi.sys --> c:\WINDOWS\ERDNT\cache\atapi.sys
c:\atapi.sys --> c:\WINDOWS\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-23 17:58 . 2008-04-14 07:10 96512 ------w- C:\atapi.sys
2010-04-23 05:01 . 2010-04-23 05:01 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Avira
2010-04-22 01:27 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-22 01:27 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-22 01:27 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-22 01:27 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-22 01:27 . 2010-04-22 01:27 -------- d-----w- c:\program files\Avira
2010-04-22 01:27 . 2010-04-22 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-04-19 01:45 . 2008-04-14 07:10 5504 ----a-w- C:\intelide.sys
2010-04-16 07:37 . 2010-04-16 08:08 -------- d-----w- C:\Combo-Fix25308C
2010-04-14 06:20 . 2010-04-14 06:20 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 20:15 . 2009-06-18 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 20:11 . 2010-01-23 19:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-06-18 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-06-18 14:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 23:39 . 2010-01-27 22:12 -------- d-----w- c:\program files\Revealing Archaeology
2010-03-12 09:02 . 2006-01-16 20:17 142992 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:23 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ESRI
2010-03-05 18:25 . 2010-03-05 18:25 -------- d-----w- c:\program files\ESRI
2010-03-05 18:16 . 2010-03-05 18:10 -------- d-----w- c:\program files\ArcGIS
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-05 18:15 . 2010-03-05 18:15 -------- d-----w- c:\program files\Leica Geosystems
2010-03-05 18:14 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\ESRI
2010-03-05 18:11 . 2010-03-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESRI
2010-01-27 22:18 . 2010-01-27 22:18 185596 ----a-w- c:\program files\uninstra.log
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-04-22 01:27 . 2009-05-11 17:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-04-14 12:00 . 2008-04-14 07:10 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-04-21 23:44 . 2010-04-21 23:44 219648 c:\windows\Installer\1fe665.msi
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-2-20 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 04:02 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-04-24 22:22 1833984 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1137892249\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 21:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 07:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-06 21:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 22:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2006-12-14 72672]
S3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2006-03-10 223128]

.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:02]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\bl51p9w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-24 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spqt.sys >>UNKNOWN [0x8A618938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba674cb8
\Driver\atapi -> atapi.sys @ 0xba5eab40
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba47bbd4
PacketIndicateHandler -> NDIS.sys @ 0xba487a21
SendHandler -> NDIS.sys @ 0xba47bd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\arservice.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\ehome\mcrdsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-24 17:06:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-25 00:06
ComboFix2.txt 2010-04-22 23:07
ComboFix3.txt 2010-04-21 23:17
ComboFix4.txt 2010-04-21 18:26
ComboFix5.txt 2010-04-24 22:52

Pre-Run: 129,277,820,928 bytes free
Post-Run: 129,220,919,296 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 71C95F3EA72212E44FA5BE058F5D9491


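The ComboFix output in the post above records three things worth reading together: the Windows Firewall standard profile is switched off ("EnableFirewall"= 0) with its notifications suppressed, the AuthorizedApplications list carries standing exceptions for executables under the user's own "Documents and Settings" tree, and Internet Explorer's ProxyServer is set to http=127.0.0.1:5555, which forces the browser's traffic through whatever process is listening on that local port. The script below is an added example for this thread, not ComboFix's or the forum's own code: it parses log lines of exactly this shape and flags those indicators. The sample lines are constructed to mirror the quoted entries; the function names and the indicator labels are this example's own choices.

```python
"""Triage a ComboFix-style log excerpt for network-hijack indicators.

Added example for this thread; it is not ComboFix's or the forum's own code.
The sample lines are constructed to mirror the entries quoted in the thread,
and the function names and indicator labels are assumptions of this example.
"""
import re

# Constructed sample in the shape of the thread's ComboFix output
# (raw string: the doubled backslashes are ComboFix's own rendering).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=\s*(.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.*)$")
PROFILE_KEY = "hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
# Directory markers an unprivileged user can write to; an executable living
# there does not deserve a standing firewall exception.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\appdata\\", "\\temp\\")


def parse_log(text):
    """Return (sections, proxy): registry values keyed by lower-cased key path,
    plus the raw ProxyServer string (None if that line is absent)."""
    sections, current, proxy = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1).strip()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections, proxy


def dword(data):
    """Decode ComboFix's REG_DWORD renderings: '0 (0x0)', '1 (0x1)' or 'dword:00000001'."""
    if data is None:
        return None
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def find_indicators(text):
    """List indicator labels found in the excerpt; an empty list means nothing flagged."""
    sections, proxy = parse_log(text)
    findings = []
    policy = sections.get(PROFILE_KEY, {})
    if dword(policy.get("EnableFirewall")) == 0:
        findings.append("firewall-disabled")
    if dword(policy.get("DisableNotifications")) == 1:
        findings.append("firewall-notifications-suppressed")
    exceptions = sections.get(PROFILE_KEY + "\\authorizedapplications\\list", {})
    for path in exceptions:
        normalised = path.replace("\\\\", "\\").lower()
        if any(mark in normalised for mark in USER_WRITABLE):
            findings.append("firewall-exception-user-writable:" + normalised)
    if proxy:
        # ProxyServer is either 'host:port' or 'scheme=host:port;scheme=host:port'.
        for host, port in re.findall(r"(?:^|;)(?:\w+=)?([^:;=]+):(\d+)", proxy):
            if host == "localhost" or host.startswith("127."):
                findings.append(f"loopback-proxy:{host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Run on the constructed sample it reports the disabled firewall, the suppressed notifications, the one exception under a user-writable path and the loopback proxy. Treat the proxy finding as a lead rather than a verdict: some legitimate filtering and antivirus products also install a local proxy, so confirm which process owns the port (netstat -ano on Windows, then match the PID) before removing the setting.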
Re: Total Security XP / redirect troubles

Post by Belahzur on 25th April 2010, 8:42 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


Re: Total Security XP / redirect troubles

Post by EMattvargas on 27th April 2010, 5:12 am

The computer seems to be running well now. Thank you very much for your wonderful assistance!

Re: Total Security XP / redirect troubles

Post by Belahzur on 27th April 2010, 8:39 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: Total Security XP / redirect troubles

Post by EMattvargas on 3rd May 2010, 7:14 am

I apologize for the long response time; I did not think to check back to make sure that everything was cleared. This is the log file that was produced by running ESET:

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7ebda1d04654fb4dab589b1dd317920a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-03 06:16:34
# local_time=2010-05-02 11:16:34 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=130065
# found=2
# cleaned=2
# scan_time=6098
C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP11\A0001081.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Total Security XP / redirect troubles

Post by Belahzur on 3rd May 2010, 9:55 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

