View Full Version : serach redirect and new window popup ads.
buddycraigg
2010-02-03, 06:55
About 2 weeks ago I was watching a news video on yahoo. And out of nowhere i got like 7 spybot "access denied" or something like that above the clock. in the lower right corner.
An advertisement came up saying that my computer was infected and I needed to purchase Internet Security 2010.
I knew it was a scam and just shut down the computer to deal with it the next night.
I followed the instructions here
http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
and everything seemed fine.
About last week, I noticed google redirects and small pop up windows.
I have a 17yo stepson that knows everything and may have ran other programs. I found these setup files in the recycle bin.
super anti spyware
ad aware
avira
So these may or may not have been tried.
I asked him, but as a parent, do you know when a teenager is lying???
When their mouth is moving.
I ran the maulwarebytes thing from the instructions in the other link.
spybot was already installed and running.
AVG was installed and running.
anyway, here's my log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:36 PM, on 2/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ondemand5.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O23 - Service: Google Update Service (gupdate1c97e9c79feed18) (gupdate1c97e9c79feed18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5786 bytes
Hello buddycraigg
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
First open Malwarebytes and go to the Logs tab, open it and copy and paste the log into this thread.
Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
buddycraigg
2010-02-07, 12:33
hello ken545.
Thank you for trying to help me.
I had already followed the steps listed in Before you post
buddycraigg
2010-02-07, 13:07
DAMN
I assumed that I would be able to edit my post to add this log file.
But I have to make a new post to my thread.
Malwarebytes' Anti-Malware 1.44
Database version: 3649
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
1/28/2010 12:01:54 AM
mbam-log-2010-01-28 (00-01-54).txt
Scan type: Full Scan (C:\|)
Objects scanned: 163771
Time elapsed: 1 hour(s), 5 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{149966B9-0AD4-4C3A-9CC2-D96281C9EA09}\RP759\A0105439.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{149966B9-0AD4-4C3A-9CC2-D96281C9EA09}\RP759\A0106444.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{149966B9-0AD4-4C3A-9CC2-D96281C9EA09}\RP759\A0106445.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
What Malwarebytes found where bad entries in your System Restore Program and those entries are nasty.
Lets see what RootRepeal and OTL finds
buddycraigg
2010-02-08, 07:36
Lets see what RootRepeal and OTL finds
I feel like an idiot
I didn't include the second half of my last message the other night.
so I'm going to start over.
SOME members of the house don't care if there is a problem with the computer and keep using it.
So I put a bios password on it so I will be the only person messing with it until it's fixed.
here is tonight's Malwarebytes log...
Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
2/7/2010 7:56:40 PM
mbam-log-2010-02-07 (19-56-40).txt
Scan type: Full Scan (C:\|)
Objects scanned: 168844
Time elapsed: 44 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{149966B9-0AD4-4C3A-9CC2-D96281C9EA09}\RP773\A0107755.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{149966B9-0AD4-4C3A-9CC2-D96281C9EA09}\RP773\A0107756.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
.
.
RootRepeal hangs every time I try it.
I let it sit for 2 hours tonight before I did a hard reboot by holding in the power button.
It will scan
Drivers
Processes
SSDT
but hangs on Hidden Services
The clock in the lower right corner stops
I can not move the pointer
and the hard drive light on the front of the tower stays on solid.
CTRL+ALT+DELETE does nothing.
for what it's worth, here are the logs for Drivers, Processes, SSDT
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/07 20:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xF793F000 Size: 16384 File Visible: No Signed: -
Status: -
Name: dump_nvidesm.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvidesm.sys
Address: 0xB374C000 Size: 20480 File Visible: No Signed: -
Status: -
Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xB6FCC000 Size: 49152 File Visible: No Signed: -
Status: -
==EOF==
.
.
.
.
.
.
.
.
OTL seemed to run.
OTL logfile created on: 2/7/2010 8:56:30 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\buddy\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 2.10 Gb Free Space | 11.25% Space Free | Partition Type: NTFS
Drive D: | 111.76 Gb Total Space | 75.52 Gb Free Space | 67.58% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADDY-TP53Z8UEU
Current User Name: buddy
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\buddy\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\LEXPPS.EXE (Lexmark International, Inc.)
PRC - C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\buddy\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (gupdate1c97e9c79feed18) Google Update Service (gupdate1c97e9c79feed18) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (LexBceS) -- C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
========== Driver Services (SafeList) ==========
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (Point32) -- C:\WINDOWS\system32\drivers\point32.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (EIO) -- C:\WINDOWS\system32\drivers\EIO.sys (ASUSTeK Computer Inc.)
DRV - (NVENET) -- C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)
DRV - (nvidesm) -- C:\WINDOWS\system32\drivers\nvidesm.sys (NVIDIA Corporation)
DRV - (nv_agp) -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PSC60x) Philips PCI Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\pscaudio.sys (Philips Components (PSS))
DRV - (SONYPVU1) Sony USB Filter Driver (SONYPVU1) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS (Sony Corporation)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (HCW848NT) -- C:\WINDOWS\system32\drivers\HCW848NT.sys (Hauppauge Computer Works)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ondemand5.com/
IE - HKCU\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
========== FireFox ==========
FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.33.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.1.20080205
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s
FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/10/28 22:32:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 18:11:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 06:46:17 | 000,000,000 | ---D | M]
[2008/12/04 19:50:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\Mozilla\Extensions
[2010/02/03 21:41:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\extensions
[2008/07/08 17:31:35 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/02 20:12:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/12 15:36:00 | 000,073,789 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npjwp.dll
O1 HOSTS File: ([2007/10/20 00:21:32 | 000,192,954 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 6834 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab (CKAVWebScan Object)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe (Virtools WebPlayer Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/19 20:25:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/02/07 05:19:46 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\buddy\Desktop\OTL.exe
[2010/02/07 05:19:17 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\buddy\Desktop\RootRepeal(2).exe
[2010/02/07 05:09:21 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\buddy\Desktop\RootRepeal.exe
[2010/02/04 20:00:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/04 20:00:07 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/03 22:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Local Settings\Application Data\wbktgf
[2010/02/03 22:03:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Local Settings\Application Data\ilxfsd
[2010/02/02 21:48:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/02 21:48:08 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/02/02 21:38:02 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\buddy\Desktop\erunt-setup.exe
[2010/02/02 21:24:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/02 21:24:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/02 21:24:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/02 21:24:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/02 21:22:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/02/02 21:22:40 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/02/02 18:58:27 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/02 18:58:18 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\buddy\Desktop\HJTInstall.exe
[2010/02/02 18:51:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/01 21:37:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/31 20:49:23 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/30 20:40:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/30 20:21:50 | 091,338,304 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\buddy\Desktop\Ad-AwareInstallation.exe
[2010/01/30 00:54:57 | 000,891,248 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\buddy\Desktop\avg_free_stb_all_9_40_cnet(2).exe
[2010/01/28 00:41:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/28 00:40:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Application Data\SUPERAntiSpyware.com
[2010/01/28 00:40:06 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/27 22:43:59 | 005,061,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\buddy\Desktop\mbam-setup.exe
[2010/01/27 20:54:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/01/27 20:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Application Data\Malwarebytes
[2010/01/27 20:25:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/27 20:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/27 02:22:17 | 000,000,000 | ---D | C] -- C:\ComputerRequirementsTemp
[2010/01/26 23:55:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Desktop\oh death01_data
[2010/01/24 03:42:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Desktop\ms2fb
[2010/01/24 03:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Local Settings\Application Data\bhxcdy
[2010/01/23 00:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\buddy\Desktop\CD
[2010/01/13 07:13:40 | 000,470,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/02/11 18:12:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/01/24 21:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/02/07 20:51:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/07 20:51:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/07 20:51:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/07 20:37:53 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\buddy\NTUSER.DAT
[2010/02/07 20:04:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\settings.dat
[2010/02/07 19:57:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\buddy\ntuser.ini
[2010/02/07 19:36:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/07 05:19:44 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\buddy\Desktop\OTL.exe
[2010/02/07 05:19:14 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\buddy\Desktop\RootRepeal(2).exe
[2010/02/07 05:09:18 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\buddy\Desktop\RootRepeal.exe
[2010/02/07 02:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/07 00:35:40 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/06 01:30:55 | 000,119,296 | ---- | M] () -- C:\Documents and Settings\buddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/04 20:00:12 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/04 03:27:24 | 000,000,565 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2010/02/04 03:27:24 | 000,000,032 | ---- | M] () -- C:\WINDOWS\HCWBTDLG.INI
[2010/02/02 21:48:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\ERUNT.lnk
[2010/02/02 21:38:01 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\buddy\Desktop\erunt-setup.exe
[2010/02/02 20:51:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\buddy\Local Settings\Application Data\prvlcl.dat
[2010/02/02 20:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/02 20:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/02 18:58:34 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\HijackThis.lnk
[2010/02/02 18:58:20 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\buddy\Desktop\HJTInstall.exe
[2010/02/02 18:45:32 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/02 18:45:32 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/02 00:42:03 | 000,000,517 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/02 00:42:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/02 00:42:03 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/02/01 21:35:16 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/02/01 03:03:38 | 003,841,968 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\ComboFix.exe
[2010/01/31 20:33:28 | 030,909,992 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\avira_antivir_personal_en.exe
[2010/01/30 20:38:35 | 091,338,304 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\buddy\Desktop\Ad-AwareInstallation.exe
[2010/01/30 00:54:55 | 000,891,248 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\buddy\Desktop\avg_free_stb_all_9_40_cnet(2).exe
[2010/01/28 00:37:18 | 007,520,288 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\SUPERAntiSpyware.exe
[2010/01/27 22:44:14 | 005,061,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\buddy\Desktop\mbam-setup.exe
[2010/01/27 10:23:46 | 000,263,168 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\rkill.com
[2010/01/27 01:29:25 | 000,000,001 | ---- | M] () -- C:\s
[2010/01/27 00:17:52 | 000,004,512 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\oh death01.aup
[2010/01/27 00:13:01 | 000,004,666 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\oh death01.aup.bak
[2010/01/23 02:16:57 | 012,620,844 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\oh death.wav
[2010/01/17 06:16:46 | 001,938,996 | ---- | M] () -- C:\Documents and Settings\buddy\Desktop\Don Ho...Tiny Bubbles!.wmv
[2010/01/14 02:18:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/02/07 20:04:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\settings.dat
[2010/02/04 20:00:12 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/02 21:48:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\ERUNT.lnk
[2010/02/02 18:58:34 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\HijackThis.lnk
[2010/02/01 03:03:37 | 003,841,968 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\ComboFix.exe
[2010/01/31 20:29:16 | 030,909,992 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\avira_antivir_personal_en.exe
[2010/01/30 20:45:18 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/30 20:45:18 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/30 20:45:18 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/30 20:45:18 | 000,000,458 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/30 20:45:18 | 000,000,458 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/30 08:18:27 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\buddy\Local Settings\Application Data\prvlcl.dat
[2010/01/28 00:37:01 | 007,520,288 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\SUPERAntiSpyware.exe
[2010/01/27 20:18:54 | 000,263,168 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\rkill.com
[2010/01/27 01:29:25 | 000,000,001 | ---- | C] () -- C:\s
[2010/01/26 23:55:24 | 000,004,666 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\oh death01.aup.bak
[2010/01/26 23:55:24 | 000,004,512 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\oh death01.aup
[2010/01/26 23:42:50 | 012,620,844 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\oh death.wav
[2010/01/17 06:16:33 | 001,938,996 | ---- | C] () -- C:\Documents and Settings\buddy\Desktop\Don Ho...Tiny Bubbles!.wmv
[2009/11/15 02:22:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/11/15 02:19:24 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS49.DLL
[2009/03/23 20:38:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/03/10 22:45:05 | 000,007,298 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/11/21 18:40:36 | 000,003,630 | ---- | C] () -- C:\WINDOWS\jw9p.ini
[2008/09/28 18:20:44 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/09/28 18:19:40 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/09/28 18:19:39 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/11/28 01:17:16 | 000,119,296 | ---- | C] () -- C:\Documents and Settings\buddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/27 22:07:38 | 000,000,335 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2007/10/21 01:28:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SetOutput60x.dll
[2007/10/19 23:06:39 | 000,000,032 | ---- | C] () -- C:\WINDOWS\HCWBTDLG.INI
[2007/10/19 23:04:48 | 000,000,565 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2007/10/19 21:42:15 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/28 10:07:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/09/28 10:05:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/09/28 10:05:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/09/28 10:05:08 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/09/17 00:07:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/09/17 00:07:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/09/17 00:07:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/09/17 00:07:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/09/17 00:07:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
========== LOP Check ==========
[2008/05/01 21:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Future Systems Solutions
[2007/12/18 20:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2007/10/20 00:31:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/03/02 00:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2007/10/20 00:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/05/01 21:16:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\Future Systems Solutions
[2007/12/18 20:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\iolo
[2008/09/28 18:20:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\pdf995
[2007/10/22 19:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\Ulead Systems
[2009/10/04 15:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buddy\Application Data\XNote Stopwatch
[2010/02/02 20:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/02/07 02:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/02/02 18:45:32 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/02/02 18:45:32 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/02/02 20:43:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
========== Purity Check ==========
< End of report >
.
.
.
.
.
.
.
.
.
OTL Extras logfile created on: 2/7/2010 8:56:30 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\buddy\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 2.10 Gb Free Space | 11.25% Space Free | Partition Type: NTFS
Drive D: | 111.76 Gb Total Space | 75.52 Gb Free Space | 67.58% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADDY-TP53Z8UEU
Current User Name: buddy
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}" = Ulead VideoStudio 7 SE DVD
"{7602015C-88CB-4301-934D-C285B5BAA700}" = Philips Sound Agent 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BC2FE771-EDBE-3087-A676-2B6C45A2BF7E}" = Google Gears
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{DD77FBEB-7821-4065-A83B-BA03DA94B930}" = Casper 4.0
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Audacity_is1" = Audacity 1.2.6
"Bink and Smacker" = Bink and Smacker
"Canon PhotoStitch 3.1" = Canon Utilities PhotoStitch 3.1
"CANONBJ_Deinstall_CNMCP49.DLL" = Canon i550
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"ERUNT_is1" = ERUNT 1.1j
"Hauppauge English Help Files and Resources" = Hauppauge English Help Files and Resources
"Hauppauge WinTV NT4/Win2000 Drivers" = Hauppauge WinTV NT4/Win2000 Drivers
"Hauppauge WinTV2000" = Hauppauge WinTV2000
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InterActual Player" = InterActual Player
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Lexmark 510 Series" = Lexmark 510 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAnForce" = NVIDIA Windows 2000/XP nForce Drivers
"Pdf995" = Pdf995
"Pennock's Image Poster_is1" = Pennock's Image Poster v1.07
"Pennock's Photo Renamer_is1" = Pennock's Photo Renamer v1.0
"PhotoRecord" = Canon PhotoRecord
"PSC Audio Driver" = PSC Audio Driver
"RealPlayer 6.0" = RealPlayer
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XNote Stopwatch" = XNote Stopwatch
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager
"ZoomBrowserEXDeInstall" = Canon Utilities ZoomBrowser EX
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 4/24/2009 2:34:34 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 4/24/2009 2:57:26 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00036dfa.
Error - 4/26/2009 1:11:02 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00036dfa.
Error - 4/26/2009 1:43:14 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module agcore.dll, version 2.0.40115.0, fault address 0x0001255b.
Error - 4/26/2009 2:59:41 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00036dfa.
Error - 4/26/2009 3:01:05 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1001
Description = Fault bucket 1232240568.
Error - 4/26/2009 3:22:43 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00036dfa.
Error - 4/26/2009 3:24:42 AM | Computer Name = DADDY-TP53Z8UEU | Source = Application Error | ID = 1001
Description = Fault bucket 1232240568.
Error - 5/13/2009 8:08:14 PM | Computer Name = DADDY-TP53Z8UEU | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 5/30/2009 2:19:37 AM | Computer Name = DADDY-TP53Z8UEU | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Professional with FrontPage -- Error
1706. Setup cannot find the required files. Check your connection to the network,
or CD-ROM drive. For other potential solutions to this problem, see C:\Program
Files\Microsoft Office\Office10\1033\SETUP.HLP.
[ System Events ]
Error - 2/7/2010 10:51:57 PM | Computer Name = DADDY-TP53Z8UEU | Source = nvidesm | ID = 262153
Description = The device, \Device\Scsi\nvidesm1, did not respond within the timeout
period.
Error - 2/7/2010 10:51:57 PM | Computer Name = DADDY-TP53Z8UEU | Source = nvidesm | ID = 262153
Description = The device, \Device\Scsi\nvidesm1, did not respond within the timeout
period.
< End of report >
buddycraigg
2010-02-08, 07:45
and thank you for your time.
Hi,
Combofix has been run on this computer before, if its run on your own without supervision , this forum, myself and sUbs will not be responsible to any damage that it may do. Its a very powerful tool and what it can fix on one system it may damage another.
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:dir
C:\Documents and Settings\buddy\Local Settings\Application Data\wbktgf
C:\Documents and Settings\buddy\Local Settings\Application Data\ilxfsd
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
You have Combofix on your desktop, drag it to the trash and download a new copy.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
buddycraigg
2010-02-09, 03:44
I dont think combofix had actually be run before, because I had to install the microsoft recovery console.
Here's tonights exciting log files....
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:06 on 08/02/2010 by buddy (Administrator - Elevation successful)
========== dir ==========
C:\Documents and Settings\buddy\Local Settings\Application Data\wbktgf - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
C:\Documents and Settings\buddy\Local Settings\Application Data\ilxfsd - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
-=End Of File=-
ComboFix 10-02-08.04 - buddy 02/08/2010 19:14:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1717 [GMT -6:00]
Running from: c:\documents and settings\buddy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\s
C:\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\program files\ERUNT
2010-02-03 00:58 . 2010-02-03 00:58 -------- d-----w- c:\program files\Trend Micro
2010-02-01 02:49 . 2010-02-02 03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-31 02:40 . 2010-01-31 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 14:18 . 2010-02-03 02:51 0 ----a-w- c:\documents and settings\buddy\Local Settings\Application Data\prvlcl.dat
2010-01-28 06:41 . 2010-01-28 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\documents and settings\buddy\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 02:58 . 2010-01-28 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\buddy\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-02-05 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:22 . 2010-01-27 08:22 -------- d-----w- C:\ComputerRequirementsTemp
2010-01-24 09:18 . 2010-01-26 18:09 -------- d-----w- c:\documents and settings\buddy\Local Settings\Application Data\bhxcdy
2010-01-13 13:13 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 08:35 . 2008-04-17 23:37 -------- d-----w- c:\documents and settings\buddy\Application Data\Move Networks
2010-02-03 08:32 . 2010-02-03 08:32 144160 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\uninstall.exe
2010-02-03 08:32 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-03 08:32 . 2010-02-03 08:32 1436320 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-02-03 08:19 . 2010-02-03 08:19 1956072 ----a-w- c:\documents and settings\buddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-03 03:22 . 2007-10-20 06:14 -------- d-----w- c:\program files\SpywareGuard
2010-02-01 00:59 . 2007-10-20 06:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 07:01 . 2009-04-18 01:00 -------- d-----w- c:\program files\AVG
2010-01-27 08:11 . 2007-10-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 07:14 . 2009-03-14 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-07 22:07 . 2010-02-05 02:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2010-02-05 02:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2002-09-03 20:03 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-10-20 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-03 19:35 17408 ------w- c:\windows\system32\corpol.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-11-21 16:36 . 2002-09-03 19:32 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-11 198160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [10/19/2007 10:25 PM 140440]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [10/21/2007 1:28 AM 365460]
S2 gupdate1c97e9c79feed18;Google Update Service (gupdate1c97e9c79feed18);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2009 9:24 PM 133104]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ondemand5.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npjwp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 19:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvidesm.sys >>UNKNOWN [0x89B348C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a07b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7421ba0
PacketIndicateHandler -> NDIS.sys @ 0xf742eb21
SendHandler -> NDIS.sys @ 0xf740c87b
user & kernel MBR OK
**************************************************************************
.
Completion time: 2010-02-08 19:25:41
ComboFix-quarantined-files.txt 2010-02-09 01:25
Pre-Run: 4,095,668,224 bytes free
Post-Run: 4,273,262,592 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 594B88266DB604E3FD013128D785E9D5
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:23 PM, on 2/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ondemand5.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O23 - Service: Google Update Service (gupdate1c97e9c79feed18) (gupdate1c97e9c79feed18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5386 bytes
Hi,
You can go ahead and delete these
C:\Documents and Settings\buddy\Local Settings\Application Data\wbktgf
C:\Documents and Settings\buddy\Local Settings\Application Data\ilxfsd
c:\documents and settings\buddy\Local Settings\Application Data\bhxcdy
How are things running now ?
buddycraigg
2010-02-10, 05:10
Something is still going on.
using Firefox 3.0.17
a google search for "obama"
the first link was
www.obamadeception.net
redirected to
www.healthline.com
a google search for "ABC"
the first link was
http://abcnews.go.com/US/story?id=7736489&page=1
redirected to
http://hotjobs.yahoo.com/
a google search for "amazing grace"
the first link was
http://www.amazinggracemovie.com/
redirected to
http://www.addresses.com/yellow-pages/category:Amazing+Grace/location:Kansas+City,MO/listings.html
if I click on the link a second time, it goes to the correct page.
buddycraigg
2010-02-10, 05:13
and I just went to a car forum that I answer questions on.
and a small firefox window popped with this in the address bar
http://pop.doubleclick.net/popup2.php?r=Vb]ix%23D-~xQRgPqx]T%27%23%23}eg}U}%60Pn%27]Gx%40%23%60gE%60~%23Je~P6E]Pi%23
Doubleclick are tracking cookies.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
buddycraigg
2010-02-10, 19:25
small problem...
I deleted those 3 folders.
Did a bit of surfing on the net.
and there was a bunch of security updates that microsoft forced on me.
and when it restarted, BAM!
BSOD.
pressed the power button.
BSOD again.
I am not aware of any windows updates that have caused any issues
Try this
With computer off press the power button
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
buddycraigg
2010-02-11, 02:30
I chose Last Known Good
that got me to the screen to pick recovery console or XP pro.
I chose xp pro.
when I pressed enter, the screen goes blank
and about 3 seconds later, i get the BSOD
Your going to have to choose the Recovery Console, don't know what the updates have done to cause this
buddycraigg
2010-02-11, 04:47
ok,
i'm in a DOS screen at the C:\WINDOWS prompt.
Hi,
Do you have your windows CD or recovery CD that came with your computer ?
http://support.microsoft.com/kb/307654
buddycraigg
2010-02-11, 17:41
yes.
If I'm going to need it i'll have to unplug the D drive and plug in the CDROM
Great, what I am going to do is link you to our sister sites windows forum and they can help you with the recovery, then post back here when your up and running and we will make sure your clean
Let them know that this happened after a windows update, you can link them to this thread if you wish so they can see what we have done.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Ken
buddycraigg
2010-02-13, 04:53
Update KB977165 seems to have been my BSOD problem.
Whatthetech got me fixed up in no time.
GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:49 on 12/02/2010 (buddy)
Firefox version 3.0.17 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:52 20/10/2007]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [00:53 29/09/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [00:47 22/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [03:34 25/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:36 24/04/2009]
C:\Documents and Settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [00:01 08/10/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [23:26 08/07/2008]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:46 22/11/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:53 05/10/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [04:32 29/10/2009]
-=E.O.F=-
Great, WTT is our sister site and they are a great crew :bigthumb:
How are things running now, are you still being redirected ?
buddycraigg
2010-02-13, 06:03
yes, still being redireted.
buddycraigg
2010-02-13, 06:07
a search for "crew" sent me here
http://8002.1936_2710.local-search-pages.com/jump2/?affiliate=rs4&subid=1936_2710&terms=crew
a search for "nokia" sent me to
http://www.ononeworld.com/?mkt=us&keywords=nokia&referrer=lsm2&category=ron&kwid=nokia&lpid=60713-2710&veri=newslost.com
a search for prague sent me to
http://lsbf.60712.asklots.com/jump2/?affiliate=lsbf&subid=60712&terms=prague
buddycraigg
2010-02-13, 07:05
Ok I've got 2 small window pop ups in firefox
http://pop.doubleclick.net/popup2.php?r=n]%23_}G%60Q%22g~g]xG5Qe%40%27xe%3B%60]}F%23%60%27Px
and
http://pp.directaclick.com/popup2.php?r=GP\8nkE_VP\-c4Z%40ece-%40G%26gRRR%27I%23P.GPU\Zcx4U%23nc4%3BZPP_%26_EJec}eE4xccRZcG%23k%60%3BcG1P%3BZ_nPZgnqEPQkZxEGUQWUG_wk%40gZQgGR}JPaQ%23e]ERUqZZZ%60Q{T\%3BQaRQRPnc%60ZbZU%27nQe-Q%264xeQ~WeRP%3BkP\UgFJ%26R%27%3BFQgQ4PF~Q~wTaRQfnP6%27%60__W]%6048~U4%27}REP\RkRiwcGcZtiJ%3BcPe_
We are looking at your master boot record possibly being infected.
Download mbr.exe to your Desktop.
http://www2.gmer.net/mbr/mbr.exe
Right click it and select CUT
click on My Computer
Click on your C:\ drive to open it
Then up on the toolbar click on Edit > Paste or right click anywhere in C and select Paste. mbr.exe has to be in C:\
You can close my computer
Then go to Start > Run and copy and paste this in
cmd /c mbr -t>"%userprofile%\Desktop\mbr.txt"
Click OK
It will place a text file on your desktop, copy and paste it for me to see please
buddycraigg
2010-02-14, 01:59
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvidesm.sys >>UNKNOWN [0x89B4D8C8]<<
kernel: MBR read successfully
user & kernel MBR OK
Lets dig deeper for a rootkit
Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
Next:
Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php)
This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip)
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
buddycraigg
2010-02-14, 04:41
DeFogger did not give me any error message.
but it also did NOT ask to reboot.
So I did a normal restart
and I'll post the logs just in case.
defogger_disable by jpshortstuff (29.01.10.1)
Log created at 19:27 on 13/02/2010 (buddy)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
something else odd, while GMER was running, and the ethernet cable was unplugged, microsoft was giving me updates.??? it was KB977165
I did not let it install
and here's gmer's log
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-13 20:31:32
Windows 5.1.2600 Service Pack 2
Running: yh3d6ukr.exe; Driver: C:\DOCUME~1\buddy\LOCALS~1\Temp\fwrirkod.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\nvidesm.sys entry point in ".rsrc" section [0xF771B380]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7744A1E]
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\nvidesm.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Good Morning,
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract the file and run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
please post the content of that log TDSSKiller
buddycraigg
2010-02-15, 02:38
18:33:32:328 3948 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
18:33:32:328 3948 ================================================================================
18:33:32:328 3948 SystemInfo:
18:33:32:328 3948 OS Version: 5.1.2600 ServicePack: 2.0
18:33:32:328 3948 Product type: Workstation
18:33:32:328 3948 ComputerName: DADDY-TP53Z8UEU
18:33:32:328 3948 UserName: buddy
18:33:32:328 3948 Windows directory: C:\WINDOWS
18:33:32:328 3948 Processor architecture: Intel x86
18:33:32:328 3948 Number of processors: 1
18:33:32:328 3948 Page size: 0x1000
18:33:32:328 3948 Boot type: Normal boot
18:33:32:328 3948 ================================================================================
18:33:32:343 3948 UnloadDriverW: NtUnloadDriver error 2
18:33:32:343 3948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:33:32:359 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:33:32:390 3948 UtilityInit: KLMD drop and load success
18:33:32:390 3948 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
18:33:32:390 3948 UtilityInit: KLMD open success
18:33:32:390 3948 UtilityInit: Initialize success
18:33:32:390 3948
18:33:32:390 3948 Scanning Services ...
18:33:32:390 3948 CreateRegParser: Registry parser init started
18:33:32:390 3948 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
18:33:32:390 3948 CreateRegParser: DisableWow64Redirection error
18:33:32:390 3948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:33:32:390 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
18:33:32:390 3948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:33:32:390 3948 wfopen_ex: Trying to KLMD file open
18:33:32:390 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
18:33:32:390 3948 wfopen_ex: File opened ok (Flags 2)
18:33:32:390 3948 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 9C4C08
18:33:32:390 3948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:33:32:390 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
18:33:32:390 3948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:33:32:390 3948 wfopen_ex: Trying to KLMD file open
18:33:32:390 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
18:33:32:390 3948 wfopen_ex: File opened ok (Flags 2)
18:33:32:390 3948 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 9C4CB0
18:33:32:390 3948 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
18:33:32:390 3948 CreateRegParser: EnableWow64Redirection error
18:33:32:390 3948 CreateRegParser: RegParser init completed
18:33:32:515 3948 GetAdvancedServicesInfo: Raw services enum returned 308 services
18:33:32:515 3948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:33:32:515 3948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:33:32:515 3948
18:33:32:515 3948 Scanning Kernel memory ...
18:33:32:515 3948 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:33:32:515 3948 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89B87940
18:33:32:531 3948 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
18:33:32:531 3948
18:33:32:531 3948 DetectCureTDL3: DEVICE_OBJECT: 89B50C68
18:33:32:531 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B50C68
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B50C68[0x38]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT: 89B87940
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87940[0xA8]
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0xE101CE68[0x18]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:33:32:531 3948 DetectCureTDL3: IrpHandler (0) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (2) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
18:33:32:531 3948 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
18:33:32:531 3948 DetectCureTDL3: IrpHandler (5) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (6) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (7) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (8) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (9) addr: F7638366
18:33:32:531 3948 DetectCureTDL3: IrpHandler (10) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (11) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (12) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (13) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (14) addr: F763844D
18:33:32:531 3948 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
18:33:32:531 3948 DetectCureTDL3: IrpHandler (16) addr: F7638366
18:33:32:531 3948 DetectCureTDL3: IrpHandler (17) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (18) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (19) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (20) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (21) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
18:33:32:531 3948 DetectCureTDL3: IrpHandler (23) addr: F763EA24
18:33:32:531 3948 DetectCureTDL3: IrpHandler (24) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (25) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (26) addr: 804FB8DE
18:33:32:531 3948 TDL3_FileDetect: Processing driver: Disk
18:33:32:531 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:531 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:531 3948 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:33:32:531 3948
18:33:32:531 3948 DetectCureTDL3: DEVICE_OBJECT: 89C01C68
18:33:32:531 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89C01C68
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89C01C68[0x38]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT: 89B87940
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87940[0xA8]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xE101CE68[0x18]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:33:32:546 3948 DetectCureTDL3: IrpHandler (0) addr: F763DC30
18:33:32:546 3948 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (2) addr: F763DC30
18:33:32:546 3948 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
18:33:32:546 3948 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
18:33:32:546 3948 DetectCureTDL3: IrpHandler (5) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (6) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (7) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (8) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (9) addr: F7638366
18:33:32:546 3948 DetectCureTDL3: IrpHandler (10) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (11) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (12) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (13) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (14) addr: F763844D
18:33:32:546 3948 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
18:33:32:546 3948 DetectCureTDL3: IrpHandler (16) addr: F7638366
18:33:32:546 3948 DetectCureTDL3: IrpHandler (17) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (18) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (19) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (20) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (21) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
18:33:32:546 3948 DetectCureTDL3: IrpHandler (23) addr: F763EA24
18:33:32:546 3948 DetectCureTDL3: IrpHandler (24) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (25) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (26) addr: 804FB8DE
18:33:32:546 3948 TDL3_FileDetect: Processing driver: Disk
18:33:32:546 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:546 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:546 3948 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:33:32:546 3948
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B5CAB8
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B5CAB8
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3DA88
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3DA88
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B87030
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B87030
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87030[0x38]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT: 89B3EE48
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3EE48[0xA8]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xE153A2A0[0x1E]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvidesm, Driver Name: nvidesm
18:33:32:546 3948 DetectCureTDL3: IrpHandler (0) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (1) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (2) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (3) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (4) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (5) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (6) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (7) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (8) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (9) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (10) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (11) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (12) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (13) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (14) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (15) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (16) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (17) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (18) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (19) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (20) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (21) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (22) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (23) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (24) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (25) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (26) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: All IRP handlers pointed to one addr: F771AEF6
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xF771AEF6[0x400]
18:33:32:546 3948 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3E81C[0x4]
18:33:32:546 3948 TDL3_IrpHookDetect: New IrpHandler addr: 89B4D8C8
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B4D8C8[0x400]
18:33:32:546 3948 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
18:33:32:546 3948 Driver "nvidesm" Irp handler infected by TDSS rootkit ... 18:33:32:546 3948 KLMD_WriteMem: Trying to WriteMemory 0x89B4D94E[0xD]
18:33:32:546 3948 cured
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xF748540E[0x400]
18:33:32:546 3948 TDL3_StartIoHookDetect: CheckParameters: 1, F748917C, 0
18:33:32:546 3948 TDL3_FileDetect: Processing driver: nvidesm
18:33:32:546 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:546 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:625 3948 TDL3_FileDetect: C:\WINDOWS\system32\drivers\nvidesm.sys - Verdict: Infected
18:33:32:625 3948 File C:\WINDOWS\system32\drivers\nvidesm.sys infected by TDSS rootkit ... 18:33:32:625 3948 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:625 3948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:33:32:625 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
18:33:32:703 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
18:33:32:750 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
18:33:32:796 3948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
18:33:33:265 3948 TDL3_FileCure: Backup copy not found, trying to cure infected file..
18:33:33:265 3948 TDL3_FileCure: Cure success, using it..
18:33:33:265 3948 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk396.tmp, system32\drivers\nvidesm.sys)
18:33:33:265 3948 TDL3_FileCure: KLMD jobs schedule success
18:33:33:265 3948 will be cured on next reboot
18:33:33:265 3948
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B5C030
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B5C030
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3DBA0
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3DBA0
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3BA38
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3BA38
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3BA38[0x38]
18:33:33:265 3948 DetectCureTDL3: DRIVER_OBJECT: 89B3EE48
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3EE48[0xA8]
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xE153A2A0[0x1E]
18:33:33:265 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvidesm, Driver Name: nvidesm
18:33:33:265 3948 DetectCureTDL3: IrpHandler (0) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (1) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (2) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (3) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (4) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (5) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (6) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (7) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (8) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (9) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (10) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (11) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (12) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (13) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (14) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (15) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (16) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (17) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (18) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (19) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (20) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (21) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (22) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (23) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (24) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (25) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (26) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: All IRP handlers pointed to one addr: F771AEF6
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xF771AEF6[0x400]
18:33:33:265 3948 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3E81C[0x4]
18:33:33:265 3948 TDL3_IrpHookDetect: New IrpHandler addr: 89B4D8C8
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B4D8C8[0x400]
18:33:33:265 3948 TDL3_IrpHookDetect: TDL3 is already cured
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xF748540E[0x400]
18:33:33:265 3948 TDL3_StartIoHookDetect: CheckParameters: 1, F748917C, 0
18:33:33:265 3948 TDL3_FileDetect: Processing driver: nvidesm
18:33:33:265 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk396.tmp - Verdict: Clean
18:33:33:265 3948 UtilityBootReinit: Reboot required for cure complete..
18:33:33:265 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
18:33:33:281 3948 UtilityBootReinit: KLMD drop success
18:33:33:281 3948 KLMD_ApplyPendList: Pending buffer(4A2A_5C1F, 624) dropped successfully
18:33:33:281 3948 UtilityBootReinit: Cure on reboot scheduled successfully
18:33:33:281 3948
18:33:33:281 3948 Completed
18:33:33:281 3948
18:33:33:281 3948 Results:
18:33:33:281 3948 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:33:33:281 3948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:33:33:281 3948 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:33:33:281 3948
18:33:33:281 3948 UnloadDriverW: NtUnloadDriver error 1
18:33:33:281 3948 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:33:33:281 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:33:33:281 3948 UtilityDeinit: KLMD(ARK) unloaded successfully
Make sure you reboot after running TDSSKiller. Drag Combofix to the trash and grab a fresh copy as its updated on a regular basis.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
buddycraigg
2010-02-15, 04:36
hey...
that 's not what you said to do before.
I ran combo fix from the old icon on my desktop.
it said that there was a new version and downloaded it.
here's the log from that scan.
and I'll redo it following the instructions you just posted.
ComboFix 10-02-12.01 - buddy 02/14/2010 20:20:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1727 [GMT -6:00]
Running from: c:\documents and settings\buddy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.
2010-02-13 23:48 . 2010-02-13 23:48 77312 ----a-w- C:\mbr.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 13:58 2136064 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2015744 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-05 02:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:00 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 08:32 . 2010-02-03 08:32 144160 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\uninstall.exe
2010-02-03 08:32 . 2010-02-03 08:32 1436320 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-02-03 08:19 . 2010-02-03 08:19 1956072 ----a-w- c:\documents and settings\buddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\program files\ERUNT
2010-02-03 00:58 . 2010-02-03 00:58 -------- d-----w- c:\program files\Trend Micro
2010-02-01 02:49 . 2010-02-02 03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-31 02:40 . 2010-01-31 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 14:18 . 2010-02-03 02:51 0 ----a-w- c:\documents and settings\buddy\Local Settings\Application Data\prvlcl.dat
2010-01-28 06:41 . 2010-01-28 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\documents and settings\buddy\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 02:58 . 2010-01-28 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\buddy\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-02-05 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:22 . 2010-01-27 08:22 -------- d-----w- C:\ComputerRequirementsTemp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 00:34 . 2007-10-20 04:07 20224 ----a-w- c:\windows\system32\drivers\nvidesm.sys
2010-02-03 08:35 . 2008-04-17 23:37 -------- d-----w- c:\documents and settings\buddy\Application Data\Move Networks
2010-02-03 08:32 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-03 03:22 . 2007-10-20 06:14 -------- d-----w- c:\program files\SpywareGuard
2010-02-01 00:59 . 2007-10-20 06:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 07:01 . 2009-04-18 01:00 -------- d-----w- c:\program files\AVG
2010-01-27 08:11 . 2007-10-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 07:14 . 2009-03-14 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2002-09-03 20:03 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-10-20 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-03 19:35 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2002-09-03 19:57 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2007-10-20 02:20 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 14:41 . 2002-09-03 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2002-09-03 19:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2002-09-03 19:48 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2002-09-03 19:47 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2002-09-03 19:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 16:36 . 2002-09-03 19:32 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-09_01.21.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-15 02:13 . 2010-02-15 02:13 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2002-09-03 19:48 . 2009-11-27 16:37 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2009-12-14 07:35 . 2009-12-14 07:35 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-06-10 14:21 . 2009-11-27 16:37 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2002-09-03 19:55 . 2009-12-08 08:59 474112 c:\windows\system32\shlwapi.dll
- 2002-09-03 19:55 . 2007-08-22 12:55 474112 c:\windows\system32\shlwapi.dll
+ 2006-08-14 10:34 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
+ 2007-08-22 13:12 . 2009-12-08 08:59 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2007-08-22 13:12 . 2007-08-22 12:55 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-12-16 12:58 . 2009-12-16 12:58 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\system32\dllcache\mrxsmb.sys
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2010-02-10 10:08 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-02-10 10:08 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-10-20 05:27 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-11 198160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [10/19/2007 10:25 PM 140440]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [10/21/2007 1:28 AM 365460]
S2 gupdate1c97e9c79feed18;Google Update Service (gupdate1c97e9c79feed18);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2009 9:24 PM 133104]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ondemand5.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npjwp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 20:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-14 20:30:41
ComboFix-quarantined-files.txt 2010-02-15 02:30
ComboFix2.txt 2010-02-09 01:25
Pre-Run: 4,071,571,456 bytes free
Post-Run: 4,036,108,288 bytes free
- - End Of File - - 47772846F493495778239AD8E769B899
buddycraigg
2010-02-15, 05:05
ComboFix 10-02-12.01 - buddy 02/14/2010 20:52:40.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1721 [GMT -6:00]
Running from: c:\documents and settings\buddy\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.
2010-02-13 23:48 . 2010-02-13 23:48 77312 ----a-w- C:\mbr.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 13:58 2136064 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2015744 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-05 02:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:00 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 08:32 . 2010-02-03 08:32 144160 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\uninstall.exe
2010-02-03 08:32 . 2010-02-03 08:32 1436320 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-02-03 08:19 . 2010-02-03 08:19 1956072 ----a-w- c:\documents and settings\buddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\program files\ERUNT
2010-02-03 00:58 . 2010-02-03 00:58 -------- d-----w- c:\program files\Trend Micro
2010-02-01 02:49 . 2010-02-02 03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-31 02:40 . 2010-01-31 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 14:18 . 2010-02-03 02:51 0 ----a-w- c:\documents and settings\buddy\Local Settings\Application Data\prvlcl.dat
2010-01-28 06:41 . 2010-01-28 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\documents and settings\buddy\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 02:58 . 2010-01-28 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\buddy\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-02-05 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:22 . 2010-01-27 08:22 -------- d-----w- C:\ComputerRequirementsTemp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 00:34 . 2007-10-20 04:07 20224 ----a-w- c:\windows\system32\drivers\nvidesm.sys
2010-02-03 08:35 . 2008-04-17 23:37 -------- d-----w- c:\documents and settings\buddy\Application Data\Move Networks
2010-02-03 08:32 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-03 03:22 . 2007-10-20 06:14 -------- d-----w- c:\program files\SpywareGuard
2010-02-01 00:59 . 2007-10-20 06:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 07:01 . 2009-04-18 01:00 -------- d-----w- c:\program files\AVG
2010-01-27 08:11 . 2007-10-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 07:14 . 2009-03-14 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2002-09-03 20:03 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-10-20 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-03 19:35 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2002-09-03 19:57 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2007-10-20 02:20 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 14:41 . 2002-09-03 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2002-09-03 19:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2002-09-03 19:48 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2002-09-03 19:47 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2002-09-03 19:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 16:36 . 2002-09-03 19:32 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-09_01.21.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-15 02:47 . 2010-02-15 02:47 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2002-09-03 19:48 . 2009-11-27 16:37 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2009-12-14 07:35 . 2009-12-14 07:35 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-06-10 14:21 . 2009-11-27 16:37 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2002-09-03 19:55 . 2009-12-08 08:59 474112 c:\windows\system32\shlwapi.dll
- 2002-09-03 19:55 . 2007-08-22 12:55 474112 c:\windows\system32\shlwapi.dll
+ 2006-08-14 10:34 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
+ 2007-08-22 13:12 . 2009-12-08 08:59 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2007-08-22 13:12 . 2007-08-22 12:55 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-12-16 12:58 . 2009-12-16 12:58 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\system32\dllcache\mrxsmb.sys
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2010-02-10 10:08 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-02-10 10:08 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-10-20 05:27 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-11 198160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [10/19/2007 10:25 PM 140440]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [10/21/2007 1:28 AM 365460]
S2 gupdate1c97e9c79feed18;Google Update Service (gupdate1c97e9c79feed18);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2009 9:24 PM 133104]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ondemand5.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npjwp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 20:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-14 21:01:45
ComboFix-quarantined-files.txt 2010-02-15 03:01
ComboFix2.txt 2010-02-09 01:25
Pre-Run: 4,039,999,488 bytes free
Post-Run: 3,996,803,072 bytes free
- - End Of File - - FF10CDD83C982F5C9FE3FC30C441E06F
.
.
.
.
.
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:16 PM, on 2/14/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ondemand5.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O23 - Service: Google Update Service (gupdate1c97e9c79feed18) (gupdate1c97e9c79feed18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5355 bytes
Hi,
I edited my post after I posted because I just wanted to make sure you had the latest version of Combofix, no harm done
What happened here is a Rootkit type of infection infected your NVIDIA graphic driver and it looks like TDSSKiller fixed it. This Rootkit was also responsible for blue screening your computer so it would not start, it was not the fault of the windows update. This has just come to lite, PAWS that helped you at WhattheTech informed me that he has fixed a dozen or so computers on account of this and further investigation has found that the rootkit was responsible.
How are things running now ?
buddycraigg
2010-02-16, 07:02
I think I am good.
But maybe you should leave this thread open for a week and close it if I don't report back again.
I am a little peeved that I had AVG and spybot running and nothing stopped it.
I must give spybot S&D some credit though, I knew something happened because of all of the "access blocked" windows that popped up in the lower right corner of the screen.
Thanks for the help.
please don't take offense, but I hope I don't see you for a long time.
Buddy Craigg
buddycraigg
2010-02-16, 07:03
shouldn't there be a donation link at the bottom of the page?
Good Morning Buddy,
I will leave this open for you for a week, if you have problems in the future and this is closed, just start a new topic.
Thanks for your offer of a donation, the link is up on the top right of this page, any donation big or small just goes to help keep us online.
No offense takin :) This garbage is not fun and getting harder and harder to clean as time goes on.
Buddy, there is no one silver bullet to prevent all this garbage from installing but I am going to link you to some free tools to install that will all help. Every little bit helps. One thing is your operating system is outdated as is your Internet Explorer browser, updating them is part of the security plan. Open IE and go to Tools > Windows Updates and download and install all critical updates including Service Pack 3 and Internet Explorer 8
Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 18, if not proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.
Java SE Runtime Environment (JRE)JRE 6 Update 18 <--The wording is confusing but this is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Malwarebytes is the free version and yours to keep, update it and run a scan once a week or so
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
buddycraigg
2010-02-16, 11:41
sorry to ask.
I don't use IE unless i have to look up something for my car forum.
shouldn't i
errr
how do i, update my firefox?
I only use IE myself when I need it, I am a Firefox junkie
Open Firefox and go to Help > Check for Updates. The latest version is 3.6
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.