Browser redirect problem

derekfz
2010-02-07, 22:39
Two nights ago, I did a routine Spybot update + scan and a Malwarebytes update + scan. MB found nothing at the time, but Spybot found two or three different things, which I then had it delete. I didn't expect that either would find anything; ordinarily everything comes out 100% clean. Well, I'm experiencing a problem now that I wasn't experiencing before I did the scans. What happens is, when using Firefox (I haven't tried this in IE because as a rule I pretty much never use it unless I "have" to for some reason), if I search Google for something, typically the first time I click on a result it will redirect me to some other page and I have to go back and do it again. Before posting this, I did a Spybot scan and a MB scan and neither found anything, but I'm still having this problem.

HJT log below. Thanks for any assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:26 PM, on 2/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1207218324\ee\AOLSoftware.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Derek\Desktop\Maintainance\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080314
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1207218324\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Derek"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Derek"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://96.230.136.179:82/plugin/h263ctrl.cab
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9519 bytes

Blade81
2010-02-12, 17:25
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) by clicking the "Download EXE" button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

derekfz
2010-02-13, 23:00
Thanks for your assistance. First, here is the DDS log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Derek at 15:54:50.10 on Sat 02/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.649 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100213-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1207218324\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Derek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Washer] c:\program files\washer\washer.exe /0
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HostManager] c:\program files\common files\aol\1207218324\ee\AOLSoftware.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [VOBID] c:\program files\pinnacle\instantcddvd\instantdrive\InstantDrive.exe /remount
mRun: [IW ControlCenter] c:\program files\pinnacle\instantcddvd\instantwrite\iwctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\derek\startm~1\programs\startup\regist~1.lnk - c:\program files\pinnacle\instantcddvd\sharedfiles\pixie\RegTool.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://96.230.136.179:82/plugin/h263ctrl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\derek\applic~1\mozilla\firefox\profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\derek\application data\mozilla\firefox\profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\derek\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\derek\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-5-7 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-7 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-5-27 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-7 138680]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-7 352920]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-9-7 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-7 254040]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\ptdmbus.sys --> c:\windows\system32\drivers\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\ptdmmdm.sys --> c:\windows\system32\drivers\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\ptdmvsp.sys --> c:\windows\system32\drivers\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\ptdmwwan.sys --> c:\windows\system32\drivers\PTDMWWAN.sys [?]

=============== Created Last 30 ================

2010-03-02 21:43:41 0 d-----w- c:\program files\RAR Password Recovery Magic
2010-02-07 16:24:29 0 d-----w- c:\program files\Zappabase
2010-01-24 19:27:52 0 d-----w- c:\program files\Ant Renamer
2010-01-23 02:24:18 0 d-----w- c:\program files\RAR Password Cracker

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 15:55:45.82 ===============

Second, attached is the Attach log generated by DDS (attach.zip)

Third, the log generated by GMER.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-13 15:59:17
Windows 5.1.2600 Service Pack 3
Running: y7vwywn4.exe; Driver: C:\DOCUME~1\Derek\LOCALS~1\Temp\kxtoapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
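The HJT log in the first post and the DDS report above both contain the kinds of lines a helper scans for before deciding what to remove: an O16/DPF ActiveX control pulled from a bare IP address on port 82, a hosts-file entry sending a security site to loopback, Firefox set to proxy mode 4 (auto-detect), two registrations whose backing file is gone, and a "Created Last 30" entry dated 2010-03-02 in a scan run on 2010-02-13. The following Python is an added example and is not part of this thread, of HijackThis or of DDS: the rule set, the function names (flag_line, triage) and the "check" wording are this example's own assumptions, SCAN_TIME is taken from the DDS header ("Run by Derek at 15:54:50.10 on Sat 02/13/2010"), and the sample input is a handful of lines copied from the two posted logs.

```python
"""Triage heuristics for HijackThis and DDS "pseudo HJT" log lines.

Added example for this thread; not part of HijackThis, DDS or the forum's
procedure. The rules, names (flag_line, triage) and the "check" wording are
this example's assumptions, not the tools' verdicts.
"""
import re
from datetime import datetime
from typing import List, Tuple

# Sample input: lines copied verbatim from the HJT and DDS logs posted in
# this thread (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://96.230.136.179:82/plugin/h263ctrl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.type - 4
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-7 114768]
2010-03-02 21:43:41 0 d-----w- c:\program files\RAR Password Recovery Magic
2010-02-07 16:24:29 0 d-----w- c:\program files\Zappabase
"""

# From the DDS header: "Run by Derek at 15:54:50.10 on Sat 02/13/2010"
SCAN_TIME = datetime(2010, 2, 13, 15, 54, 50)

# DDS defangs URL schemes as hxxp://; accept both spellings.
_URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s:]+)(?::(\d+))?", re.I)
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
_PROXY_RE = re.compile(r"network\.proxy\.type\s*-\s*(\d+)")
# DDS ("2010-03-02 21:43:41 ...") and ComboFix ("2010-03-02 21:43 . ...") date prefixes
_DATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?::\d{2})?\s")

# Meaning of Firefox's network.proxy.type preference values
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}

Finding = Tuple[str, str]  # (reason, log line)


def flag_line(line: str, scan_time: datetime) -> List[str]:
    """Return the reasons (possibly none) a single log line deserves a look."""
    s = line.strip()
    reasons: List[str] = []
    if not s:
        return reasons

    # 1. ActiveX control (O16 / DPF) fetched from a bare IP or an odd port.
    if s.startswith(("O16", "DPF:")):
        m = _URL_RE.search(s)
        if m:
            host, port = m.group(1), m.group(2)
            if _IPV4_RE.match(host):
                reasons.append(f"ActiveX download from raw IP {host}")
            if port and port not in ("80", "443"):
                reasons.append(f"ActiveX download on non-standard port {port}")

    # 2. hosts-file entry: a public name pinned to loopback (blocking) or
    #    sent elsewhere (redirect). Hosts-file blocklists also add loopback
    #    entries, so a loopback hit is "verify", not "malware".
    m = _HOSTS_RE.match(s)
    if m:
        addr, name = m.group(1), m.group(2)
        if name.lower() != "localhost":
            if addr in ("127.0.0.1", "0.0.0.0", "::1"):
                reasons.append(f"hosts file blocks {name}; verify you or your blocklist added it")
            else:
                reasons.append(f"hosts file redirects {name} to {addr}")

    # 3. Firefox proxy mode other than direct/system: a planted PAC file or a
    #    rogue WPAD answer is one way search-result clicks get redirected.
    m = _PROXY_RE.search(s)
    if m:
        t = int(m.group(1))
        if t not in (0, 5):
            reasons.append(f"Firefox proxy mode {t} ({PROXY_TYPES.get(t, 'unknown')}); check the proxy/PAC it resolves to")

    # 4. Registration whose backing file is gone (orphan, or a hidden/removed component).
    if "No File" in s or re.search(r"-->\s.*\[\?\]$", s):
        reasons.append("registration points at a missing file")

    # 5. File created "after" the scan itself: the clock was wrong or the timestamp was set.
    m = _DATED_RE.match(s)
    if m:
        when = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        if when > scan_time.date():
            reasons.append(f"file dated {when}, later than the scan on {scan_time.date()}")
    return reasons


def triage(log_text: str, scan_time: datetime) -> List[Finding]:
    """Run flag_line over every line; return (reason, line) pairs in log order."""
    return [(r, ln.strip()) for ln in log_text.splitlines() for r in flag_line(ln, scan_time)]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"[check] {reason}\n        {line}")
```

Run as-is it prints the flags raised by the posted lines; pass the text of a full DDS.txt or HJT log to triage() to use it on a real report. Everything it emits is a prompt to look, not a verdict: the control at 96.230.136.179:82 could as easily be an IP camera's viewer plugin as something planted, and loopback hosts entries are exactly what hosts-file blocklists produce. One caveat the DDS line `mPolicies-system: EnableLUA = 0` invites: that value governs UAC, which Windows XP does not have, so on this machine it is inert and not a finding.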

Blade81
2010-02-14, 00:27
Hello,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer:

µTorrent

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the program(s) listed above.

After that:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix; see this link (http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

derekfz
2010-02-15, 06:17
I have encountered a problem in performing the next step of this process. I uninstalled uTorrent without issue, disabled Spybot's TeaTimer, disabled Avast anti-virus and downloaded ComboFix.exe. However, when I double-clicked the ComboFix icon and it went to install/run the program, my computer froze up each time before the installation could begin. I attempted to run ComboFix.exe three or four times, each time with the same result: the computer froze and I had to restart. I can provide you with another DDS log; however, I can't get ComboFix to run and I'm not sure how to make it run without having this problem. Any further assistance you can provide on this issue would be much appreciated.

derekfz
2010-02-15, 13:00
A few hours ago, I double-clicked ComboFix.exe and just walked away and left the computer alone to see if it would ever just start running on its own. At some point, I came back and it was ready to scan (it was at least an hour to an hour and a half before it loaded up, as I recall). Hence, please disregard the previous post.

Ok, here's the ComboFix log:

ComboFix 10-02-12.01 - Derek 02/15/2010 5:35.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1590 [GMT -5:00]
Running from: c:\documents and settings\Derek\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100214-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\ModemLog_PANTECH USB Modem .txt

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-03-02 21:43 . 2010-03-02 21:43 -------- d-----w- c:\program files\RAR Password Recovery Magic
2010-02-11 01:02 . 2009-08-05 00:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-07 16:24 . 2010-02-07 16:28 -------- d-----w- c:\program files\Zappabase
2010-01-27 10:07 . 2010-01-27 10:07 61440 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-sse.dll
2010-01-27 10:07 . 2010-01-27 10:07 503808 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcp71.dll
2010-01-27 10:07 . 2010-01-27 10:07 499712 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\jmc.dll
2010-01-27 10:07 . 2010-01-27 10:07 348160 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcr71.dll
2010-01-27 10:07 . 2010-01-27 10:07 12800 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-d3d.dll
2010-01-24 19:27 . 2010-01-24 19:27 -------- d-----w- c:\program files\Ant Renamer
2010-01-23 05:39 . 2010-01-23 05:39 267328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-23 02:24 . 2010-01-23 02:24 -------- d-----w- c:\program files\RAR Password Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\program files\uTorrent
2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\documents and settings\Derek\Application Data\uTorrent
2010-02-15 03:05 . 2008-03-21 07:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-13 10:42 . 2009-12-05 10:35 -------- d-----w- c:\program files\Everything
2010-02-13 03:46 . 2009-05-26 22:10 -------- d-----w- c:\documents and settings\Derek\Application Data\TeraCopy
2010-02-12 02:04 . 2008-03-21 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 03:27 . 2009-06-02 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\foobar2000
2010-02-09 04:10 . 2009-11-21 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\vlc
2010-02-07 05:01 . 2008-08-08 18:57 -------- d-----w- c:\program files\Washer
2010-02-07 02:14 . 2008-03-19 20:38 70879 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2010-01-29 03:02 . 2009-06-15 09:45 -------- d-----w- c:\documents and settings\Derek\Application Data\Apple Computer
2010-01-29 03:01 . 2010-01-09 21:48 -------- d-----w- c:\program files\iPod
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Java
2010-01-24 02:14 . 2008-08-30 04:03 17 ----a-w- c:\windows\popcinfo.dat
2010-01-23 16:55 . 2009-12-15 03:30 -------- d-----w- c:\documents and settings\Derek\Application Data\FileZilla
2010-01-23 15:05 . 2009-12-17 00:28 -------- d-----w- c:\program files\Freecorder
2010-01-23 15:05 . 2008-07-28 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-01-23 15:05 . 2008-07-26 22:13 -------- d-----w- c:\program files\AIM
2010-01-23 15:05 . 2008-03-29 03:50 -------- d-----w- c:\program files\ABC
2010-01-23 15:05 . 2008-03-19 20:37 -------- d-----w- c:\program files\America Online 9.0
2010-01-23 15:05 . 2008-03-14 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-16 05:20 . 2009-06-20 22:42 63944 ----a-w- c:\documents and settings\other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\Derek\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2009-07-07 18:47 -------- d-----w- c:\documents and settings\other\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-12 17:25 . 2008-03-21 02:29 -------- d-----w- c:\program files\Semagic
2010-01-11 20:40 . 2008-11-26 04:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 20:40 . 2008-12-18 15:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 20:38 . 2008-03-19 20:14 63944 ----a-w- c:\documents and settings\Derek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\MSBuild
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\Reference Assemblies
2010-01-10 19:29 . 2009-04-25 00:19 -------- d-----w- c:\documents and settings\Derek\Application Data\IObit
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6FEFF9B68218417F98F549.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_2964C3DE7E291AF3F2353D.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_21F3885A18D238E15AAE81.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6459EB3CC1021F99697573.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_4D456665B6A1916105928F.exe
2010-01-10 17:09 . 2010-01-10 17:09 1078 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_0044238C9C33EE6AE43EBB.exe
2010-01-10 17:09 . 2010-01-10 17:09 -------- d-----w- c:\program files\iTunes Library Updater
2010-01-10 01:41 . 2008-04-23 00:05 368 -c--a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2010-01-10 01:41 . 2010-01-10 01:41 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2010-01-10 01:41 . 2010-01-09 21:47 -------- d-----w- c:\program files\iTunes
2010-01-09 21:48 . 2010-01-09 21:26 -------- d-----w- c:\program files\Common Files\Apple
2010-01-09 21:29 . 2010-01-09 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-09 21:28 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-09 21:28 . 2009-12-22 03:00 -------- d-----w- c:\program files\Bonjour
2010-01-09 21:27 . 2010-01-09 21:27 -------- d-----w- c:\program files\QuickTime
2010-01-07 21:07 . 2008-11-26 04:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-26 04:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 00:31 . 2010-01-06 00:31 -------- d-----w- c:\program files\LG Electronics
2010-01-06 00:31 . 2008-03-14 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-05 23:10 . 2008-03-19 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-05 22:53 . 2009-04-25 00:18 -------- d-----w- c:\program files\IObit
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 03:54 . 2008-04-16 22:26 -------- d-----w- c:\program files\DivX
2009-12-28 03:53 . 2009-06-29 01:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-27 18:50 . 2009-09-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-27 17:03 . 2009-12-27 17:03 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-26 04:07 . 2009-12-26 04:07 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-23 04:24 . 2009-12-23 04:24 -------- d-----w- c:\program files\Apple Software Update
2009-12-23 04:24 . 2009-12-22 20:37 -------- d-----w- c:\program files\QuickTime(2)
2009-12-23 04:21 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-21 19:14 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-11-29 23:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 18:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-29 23:13 . 2009-11-29 23:12 9904720 ----a-w- c:\documents and settings\Derek\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.820.0-static-A.exe
2009-11-27 17:11 . 2004-08-10 18:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-24 23:54 . 2009-05-07 20:10 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-05-07 20:10 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-05-07 20:10 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-05-07 20:10 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-05-07 20:10 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-05-07 20:10 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-05-07 20:10 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-05-07 20:10 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-05-07 20:10 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-09 23:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HostManager"="c:\program files\Common Files\AOL\1207218324\ee\AOLSoftware.exe" [2008-06-24 41824]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-05-28 394240]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"VOBID"="c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe" [2003-03-31 147968]
"IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-11-11 6373376]

c:\documents and settings\Derek\Start Menu\Programs\Startup\
Registration-INSDVD.lnk - c:\program files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-9-26 245760]

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Registration-INSDVD.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2003-08-01 15:31 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-17 01:45 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\WINDOWS\\wanmpsvc.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 3:36 PM 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/7/2009 3:10 PM 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 10:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 11:12 AM 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2009 3:10 PM 20560]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 5:33 PM 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [9/7/2009 12:39 PM 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\DRIVERS\tpcdrdrv.sys --> c:\windows\system32\DRIVERS\tpcdrdrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006Core.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006UA.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-15 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-14 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-15 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-12-30 18:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 05:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A8AD8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e55b3a
\Driver\iaStor -> iaStor.sys @ 0xb9e9e918
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82562V-2 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d17bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d24a21
SendHandler -> NDIS.sys @ 0xb9d0287b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3582648933-3922854667-3177133079-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C1F72394-1F6A-9C26-4548-88AB4CA70591}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oapimenoijcpkahkcdddgbnfholmbn"=hex:64,61,70,63,6c,67,6f,6b,00,70
"oaljdoegpbegjikmphdlandbakhfnp"=hex:6a,61,61,64,6f,66,6f,6f,6b,62,6f,63,6b,63,
6a,6a,6b,65,6a,69,00,fd
"najkkipinflplploajkcgdaajfhd"=hex:6a,61,61,64,6f,66,6f,6f,6b,62,6f,63,6b,63,
6a,6a,6b,65,6a,69,00,fd
.
Completion time: 2010-02-15 05:46:03
ComboFix-quarantined-files.txt 2010-02-15 10:46

Pre-Run: 16,531,329,024 bytes free
Post-Run: 16,577,875,968 bytes free

- - End Of File - - ADF4CB189FAF9501E9B3BF7030B80E15


==

Under the second section of the ComboFix log, I noticed it reads:

2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\program files\uTorrent
2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\documents and settings\Derek\Application Data\uTorrent

Now, I did uninstall the program, the exe is gone (there's still a shortcut to the program in the launch toolbar, but it won't run because the exe doesn't exist). I'm assuming because I just did a simple install from the Add/Remove Programs panel in Control Panel that it didn't remove these folders, but the program itself can't be run.

==

DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Derek at 5:48:33.39 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1545 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100214-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1207218324\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Derek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HostManager] c:\program files\common files\aol\1207218324\ee\AOLSoftware.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [VOBID] c:\program files\pinnacle\instantcddvd\instantdrive\InstantDrive.exe /remount
mRun: [IW ControlCenter] c:\program files\pinnacle\instantcddvd\instantwrite\iwctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\derek\startm~1\programs\startup\regist~1.lnk - c:\program files\pinnacle\instantcddvd\sharedfiles\pixie\RegTool.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://96.230.136.179:82/plugin/h263ctrl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\derek\applic~1\mozilla\firefox\profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\derek\application data\mozilla\firefox\profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-5-7 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-7 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-5-27 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-7 138680]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-9-7 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-7 352920]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\ptdmbus.sys --> c:\windows\system32\drivers\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\ptdmmdm.sys --> c:\windows\system32\drivers\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\ptdmvsp.sys --> c:\windows\system32\drivers\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\ptdmwwan.sys --> c:\windows\system32\drivers\PTDMWWAN.sys [?]

=============== Created Last 30 ================

2010-03-02 21:43:41 0 d-----w- c:\program files\RAR Password Recovery Magic
2010-02-15 10:33:37 98816 ----a-w- c:\windows\sed.exe
2010-02-15 10:33:37 77312 ----a-w- c:\windows\MBR.exe
2010-02-15 10:33:37 261632 ----a-w- c:\windows\PEV.exe
2010-02-15 10:33:37 161792 ----a-w- c:\windows\SWREG.exe
2010-02-07 16:24:29 0 d-----w- c:\program files\Zappabase
2010-01-24 19:27:52 0 d-----w- c:\program files\Ant Renamer
2010-01-23 02:24:18 0 d-----w- c:\program files\RAR Password Cracker

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 5:48:56.46 ===============

You didn't specifically request the Attach log from DDS, so I'm not posting it, but if you require it, please let me know and I will attach it to the next reply.

Blade81
2010-02-15, 17:00
Hi,

I assume you have the Windows Recovery Console installed, since ComboFix didn't show any need to install it.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd system32\drivers

6. At the next prompt, type the following bolded text, and press Enter:

copy atapi.sys atapi.sys.vir

7. At the next prompt, type the following bolded text, and press Enter:
copy iaStor.sys iaStor.sys.vir

8. At the next prompt, type the following bolded text, and press Enter:
exit

When Windows returns to normal mode, upload the following files to http://www.virustotal.com and post back the results:
c:\windows\system32\drivers\atapi.sys.vir
c:\windows\system32\drivers\iaStor.sys.vir

derekfz
2010-02-16, 03:32
Yes, I already had Windows Recovery Console installed. I executed the commands without a problem.

Here are the results from virustotal.com. I'm assuming it's Ok to just post the URLs here, but if you need me to post (copy & paste) the entire report that it generated, please let me know.

Report for atapi.sys.vir : http://www.virustotal.com/analisis/00f2455aad772a9c3ebb2fc05f8c504da2a8483a4d24ba8d2ab333d74552329f-1266283416

Report for iaStor.sys.vir : http://www.virustotal.com/analisis/c22f10bade29da6f7eb79d9f5d81d9fbec17d4d4f8b25e0af4e5ceae28e8abf6-1266283637

Blade81
2010-02-16, 16:05
Thanks for the results :)

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
atapi.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

derekfz
2010-02-17, 03:12
Here's the result from the SystemLook scan:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:07 on 16/02/2010 by Derek (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95872 bytes [15:50 14/03/2008] [08:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95872 bytes [11:35 03/10/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [10:44 15/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [16:43 20/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [04:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95872 bytes [15:54 14/03/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95872 bytes [15:54 14/03/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131

-=End Of File=-

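The comparison the thread does by eye on the listing above (live C:\WINDOWS\system32\drivers\atapi.sys against the Service Pack copy, by size and MD5) is worth having as a script when the same check recurs on other logs. The following Python is an added example written for this page; it is not part of the thread, SystemLook or ComboFix. It parses SystemLook ":filefind" hit lines, groups copies by hash, and classifies the live driver: same hash as the reference is consistent, same size but different hash is the in-place patch pattern, different size means a different version or a replaced file. The seven hit lines in the first sample are taken from the log above; the second sample is constructed by swapping the live driver's MD5 for a hypothetical value, and the two path suffixes used to locate the live and reference copies are assumptions about a standard XP layout.

```python
"""Added example (not from the thread or from SystemLook): replay the
':filefind' comparison on a pasted SystemLook log.

Each hit line has the shape
  <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
The live driver under system32\\drivers is compared with the Service Pack
reference copy under ServicePackFiles\\i386 (both suffixes are assumptions).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"          # drive-letter path (may contain spaces)
    r"(?P<attrs>[-a-z]{6})\s+"               # attribute flags such as --a--c
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

LIVE_SUFFIX = r"\system32\drivers\atapi.sys"        # assumed live driver location
REF_SUFFIX = r"\servicepackfiles\i386\atapi.sys"    # assumed SP reference copy


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    mtime: str
    ctime: str
    md5: str


@dataclass(frozen=True)
class Verdict:
    status: str                 # consistent | patched | replaced | unknown
    live: FileHit | None
    reference: FileHit | None


def parse_filefind(text: str) -> list[FileHit]:
    """Return one FileHit per hit line; headers and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["mtime"], m["ctime"], m["md5"].upper()))
    return hits


def hash_groups(hits: list[FileHit]) -> dict[str, list[str]]:
    """Group paths by MD5 so identical copies can be seen at a glance."""
    groups: dict[str, list[str]] = {}
    for h in hits:
        groups.setdefault(h.md5, []).append(h.path)
    return groups


def _find(hits: list[FileHit], suffix: str) -> FileHit | None:
    return next((h for h in hits if h.path.lower().endswith(suffix.lower())), None)


def assess_driver(hits: list[FileHit], live_suffix: str = LIVE_SUFFIX,
                  ref_suffix: str = REF_SUFFIX) -> Verdict:
    """Compare the live driver with the reference copy by MD5 and size."""
    live, ref = _find(hits, live_suffix), _find(hits, ref_suffix)
    if live is None or ref is None:
        return Verdict("unknown", live, ref)
    if live.md5 == ref.md5:
        return Verdict("consistent", live, ref)
    if live.size == ref.size:
        # Same length, different bytes: the in-place patch pattern.
        return Verdict("patched", live, ref)
    return Verdict("replaced", live, ref)


# Sample 1: the seven hit lines from the SystemLook log posted in the thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95872 bytes [15:50 14/03/2008] [08:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95872 bytes [11:35 03/10/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [10:44 15/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [16:43 20/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [04:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95872 bytes [15:54 14/03/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95872 bytes [15:54 14/03/2008] [03:02 28/08/2006] 40CAACE7F2E7668148A1D45CF91E1131

-=End Of File=-
"""

# Sample 2 (constructed): the same log with the live driver's MD5 swapped for
# a hypothetical value, i.e. a same-size driver whose bytes no longer match.
_LIVE_LINE = (r"C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes "
              r"[04:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674")
PATCHED_LOG = SAMPLE_LOG.replace(_LIVE_LINE, _LIVE_LINE[:-32] + "DEADBEEFDEADBEEFDEADBEEFDEADBEEF")


if __name__ == "__main__":
    for label, text in (("posted log", SAMPLE_LOG), ("constructed patched log", PATCHED_LOG)):
        hits = parse_filefind(text)
        print(f"{label}: {assess_driver(hits).status}")
        for md5, paths in hash_groups(hits).items():
            print(f"  {md5}: {len(paths)} copy/copies")
```

On the posted log the verdict is "consistent" (the live driver already carries the SP3 hash 9F3A...), and the two hash groups are the four pre-SP3 copies (95872 bytes) and the three SP3 copies (96512 bytes); the 95872-byte copies differ from the reference because they are an older version, not because they are tampered, which is why the size is compared before calling a mismatch a patch. Note that this only reads what SystemLook reported; a rootkit that filters file reads can return clean bytes to a user-mode hasher, which is why the thread also relies on an offline copy and the Recovery Console.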
Blade81
2010-02-17, 17:20
Hi,

Click Start -> Run, type cmd.exe and press Enter. In the command prompt window, type the following command:

copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\windows\system32\drivers\atapi.sys.bak

You should get "1 file(s) copied." as the output message.


Then we need to use the Recovery Console again, so print/save these instructions first.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd system32\drivers

6. At the next prompt, type the following bolded text, and press Enter (agree overwriting):

copy atapi.sys.bak atapi.sys

7. At the next prompt, type the following bolded text, and press Enter:
exit

When Windows returns back to normal mode, disable antivirus protection and run ComboFix. Post back its report.

derekfz
2010-02-18, 03:11
One note: in Recovery Console, when I typed "copy atapi.sys.bak atapi.sys", it asked if I wanted to overwrite atapi.sys, for which I chose yes, and the message 1 file(s) copied followed. I'm assuming this was the right thing to do. This eventuality wasn't mentioned in your message. If I made a mistake in doing this, please let me know.

Here is the newest ComboFix log. Incidentally, it started up and ran without a problem this time, although the first time I tried to run it, it gave me this message: 'NIRCMDC' is not recognized as an internal or external command, operable program or batch file. After it displayed that message, I closed the window, double-clicked ComboFix again and it ran fine. Anyway, here is the log.

ComboFix 10-02-12.01 - Derek 02/17/2010 19:54:11.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1556 [GMT -5:00]
Running from: c:\documents and settings\Derek\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100217-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-03-02 21:43 . 2010-03-02 21:43 -------- d-----w- c:\program files\RAR Password Recovery Magic
2010-02-18 00:45 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-11 01:02 . 2009-08-05 00:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-07 16:24 . 2010-02-07 16:28 -------- d-----w- c:\program files\Zappabase
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-27 10:07 . 2010-01-27 10:07 61440 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-sse.dll
2010-01-27 10:07 . 2010-01-27 10:07 503808 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcp71.dll
2010-01-27 10:07 . 2010-01-27 10:07 499712 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\jmc.dll
2010-01-27 10:07 . 2010-01-27 10:07 348160 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcr71.dll
2010-01-27 10:07 . 2010-01-27 10:07 12800 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-d3d.dll
2010-01-24 19:27 . 2010-01-24 19:27 -------- d-----w- c:\program files\Ant Renamer
2010-01-23 05:39 . 2010-01-23 05:39 267328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-23 02:24 . 2010-01-23 02:24 -------- d-----w- c:\program files\RAR Password Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 00:52 . 2008-03-21 07:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-17 03:02 . 2009-05-26 22:10 -------- d-----w- c:\documents and settings\Derek\Application Data\TeraCopy
2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\program files\uTorrent
2010-02-15 03:29 . 2009-07-31 20:29 -------- d-----w- c:\documents and settings\Derek\Application Data\uTorrent
2010-02-13 10:42 . 2009-12-05 10:35 -------- d-----w- c:\program files\Everything
2010-02-12 02:04 . 2008-03-21 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 03:27 . 2009-06-02 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\foobar2000
2010-02-09 04:10 . 2009-11-21 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\vlc
2010-02-07 05:01 . 2008-08-08 18:57 -------- d-----w- c:\program files\Washer
2010-02-07 02:14 . 2008-03-19 20:38 70879 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2010-01-29 03:02 . 2009-06-15 09:45 -------- d-----w- c:\documents and settings\Derek\Application Data\Apple Computer
2010-01-29 03:01 . 2010-01-09 21:48 -------- d-----w- c:\program files\iPod
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Java
2010-01-24 02:14 . 2008-08-30 04:03 17 ----a-w- c:\windows\popcinfo.dat
2010-01-23 16:55 . 2009-12-15 03:30 -------- d-----w- c:\documents and settings\Derek\Application Data\FileZilla
2010-01-23 15:05 . 2009-12-17 00:28 -------- d-----w- c:\program files\Freecorder
2010-01-23 15:05 . 2008-07-28 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-01-23 15:05 . 2008-07-26 22:13 -------- d-----w- c:\program files\AIM
2010-01-23 15:05 . 2008-03-29 03:50 -------- d-----w- c:\program files\ABC
2010-01-23 15:05 . 2008-03-19 20:37 -------- d-----w- c:\program files\America Online 9.0
2010-01-23 15:05 . 2008-03-14 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-16 05:20 . 2009-06-20 22:42 63944 ----a-w- c:\documents and settings\other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\Derek\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2009-07-07 18:47 -------- d-----w- c:\documents and settings\other\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-12 17:25 . 2008-03-21 02:29 -------- d-----w- c:\program files\Semagic
2010-01-11 20:40 . 2008-11-26 04:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 20:40 . 2008-12-18 15:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 20:38 . 2008-03-19 20:14 63944 ----a-w- c:\documents and settings\Derek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\MSBuild
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\Reference Assemblies
2010-01-10 19:29 . 2009-04-25 00:19 -------- d-----w- c:\documents and settings\Derek\Application Data\IObit
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6FEFF9B68218417F98F549.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_2964C3DE7E291AF3F2353D.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_21F3885A18D238E15AAE81.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6459EB3CC1021F99697573.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_4D456665B6A1916105928F.exe
2010-01-10 17:09 . 2010-01-10 17:09 1078 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_0044238C9C33EE6AE43EBB.exe
2010-01-10 17:09 . 2010-01-10 17:09 -------- d-----w- c:\program files\iTunes Library Updater
2010-01-10 01:41 . 2008-04-23 00:05 368 -c--a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2010-01-10 01:41 . 2010-01-10 01:41 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2010-01-10 01:41 . 2010-01-09 21:47 -------- d-----w- c:\program files\iTunes
2010-01-09 21:48 . 2010-01-09 21:26 -------- d-----w- c:\program files\Common Files\Apple
2010-01-09 21:29 . 2010-01-09 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-09 21:28 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-09 21:28 . 2009-12-22 03:00 -------- d-----w- c:\program files\Bonjour
2010-01-09 21:27 . 2010-01-09 21:27 -------- d-----w- c:\program files\QuickTime
2010-01-07 21:07 . 2008-11-26 04:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-26 04:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 00:31 . 2010-01-06 00:31 -------- d-----w- c:\program files\LG Electronics
2010-01-06 00:31 . 2008-03-14 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-05 23:10 . 2008-03-19 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-05 22:53 . 2009-04-25 00:18 -------- d-----w- c:\program files\IObit
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 03:54 . 2008-04-16 22:26 -------- d-----w- c:\program files\DivX
2009-12-28 03:53 . 2009-06-29 01:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-27 18:50 . 2009-09-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-27 17:03 . 2009-12-27 17:03 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-26 04:07 . 2009-12-26 04:07 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-23 04:24 . 2009-12-23 04:24 -------- d-----w- c:\program files\Apple Software Update
2009-12-23 04:24 . 2009-12-22 20:37 -------- d-----w- c:\program files\QuickTime(2)
2009-12-23 04:21 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-11-29 23:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 18:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 23:13 . 2009-11-29 23:12 9904720 ----a-w- c:\documents and settings\Derek\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.820.0-static-A.exe
2009-11-27 17:11 . 2004-08-10 18:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-24 23:54 . 2009-05-07 20:10 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-05-07 20:10 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-05-07 20:10 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-05-07 20:10 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-05-07 20:10 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-05-07 20:10 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-05-07 20:10 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-05-07 20:10 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-05-07 20:10 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-15_10.43.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-18 00:49 . 2010-02-18 00:49 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
- 2010-02-15 04:20 . 2010-02-15 04:20 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
+ 2010-02-18 00:49 . 2010-02-18 00:49 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
+ 2010-02-17 23:21 . 2010-02-17 23:21 301568 c:\windows\Installer\9df8f4a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-09 23:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HostManager"="c:\program files\Common Files\AOL\1207218324\ee\AOLSoftware.exe" [2008-06-24 41824]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-05-28 394240]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"VOBID"="c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe" [2003-03-31 147968]
"IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-11-11 6373376]

c:\documents and settings\Derek\Start Menu\Programs\Startup\
Registration-INSDVD.lnk - c:\program files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-9-26 245760]

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Registration-INSDVD.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2003-08-01 15:31 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-17 01:45 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\WINDOWS\\wanmpsvc.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 3:36 PM 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/7/2009 3:10 PM 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 10:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 11:12 AM 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2009 3:10 PM 20560]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 5:33 PM 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [9/7/2009 12:39 PM 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\DRIVERS\tpcdrdrv.sys --> c:\windows\system32\DRIVERS\tpcdrdrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006Core.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006UA.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-18 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-18 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-14 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3582648933-3922854667-3177133079-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C1F72394-1F6A-9C26-4548-88AB4CA70591}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oapimenoijcpkahkcdddgbnfholmbn"=hex:64,61,70,63,6c,67,6f,6b,00,70
"oaljdoegpbegjikmphdlandbakhfnp"=hex:6a,61,61,64,6f,66,6f,6f,6b,62,6f,63,6b,63,
6a,6a,6b,65,6a,69,00,fd
"najkkipinflplploajkcgdaajfhd"=hex:6a,61,61,64,6f,66,6f,6f,6b,62,6f,63,6b,63,
6a,6a,6b,65,6a,69,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2010-02-17 20:05:25
ComboFix-quarantined-files.txt 2010-02-18 01:05
ComboFix2.txt 2010-02-15 10:59

Pre-Run: 16,465,408,000 bytes free
Post-Run: 16,441,724,928 bytes free

- - End Of File - - 3566D70DFF54CEFCCBA5A11B8A7CDAE1

Blade81
2010-02-18, 16:09
Hi,


One note: in Recovery Console, when I typed "copy atapi.sys.bak atapi.sys", it asked if I wanted to overwrite atapi.sys, for which I chose yes, and the message 1 file(s) copied followed. I'm assuming this was the right thing to do. This eventuality wasn't mentioned in your message. If I made a mistake in doing this, please let me know.
That was the correct action to take. I did mention this: "6. At the next prompt, type the following bolded text, and press Enter (agree overwriting)" :)


Open notepad and copy/paste the text in the quotebox below into it:



Collect::
c:\windows\system32\drivers\atapi.sys.vir
Folder::
c:\program files\uTorrent
c:\documents and settings\Derek\Application Data\uTorrent
Regnull::
[HKEY_USERS\S-1-5-21-3582648933-3922854667-3177133079-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C1F72394-1F6A-9C26-4548-88AB4CA70591}*]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows, disable protection software and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Uninstall these vulnerable Javas:
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

derekfz
2010-02-19, 12:44
Thanks for your assistance. Ok, here we go.

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 19, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, February 19, 2010 02:56:45
Records in database: 3557863
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan statistics:
Objects scanned: 106887
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:31:35


File name / Threat / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2010-02-18_20.26.03.zip Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.




new DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Derek at 5:28:35.50 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1254 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100218-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1207218324\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Derek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Washer] c:\program files\washer\washer.exe /0
uRunOnce: [washindex] c:\program files\washer\washidx.exe "Derek"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HostManager] c:\program files\common files\aol\1207218324\ee\AOLSoftware.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [VOBID] c:\program files\pinnacle\instantcddvd\instantdrive\InstantDrive.exe /remount
mRun: [IW ControlCenter] c:\program files\pinnacle\instantcddvd\instantwrite\iwctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [washindex] c:\program files\washer\washidx.exe "Derek"
StartupFolder: c:\docume~1\derek\startm~1\programs\startup\regist~1.lnk - c:\program files\pinnacle\instantcddvd\sharedfiles\pixie\RegTool.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://96.230.136.179:82/plugin/h263ctrl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\derek\applic~1\mozilla\firefox\profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\derek\application data\mozilla\firefox\profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\derek\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\derek\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-5-7 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-7 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-5-27 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-7 138680]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-9-7 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-7 352920]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\ptdmbus.sys --> c:\windows\system32\drivers\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\ptdmmdm.sys --> c:\windows\system32\drivers\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\ptdmvsp.sys --> c:\windows\system32\drivers\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\ptdmwwan.sys --> c:\windows\system32\drivers\PTDMWWAN.sys [?]

=============== Created Last 30 ================

2010-03-02 21:43:41 0 d-----w- c:\program files\RAR Password Recovery Magic
2010-02-18 00:45:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.bak
2010-02-18 00:45:07 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-15 10:33:37 98816 ----a-w- c:\windows\sed.exe
2010-02-15 10:33:37 77312 ----a-w- c:\windows\MBR.exe
2010-02-15 10:33:37 261632 ----a-w- c:\windows\PEV.exe
2010-02-15 10:33:37 161792 ----a-w- c:\windows\SWREG.exe
2010-02-07 16:24:29 0 d-----w- c:\program files\Zappabase
2010-01-24 19:27:52 0 d-----w- c:\program files\Ant Renamer
2010-01-23 02:24:18 0 d-----w- c:\program files\RAR Password Cracker

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 5:29:09.50 ===============




ComboFix log after running CFScript:

ComboFix 10-02-12.01 - Derek 02/18/2010 20:26:08.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1423 [GMT -5:00]
Running from: c:\documents and settings\Derek\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Derek\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100218-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\drivers\atapi.sys.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Derek\Application Data\uTorrent
c:\documents and settings\Derek\Application Data\uTorrent\dht.dat
c:\documents and settings\Derek\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Derek\Application Data\uTorrent\resume.dat
c:\documents and settings\Derek\Application Data\uTorrent\resume.dat.1.bad
c:\documents and settings\Derek\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Derek\Application Data\uTorrent\rss.dat
c:\documents and settings\Derek\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Derek\Application Data\uTorrent\settings.dat
c:\documents and settings\Derek\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Derek\Application Data\uTorrent\utorrent-help.zip
c:\documents and settings\Derek\Application Data\uTorrent\utorrent.chm
c:\documents and settings\Derek\Application Data\uTorrent\utorrent.lng
c:\program files\uTorrent
c:\windows\system32\drivers\atapi.sys.vir

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-03-02 21:43 . 2010-03-02 21:43 -------- d-----w- c:\program files\RAR Password Recovery Magic
2010-02-19 00:52 . 2009-08-25 06:30 13312 ----a-w- c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
2010-02-18 00:45 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-11 01:02 . 2009-08-05 00:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-11 01:02 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 01:02 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-11 01:02 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-07 16:24 . 2010-02-07 16:28 -------- d-----w- c:\program files\Zappabase
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-27 10:07 . 2010-01-27 10:07 61440 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-sse.dll
2010-01-27 10:07 . 2010-01-27 10:07 503808 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcp71.dll
2010-01-27 10:07 . 2010-01-27 10:07 499712 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\jmc.dll
2010-01-27 10:07 . 2010-01-27 10:07 348160 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-229aab6e-n\msvcr71.dll
2010-01-27 10:07 . 2010-01-27 10:07 12800 ----a-w- c:\documents and settings\Derek\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3565cb56-n\decora-d3d.dll
2010-01-24 19:27 . 2010-01-24 19:27 -------- d-----w- c:\program files\Ant Renamer
2010-01-23 05:39 . 2010-01-23 05:39 267328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-23 02:24 . 2010-01-23 02:24 -------- d-----w- c:\program files\RAR Password Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 01:21 . 2009-05-26 22:10 -------- d-----w- c:\documents and settings\Derek\Application Data\TeraCopy
2010-02-19 01:16 . 2008-03-21 07:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-18 03:00 . 2009-11-21 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\vlc
2010-02-18 02:30 . 2008-03-29 03:50 -------- d-----w- c:\program files\ABC
2010-02-13 10:42 . 2009-12-05 10:35 -------- d-----w- c:\program files\Everything
2010-02-12 02:04 . 2008-03-21 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 03:27 . 2009-06-02 02:27 -------- d-----w- c:\documents and settings\Derek\Application Data\foobar2000
2010-02-07 05:01 . 2008-08-08 18:57 -------- d-----w- c:\program files\Washer
2010-02-07 02:14 . 2008-03-19 20:38 70879 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2010-01-29 03:02 . 2009-06-15 09:45 -------- d-----w- c:\documents and settings\Derek\Application Data\Apple Computer
2010-01-29 03:01 . 2010-01-09 21:48 -------- d-----w- c:\program files\iPod
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 10:07 . 2008-03-14 16:06 -------- d-----w- c:\program files\Java
2010-01-24 02:14 . 2008-08-30 04:03 17 ----a-w- c:\windows\popcinfo.dat
2010-01-23 16:55 . 2009-12-15 03:30 -------- d-----w- c:\documents and settings\Derek\Application Data\FileZilla
2010-01-23 15:05 . 2009-12-17 00:28 -------- d-----w- c:\program files\Freecorder
2010-01-23 15:05 . 2008-07-28 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-01-23 15:05 . 2008-07-26 22:13 -------- d-----w- c:\program files\AIM
2010-01-23 15:05 . 2008-03-19 20:37 -------- d-----w- c:\program files\America Online 9.0
2010-01-23 15:05 . 2008-03-14 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-16 05:20 . 2009-06-20 22:42 63944 ----a-w- c:\documents and settings\other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\Derek\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2009-07-07 18:47 -------- d-----w- c:\documents and settings\other\Application Data\NCH Swift Sound
2010-01-13 23:35 . 2008-10-08 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-12 17:25 . 2008-03-21 02:29 -------- d-----w- c:\program files\Semagic
2010-01-11 20:40 . 2008-11-26 04:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 20:40 . 2008-12-18 15:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 20:38 . 2008-03-19 20:14 63944 ----a-w- c:\documents and settings\Derek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\MSBuild
2010-01-11 11:10 . 2010-01-11 11:10 -------- d-----w- c:\program files\Reference Assemblies
2010-01-10 19:29 . 2009-04-25 00:19 -------- d-----w- c:\documents and settings\Derek\Application Data\IObit
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6FEFF9B68218417F98F549.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_2964C3DE7E291AF3F2353D.exe
2010-01-10 17:09 . 2010-01-10 17:09 31702 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_21F3885A18D238E15AAE81.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_6459EB3CC1021F99697573.exe
2010-01-10 17:09 . 2010-01-10 17:09 25214 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_4D456665B6A1916105928F.exe
2010-01-10 17:09 . 2010-01-10 17:09 1078 ----a-r- c:\documents and settings\Derek\Application Data\Microsoft\Installer\{38EE230F-F631-451F-8800-E29F5E5C9E7D}\_0044238C9C33EE6AE43EBB.exe
2010-01-10 17:09 . 2010-01-10 17:09 -------- d-----w- c:\program files\iTunes Library Updater
2010-01-10 01:41 . 2008-04-23 00:05 368 -c--a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2010-01-10 01:41 . 2010-01-10 01:41 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2010-01-10 01:41 . 2010-01-09 21:47 -------- d-----w- c:\program files\iTunes
2010-01-09 21:48 . 2010-01-09 21:26 -------- d-----w- c:\program files\Common Files\Apple
2010-01-09 21:29 . 2010-01-09 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-09 21:28 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-09 21:28 . 2009-12-22 03:00 -------- d-----w- c:\program files\Bonjour
2010-01-09 21:27 . 2010-01-09 21:27 -------- d-----w- c:\program files\QuickTime
2010-01-07 21:07 . 2008-11-26 04:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-26 04:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 00:31 . 2010-01-06 00:31 -------- d-----w- c:\program files\LG Electronics
2010-01-06 00:31 . 2008-03-14 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-05 23:10 . 2008-03-19 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-05 22:53 . 2009-04-25 00:18 -------- d-----w- c:\program files\IObit
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 03:54 . 2008-04-16 22:26 -------- d-----w- c:\program files\DivX
2009-12-28 03:53 . 2009-06-29 01:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-27 18:50 . 2009-09-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-27 17:03 . 2009-12-27 17:03 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-26 04:07 . 2009-12-26 04:07 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-23 04:24 . 2009-12-23 04:24 -------- d-----w- c:\program files\Apple Software Update
2009-12-23 04:24 . 2009-12-22 20:37 -------- d-----w- c:\program files\QuickTime(2)
2009-12-23 04:21 . 2009-12-23 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-11-29 23:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 18:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 23:13 . 2009-11-29 23:12 9904720 ----a-w- c:\documents and settings\Derek\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.820.0-static-A.exe
2009-11-27 17:11 . 2004-08-10 18:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-24 23:54 . 2009-05-07 20:10 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-05-07 20:10 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-05-07 20:10 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-05-07 20:10 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-05-07 20:10 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-05-07 20:10 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-05-07 20:10 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-05-07 20:10 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-05-07 20:10 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-15_10.43.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-18 00:49 . 2010-02-18 00:49 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
- 2010-02-15 04:20 . 2010-02-15 04:20 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
+ 2010-02-18 00:49 . 2010-02-18 00:49 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
+ 2010-02-17 23:21 . 2010-02-17 23:21 301568 c:\windows\Installer\9df8f4a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-09 23:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HostManager"="c:\program files\Common Files\AOL\1207218324\ee\AOLSoftware.exe" [2008-06-24 41824]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-05-28 394240]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"VOBID"="c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe" [2003-03-31 147968]
"IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Derek\Start Menu\Programs\Startup\
Registration-INSDVD.lnk - c:\program files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-9-26 245760]

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Registration-INSDVD.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2003-08-01 15:31 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-17 01:45 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\WINDOWS\\wanmpsvc.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Derek\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 3:36 PM 26679]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/7/2009 3:10 PM 114768]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 10:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 11:12 AM 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2009 3:10 PM 20560]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 5:33 PM 64000]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [9/7/2009 12:39 PM 302728]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\DRIVERS\tpcdrdrv.sys --> c:\windows\system32\DRIVERS\tpcdrdrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006Core.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3582648933-3922854667-3177133079-1006UA.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 19:27]

2010-02-18 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-18 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]

2010-02-14 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-11-22 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://online.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\r5jfuce4.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Derek\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-18 20:35:27
ComboFix-quarantined-files.txt 2010-02-19 01:35
ComboFix2.txt 2010-02-18 01:05
ComboFix3.txt 2010-02-15 10:59

Pre-Run: 16,397,578,240 bytes free
Post-Run: 16,395,448,320 bytes free

- - End Of File - - C1AC12CB7FF353EA51E2E0D2423B80FA
Upload was successful


Flash is up to date in both IE and Firefox and I deleted the following older, vulnerable Java installations (using Revo Uninstaller to fully remove them):
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7

Hope I didn't miss anything, time permitting had me doing part of this last night and the rest this morning.

Blade81
2010-02-19, 17:47
Hi,

That looks quite good. How's the system running now?

derekfz
2010-02-20, 03:14
The Google search redirect problem seems to be gone (I tried it in IE as well as Firefox, not that I really ever use the former) and there don't seem to be any other obvious problems.

I see the file "atapi.sys" is present on my hard drive 6 times, including in ServicePackFiles\i386 and system32\drivers. I'm assuming this is a safe, legitimate file. But I also see that "atapi.sys.bak" is there in system32\drivers, as well. Should I assume this is Ok, too?

Anything else I should do or delete before we're all done?

Blade81
2010-02-20, 12:07
Hi,


I see the file "atapi.sys" is present on my hard drive 6 times, including in ServicePackFiles\i386 and system32\drivers. I'm assuming this is a safe, legitimate file. But I also see that "atapi.sys.bak" is there in system32\drivers, as well. Should I assume this is Ok, too?
Yes, those remaining ones are ok. We copied the atapi.sys.bak file there earlier. It's a fresh backup and so better leave it there.

Let's see the final steps next :)

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
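An added audit script (not part of Blade81's post or any tool the thread uses) that reads the current user's Internet-zone settings from the registry and reports which of the six settings listed above differ from the recommended value. The value IDs (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 encoding are Microsoft's documented zone-setting map; it reads HKCU only, so a setting enforced by policy under HKLM would not be seen.

```powershell
# Added audit script (not from the original thread): checks whether the
# Internet-zone (zone 3) settings Blade81 lists are set as recommended.
# Registry value IDs follow Microsoft's documented zone-setting map:
# 0 = Enable, 1 = Prompt, 3 = Disable. Reads the current user's hive only.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value ID -> description and the setting recommended in the post
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZone {
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($id in $recommended.Keys) {
        $entry   = $recommended[$id]
        $current = $zone.$id
        # A missing value means IE falls back to its built-in default for the zone
        if ($null -eq $current) { $current = -1 }
        $current = [int]$current
        [pscustomobject]@{
            Setting     = $entry.Name
            Current     = if ($label.ContainsKey($current)) { $label[$current] } else { "raw:$current" }
            Recommended = $label[$entry.Want]
            OK          = ($current -eq $entry.Want)
        }
    }
}

$results = Test-IEInternetZone
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.OK })
if ($bad.Count -eq 0) {
    'All six Internet-zone settings match the recommendation.'
} else {
    "$($bad.Count) setting(s) differ; adjust them via Tools > Internet Options > Security > Custom Level."
}
```

Run it before and after changing the settings to confirm the Custom Level changes actually landed in the registry.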



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click run. In the dialog box, type services.msc and hit enter.
Locate DNS Client, highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok.
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

derekfz
2010-02-20, 19:07
I completed all of the following this morning--

Reset and re-enabled System Restore
Uninstalled ComboFix
Ran OTC
Windows update (I was a little worried about this because something corrupt in the previous Windows update inflicted this PC with a problem that I had to pay for a tech support phone call to fix, oy vey. But there was no problem this time.)
Ran Secunia vulnerability check and upgraded to the very newest version of Flash, removing the older version.

Your specified security settings for IE were already in place.

I'm still not having the Google redirect issue, so we're good there. Everything appears to be clean and running smoothly. :bigthumb:

Blade81
2010-02-20, 19:27
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.