
View Full Version : Still hijacking after using restore point



cobo76
2010-04-06, 00:45
I got infected a couple of days ago. I quickly tried to scan and repair with Malwarebytes'. Although it showed everything fixed, Firefox still got hijacked and programmes couldn't update themselves. I used System Restore to restore the PC to an earlier time. It worked in some ways, as I could update programmes, but Firefox still gets hijacked from Google search links. Attached: the present HijackThis log and the Malwarebytes' log from before I restored the PC:
---------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:06, on 05/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6792 bytes
-----------------------------------------------------------------
-------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3954

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

04/04/2010 21:20:36
mbam-log-2010-04-04 (21-20-36).txt

Scan type: Quick scan
Objects scanned: 103488
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0b04f4f-a430-4282-a50a-5fd9a25a3d36}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Zsolt\AppData\Local\Temp\PrintBrmUia.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\000039e6.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00007ac9.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Zsolt\Local Settings\Temporary Internet Files\udRemove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------
---------------------------------------------------------------------

Thanks for your help, cobo
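Added example (not part of the thread, and not a Malwarebytes or Safer Networking tool): a small Python triage script for the Malwarebytes' Anti-Malware log format posted above. It parses the detection sections, pulls the resolver addresses that the Trojan.DNSChanger entries had written into the Tcpip\Parameters NameServer and DhcpNameServer values, compares them with a trusted-resolver list you supply, and lists the scheduled-task .job files among the removed items. The embedded sample is the posted log trimmed to its detection sections; the trusted address 192.168.1.1 in the usage call is an assumed home-router resolver, not something from the thread.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not a
Malwarebytes or forum tool): parse the detection sections, pull the
resolvers a Trojan.DNSChanger entry had written into the Tcpip Parameters
NameServer values, and list the scheduled-task artifacts."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the detection sections of the log posted above, trimmed.
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0b04f4f-a430-4282-a50a-5fd9a25a3d36}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Zsolt\AppData\Local\Temp\PrintBrmUia.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a section; the summary counter line
# "Registry Keys Infected: 3" has text after the colon and is ignored.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# <target> (<family>) [-> Data: <data>] -> <action>.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\)"
                     r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Finding:
    section: str          # e.g. "Registry Data Items Infected"
    target: str           # registry key/value or file path
    family: str           # detection name, e.g. Trojan.DNSChanger
    data: Optional[str]   # value data (Registry Data Items only)
    action: str


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log tracking the current section; skip header lines and
    the '(No malicious items detected)' placeholder."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        if not line or section is None or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings.append(Finding(section, item["target"], item["family"],
                                    item["data"], item["action"]))
    return findings


def rogue_dns_servers(findings: Iterable[Finding], trusted: Iterable[str]) -> List[str]:
    """Resolver addresses a DNSChanger detection had written into the
    NameServer / DhcpNameServer values, minus the caller's trusted list
    (router, ISP or corporate resolvers), as sorted strings."""
    ips = set()
    for f in findings:
        if f.family.endswith("DNSChanger") and f.data:
            for token in f.data.split(","):      # the log comma-joins them
                try:
                    ips.add(ipaddress.ip_address(token.strip()))
                except ValueError:               # not an address; leave it out
                    continue
    ips -= {ipaddress.ip_address(t) for t in trusted}
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


def persistence_artifacts(findings: Iterable[Finding]) -> List[str]:
    """Autostart items: scheduled-task .job files and Run/RunOnce registry
    entries. Re-check these after a System Restore, which rewrites the
    registry hives from its snapshot."""
    hits = []
    for f in findings:
        t = f.target.lower()
        if t.endswith(".job") or "\\currentversion\\run" in t:
            hits.append(f.target)
    return hits


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    # 192.168.1.1 stands in for the home router's resolver (assumed).
    print("rogue resolvers:", rogue_dns_servers(found, ["192.168.1.1"]))
    print("persistence:", persistence_artifacts(found))
```

System Restore rewrites the registry hives from the chosen snapshot, so after a restore the Tcpip\Parameters NameServer values are whatever that snapshot held, not necessarily what the cleanup left behind; `ipconfig /all` shows the resolvers actually in use, and a resolver that is neither the router nor the ISP's is the first thing to check when search results keep redirecting.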

peku006
2010-04-07, 10:48
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

Download and run OTL
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer and save it to your Desktop.

Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extras.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

Thanks peku006

cobo76
2010-04-07, 11:49
Thanks for helping Peku006. Here are the requested logs:

OTL logfile created on: 07/04/2010 10:37:33 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = D:\Peter\Trojaiellenes
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 59.57 Gb Total Space | 41.90 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 168.32 Gb Total Space | 75.63 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 132.61 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Zsolt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\Peter\Trojaiellenes\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (Adobe Systems Incorporated)
PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe (Hewlett-Packard Development Co. L.P.)
PRC - C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)


========== Modules (SafeList) ==========

MOD - D:\Peter\Trojaiellenes\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (McAfee SiteAdvisor Service) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (FETNDIS) -- C:\Windows\System32\drivers\fetnd6.sys (VIA Technologies, Inc. )
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\Windows\System32\drivers\RTKVAC.SYS (Realtek Semiconductor Corp.)
DRV - (hwdatacard) -- C:\Windows\System32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (W8100PCI) -- C:\Windows\System32\drivers\mrv8k51.sys (Marvell Semiconductor, Inc)
DRV - (nvmpu401) Service for NVIDIA(R) nForce(TM) -- C:\Windows\System32\drivers\nvmpu401.sys (NVIDIA Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.2
FF - prefs.js..extensions.enabledItems: ramback@pavlov.net:1.0
FF - prefs.js..extensions.enabledItems: silvermelxt@pardal.de:1.3.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: {069FB356-C69F-7349-D092-AB28AF882F01}:0.2.104


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 20:23:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/03/01 20:07:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 00:20:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 00:20:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/07 00:20:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/12/12 19:51:47 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Extensions
[2009/12/12 19:51:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/04/06 20:46:20 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions
[2010/02/14 00:15:53 | 000,000,000 | ---D | M] (Phoenity Classic) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{069FB356-C69F-7349-D092-AB28AF882F01}
[2009/10/26 14:02:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/17 19:46:20 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/11/03 21:12:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/03/18 19:19:24 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\personas@christopher.beard
[2009/10/26 14:02:27 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\ramback@pavlov.net
[2009/11/03 14:51:39 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\silvermelxt@pardal.de
[2010/02/17 20:29:45 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com
[2010/04/01 16:40:16 | 000,002,141 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\bing---images.xml
[2010/04/01 16:40:17 | 000,002,216 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\flickr.xml
[2008/11/25 16:07:42 | 000,002,088 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\hmv-search.xml
[2008/06/21 10:35:50 | 000,000,908 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\imdb.xml
[2010/04/01 16:40:17 | 000,002,005 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\longman.xml
[2010/04/01 16:40:17 | 000,001,617 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\magyar-helyesrs.xml
[2010/04/01 16:40:15 | 000,002,641 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\pic-search.xml
[2010/04/01 16:40:16 | 000,002,119 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\porthu.xml
[2010/04/01 16:40:17 | 000,002,307 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\rotten-tomatoes.xml
[2008/08/10 18:32:28 | 000,001,541 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\sztaki-eng-dict.xml
[2008/05/23 15:43:28 | 000,001,110 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\the-pirate-bay.xml
[2010/04/01 16:40:17 | 000,000,967 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\torrentz.xml
[2008/11/11 00:38:26 | 000,001,332 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\wikipedia---magyar.xml
[2008/06/21 10:35:50 | 000,001,108 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\wikipedia-en.xml
[2010/04/01 16:40:17 | 000,002,087 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\youtube---videos.xml
[2010/02/17 21:10:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/06 20:36:06 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/06 20:36:06 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/06 20:36:06 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/06 20:36:06 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001..\Run: [ISUSPM] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{396de571-0449-11df-a7e0-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{396de571-0449-11df-a7e0-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{396de573-0449-11df-a7e0-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{396de573-0449-11df-a7e0-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{8968d1c0-166c-11df-8026-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{8968d1c0-166c-11df-8026-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{8968d1c2-166c-11df-8026-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{8968d1c2-166c-11df-8026-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{f4545633-ff9b-11de-8c51-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{f4545633-ff9b-11de-8c51-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{f4545639-ff9b-11de-8c51-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{f4545639-ff9b-11de-8c51-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/07 00:24:07 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Apple Computer
[2010/04/07 00:23:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/07 00:19:31 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/07 00:17:55 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/04/07 00:17:50 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Apple
[2010/04/06 22:01:53 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Adobe
[2010/04/05 23:19:44 | 000,000,000 | ---D | C] -- C:\rsit
[2010/04/05 22:10:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/05 21:06:46 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/04/05 21:06:46 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/04/05 21:06:46 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/04/05 20:55:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/05 20:55:34 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/05 15:03:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/04 21:50:23 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/04/04 21:03:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/04 18:32:58 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Roaming\Malwarebytes
[2010/04/04 18:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 18:32:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/03 21:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/04/03 19:41:00 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/04/02 21:22:58 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/04/02 21:14:46 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Roaming\BitTorrent
[2010/04/01 20:50:13 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2010/04/01 20:50:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/01 20:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/04/01 18:56:40 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts

========== Files - Modified Within 30 Days ==========

[2010/04/07 10:43:10 | 001,835,008 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat
[2010/04/07 10:36:17 | 000,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 10:36:17 | 000,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 10:36:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
[2010/04/07 10:33:26 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/07 10:33:26 | 000,619,206 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/07 10:33:26 | 000,107,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/07 10:30:03 | 000,014,332 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/04/07 10:28:46 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 10:28:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 10:28:27 | 1610,260,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 01:43:41 | 001,891,888 | -H-- | M] () -- C:\Users\Zsolt\AppData\Local\IconCache.db
[2010/04/07 00:23:54 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/07 00:20:14 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/05 22:11:02 | 000,239,338 | ---- | M] () -- C:\Users\Public\Documents\cc_20100405_221051.reg
[2010/04/05 22:10:09 | 000,001,831 | ---- | M] () -- C:\Users\Zsolt\Desktop\CCleaner.lnk
[2010/04/05 21:02:18 | 000,524,288 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000002.regtrans-ms
[2010/04/05 21:02:18 | 000,524,288 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000001.regtrans-ms
[2010/04/05 21:02:18 | 000,065,536 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TM.blf
[2010/04/05 20:33:29 | 000,000,803 | ---- | M] () -- C:\Users\Public\Desktop\Opera.lnk
[2010/04/05 20:30:01 | 000,002,245 | ---- | M] () -- C:\Users\Zsolt\Desktop\Google Chrome.lnk
[2010/04/05 20:18:35 | 000,108,352 | ---- | M] () -- C:\Users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/04 18:01:05 | 000,000,036 | ---- | M] () -- C:\Users\Zsolt\AppData\Local\housecall.guid.cache
[2010/04/01 20:24:17 | 000,011,159 | ---- | M] () -- C:\Users\Public\Documents\newTVandSurround.xlsx
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/18 14:36:00 | 000,000,854 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
[2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/03/11 18:59:34 | 011,698,379 | ---- | M] () -- C:\Users\Public\Documents\samsung le40b650.pdf
[2010/03/11 02:09:59 | 000,393,543 | ---- | M] () -- C:\Users\Public\Documents\bookmarks.html

========== Files Created - No Company Name ==========

[2010/04/07 00:23:54 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/07 00:20:14 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/05 22:10:59 | 000,239,338 | ---- | C] () -- C:\Users\Public\Documents\cc_20100405_221051.reg
[2010/04/05 22:10:09 | 000,001,831 | ---- | C] () -- C:\Users\Zsolt\Desktop\CCleaner.lnk
[2010/04/05 20:18:03 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000002.regtrans-ms
[2010/04/05 20:18:03 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000001.regtrans-ms
[2010/04/05 20:18:02 | 000,065,536 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TM.blf
[2010/04/04 18:01:05 | 000,000,036 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\housecall.guid.cache
[2010/03/17 21:57:06 | 000,011,159 | ---- | C] () -- C:\Users\Public\Documents\newTVandSurround.xlsx
[2010/03/11 18:59:34 | 011,698,379 | ---- | C] () -- C:\Users\Public\Documents\samsung le40b650.pdf
[2010/03/11 02:09:59 | 000,393,543 | ---- | C] () -- C:\Users\Public\Documents\bookmarks.html
[2009/11/25 20:03:51 | 000,002,242 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/11/04 19:46:50 | 000,006,656 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/26 20:17:53 | 000,007,611 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\Resmon.ResmonCfg
[2009/10/25 23:40:25 | 001,835,008 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat
[2009/10/25 23:40:25 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/10/25 23:40:25 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/10/25 23:40:25 | 000,262,144 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat.LOG1
[2009/10/25 23:40:25 | 000,065,536 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/10/25 23:40:25 | 000,000,020 | -HS- | C] () -- C:\Users\Zsolt\ntuser.ini
[2009/10/25 23:40:25 | 000,000,000 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat.LOG2
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/04/14 08:43:32 | 000,154,144 | ---- | C] () -- C:\Windows\System32\RTLCPAPI.dll
[2004/08/13 10:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
< End of report >

********************************************************

OTL Extras logfile created on: 07/04/2010 10:37:33 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = D:\Peter\Trojaiellenes
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 59.57 Gb Total Space | 41.90 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 168.32 Gb Total Space | 75.63 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 132.61 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Zsolt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}" = Opera 10.51
"{07B739FD-DD3E-5060-6DF2-1D0A6448C192}" = Catalyst Control Center Graphics Full Existing
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{101C938A-B723-97FB-A065-EDFD782E5978}" = Catalyst Control Center Graphics Light
"{17016DA1-F040-4032-BD36-34DD317BC9D5}" = HP Photosmart All-In-One Driver Software 13.0 Rel. A
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2A7EF808-14F3-4E93-BE3A-1675EE5332A4}" = AIO_CDA_ProductContext
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{36787A11-7848-3C1C-17E3-667A9FFB0E9C}" = Catalyst Control Center Core Implementation
"{3C92B2E6-380D-4fef-B4DF-4A3B4B669771}" = Copy
"{4037A2B9-A976-4538-8B08-A0D95B637F35}" = C5100
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4DFAEE3E-3489-5236-9028-1A5B9B359CD0}" = Catalyst Control Center Graphics Full New
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5FE82A80-8985-082F-9B61-7EEDB1FCB461}" = ccc-core-static
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78610B4D-3157-9EA6-905E-64F144EC1E30}" = Catalyst Control Center Graphics Previews Common
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{96FF1134-84D4-8E51-0C1D-1798C6EED45E}" = Catalyst Control Center Graphics Previews Vista
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{99D3379A-4741-FC40-5E63-E47DD31560D2}" = CCC Help English
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{A0F66FCA-8206-9034-9B67-D1F50DA2DDAC}" = Catalyst Control Center HydraVision Full
"{A5436728-2DFD-4221-B4D7-F49F740134C9}" = c5100_Help
"{A548C254-03BB-22F8-1064-899487B3CF85}" = Catalyst Control Center InstallProxy
"{A7AEE29F-839E-46B5-B347-6D430618129F}" = AIO_CDA_Software
"{AB06254A-9A28-F8AD-236E-FB5C3108FE85}" = ATI Catalyst Install Manager
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{D86B0E2E-DF9A-441C-AF77-8D1A0FF00FA6}" = AIO_Scan
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F6124436-F906-7B89-7009-50BB8CD7CA93}" = ccc-utility
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"MSC" = McAfee SecurityCenter
"Shop for HP Supplies" = Shop for HP Supplies
"The KMPlayer" = The KMPlayer (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Analog Clock" = Analog Clock
"Calendar Clock" = Calendar Clock
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/04/2010 15:18:11 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:21:12 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:21:13 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:10 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:10 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:45 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:45 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:28:10 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

Error - 05/04/2010 16:13:03 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

Error - 05/04/2010 16:13:27 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

[ Media Center Events ]
Error - 20/01/2010 04:27:24 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 08:27:16 - Error connecting to the internet. 08:27:16 - Unable
to contact server..

Error - 23/01/2010 11:02:20 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 15:02:19 - Error connecting to the internet. 15:02:19 - Unable
to contact server..

Error - 23/01/2010 11:02:28 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 15:02:25 - Error connecting to the internet. 15:02:25 - Unable
to contact server..

Error - 23/01/2010 15:55:04 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 19:55:02 - Failed to retrieve Broadband (Error: The remote name could
not be resolved: 'data.tvdownload.microsoft.com')

Error - 24/01/2010 06:57:42 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:57:42 - Error connecting to the internet. 10:57:42 - Unable
to contact server..

Error - 24/01/2010 06:57:52 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:57:47 - Error connecting to the internet. 10:57:47 - Unable
to contact server..

Error - 30/01/2010 06:11:13 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:11:13 - Error connecting to the internet. 10:11:13 - Unable
to contact server..

Error - 30/01/2010 06:11:22 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:11:18 - Error connecting to the internet. 10:11:18 - Unable
to contact server..

Error - 30/01/2010 08:01:13 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 12:01:13 - Error connecting to the internet. 12:01:13 - Unable
to contact server..

Error - 30/01/2010 08:01:21 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 12:01:18 - Error connecting to the internet. 12:01:18 - Unable
to contact server..

[ System Events ]
Error - 05/04/2010 17:09:16 | Computer Name = PC | Source = DCOM | ID = 10005
Description =

Error - 05/04/2010 17:09:16 | Computer Name = PC | Source = DCOM | ID = 10005
Description =

Error - 05/04/2010 17:16:45 | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The iPod Service service terminated with the following error: %%-2147417831

Error - 05/04/2010 17:17:13 | Computer Name = PC | Source = DCOM | ID = 10010
Description =

Error - 06/04/2010 18:32:46 | Computer Name = PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 06/04/2010 19:00:27 | Computer Name = PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the lmhosts service.

Error - 06/04/2010 19:16:55 | Computer Name = PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/04/2010 19:17:26 | Computer Name = PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/04/2010 19:18:26 | Computer Name = PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Apple Mobile Device service,
but this action failed with the following error: %%1056

Error - 06/04/2010 20:44:21 | Computer Name = PC | Source = DCOM | ID = 10010
Description =


< End of report >

peku006
2010-04-07, 13:32
Hi cobo

1 - Download and Run ComboFix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)


Thanks peku006

cobo76
2010-04-08, 00:21
Thanks for the reply.

Strange thing happened: when I came home from work and switched on the computer, after the Win 7 welcome message there was only a black screen and a cursor and nothing else. I could retrieve the Windows Task Manager and figured out that explorer.exe wasn't running at all and couldn't get it to run (no access). I managed to open Firefox, download ComboFix and run it, which helped a lot; at one point it even displayed 'System file infected: explorer.exe' and managed to reinstate it. So Windows 7 and the desktop are back after running ComboFix, but strangely the Google redirections (and slower net sometimes) still exist.

Here is the combofix log:

ComboFix 10-04-06.05 - Zsolt 07/04/2010 22:55:01.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2048.1380 [GMT 1:00]
Running from: c:\users\Zsolt\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.bing.com
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 22:01 . 2010-04-07 22:04 -------- d-----w- c:\users\Zsolt\AppData\Local\temp
2010-04-07 22:01 . 2010-04-07 22:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 09:38 . 2009-10-31 06:00 2614272 ----a-w- c:\windows\explorer.exe
2010-04-06 23:24 . 2010-04-06 23:24 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple Computer
2010-04-06 23:23 . 2010-04-06 23:23 -------- d-----w- c:\program files\iPod
2010-04-06 23:19 . 2010-04-06 23:20 -------- d-----w- c:\program files\QuickTime
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple
2010-04-06 21:01 . 2010-04-07 09:32 -------- d-----w- c:\users\Zsolt\AppData\Local\Adobe
2010-04-05 22:19 . 2010-04-05 22:19 -------- d-----w- C:\rsit
2010-04-05 21:10 . 2010-04-05 21:10 -------- d-----w- c:\program files\CCleaner
2010-04-05 20:06 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-05 19:55 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 19:55 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 14:03 . 2010-04-05 14:03 -------- d-----w- c:\program files\ESET
2010-04-04 20:03 . 2010-04-04 20:03 -------- d-----w- c:\program files\Trend Micro
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Malwarebytes
2010-04-04 17:32 . 2010-04-05 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-03 20:52 . 2010-04-05 18:16 -------- d-----w- c:\program files\Unlocker
2010-04-03 18:41 . 2010-04-03 18:41 -------- d-----w- c:\windows\Sun
2010-04-02 20:22 . 2010-04-05 18:16 -------- d-----w- c:\program files\7-Zip
2010-04-02 20:14 . 2010-04-05 18:16 -------- d-----w- c:\users\Zsolt\AppData\Roaming\BitTorrent
2010-04-01 19:50 . 2010-04-05 18:16 -------- d-----w- c:\program files\Adobe Media Player
2010-04-01 19:50 . 2010-04-01 19:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 19:46 . 2010-04-01 19:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 17:56 . 2010-04-01 17:57 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-26 00:48 . 2010-03-26 00:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 22:04 . 2009-12-03 21:16 117760 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 23:23 . 2010-02-12 16:43 -------- d-----w- c:\program files\iTunes
2010-04-06 23:23 . 2009-10-26 16:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 23:16 . 2009-10-26 16:37 -------- d-----w- c:\program files\Bonjour
2010-04-05 21:16 . 2010-02-13 09:58 -------- d-----w- c:\program files\McAfee
2010-04-05 20:48 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 20:22 . 2009-10-26 14:20 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-05 20:04 . 2009-12-03 21:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 19:33 . 2010-03-03 20:01 -------- d-----w- c:\program files\Opera
2010-04-05 19:18 . 2009-10-25 23:23 108352 ----a-w- c:\users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-05 18:16 . 2009-10-26 14:20 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Thunderbird
2010-04-05 18:16 . 2010-02-13 10:08 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 18:16 . 2009-10-27 20:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-05 18:16 . 2009-11-17 21:24 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-04-05 18:15 . 2009-10-26 16:38 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-08 20:06 . 2009-12-02 20:44 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HpUpdate
2010-03-02 18:46 . 2010-03-02 18:46 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HPAppData
2010-03-01 21:35 . 2010-03-01 19:07 23112 ----a-w- c:\windows\hpqins15.dat
2010-02-24 09:16 . 2009-10-25 22:45 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 20:10 . 2010-02-17 20:10 -------- d-----w- c:\program files\Common Files\Java
2010-02-17 20:10 . 2010-02-17 20:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 20:10 . 2010-02-17 20:10 -------- d-----w- c:\program files\Java
2010-02-13 11:07 . 2009-10-26 15:11 -------- d-----w- c:\programdata\Microsoft Help
2010-02-13 11:02 . 2010-02-13 11:02 -------- d-----w- c:\program files\Microsoft.NET
2010-02-13 10:10 . 2010-02-13 09:58 -------- d-----w- c:\programdata\McAfee
2010-02-13 10:08 . 2010-02-13 10:08 -------- d-----w- c:\program files\McAfee.com
2010-02-13 09:59 . 2010-02-13 09:59 -------- d-----w- c:\users\Zsolt\AppData\Roaming\McAfee
2010-02-13 09:00 . 2010-02-13 09:00 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-12 18:52 . 2010-02-12 18:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 17:19 . 2009-12-18 09:10 52224 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 14:55 . 2010-02-17 19:29 12800 ----a-w- c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
2010-02-02 21:27 . 2010-01-19 20:31 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-02-02 21:10 . 2010-01-19 20:31 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-02-02 07:45 . 2010-02-23 18:48 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-28 19:22 . 2009-12-15 22:03 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-01-23 16:06 . 2009-12-15 22:02 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-18 23:29 . 2010-02-12 12:46 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-12 12:46 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-12 12:46 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-12 12:46 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-12 12:46 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-12 12:46 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-12 12:46 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-12 12:46 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-08 03:18 . 2010-02-12 12:46 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-12 12:46 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-05 2010864]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-06 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Zsolt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Zsolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-14 18:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-20 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-20 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-20 66632]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2009-12-14 93320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Zsolt\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.bpbz.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x856C8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x846b8910
QueryNameProcedure -> 0x846b8aa0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2344)
c:\progra~1\mcafee\sitead~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-04-07 23:07:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 22:07

Pre-Run: 44,618,502,144 bytes free
Post-Run: 44,540,444,672 bytes free

- - End Of File - - 0032EE48846024A0BBB65B51E221C908



Thanks for your help,
cobo
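The ComboFix log above lists four `capability.policy.*` entries from the Firefox profile's user.js, granting a named policy ("allowclipboard") full clipboard cut/copy/paste access for a single site. Entries like these are worth auditing because a prefs file is a quiet place to widen what a site may do. The script below is an added example, not part of the thread or of ComboFix; it parses user.js-style `user_pref(...)` lines and groups every capability policy with its sites and grants. The sample user.js is constructed from the values in the log (the `hxxp://` defanging is kept as ComboFix printed it), with one ordinary pref added to show that unrelated prefs are ignored.

```python
import json
import re
from collections import defaultdict

# One Firefox preference line: user_pref("name", value);  (or pref(...) in defaults files)
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')

# Constructed sample: the four capability.policy prefs reported in the ComboFix log
# above, plus one ordinary pref. Not a real file from the affected machine.
SAMPLE_USER_JS = r'''
user_pref("browser.startup.homepage", "about:blank");
user_pref("capability.policy.policynames", "allowclipboard");
user_pref("capability.policy.allowclipboard.sites", "hxxp://www.bpbz.com");
user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");
'''


def parse_prefs(text):
    """Return {pref_name: value} for every pref line in a prefs/user.js file.
    Firefox pref literals are strings, integers or true/false, so they decode as JSON."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        try:
            prefs[m.group("name")] = json.loads(m.group("value"))
        except json.JSONDecodeError:
            prefs[m.group("name")] = m.group("value")  # keep the raw text if not a plain literal
    return prefs


def audit_capability_policies(prefs):
    """Collect capability.policy.* prefs into
    {policy: {"sites": [origins...], "grants": {capability: level}}}.
    Both policynames and <policy>.sites are whitespace-separated lists."""
    prefix = "capability.policy."
    policies = defaultdict(lambda: {"sites": [], "grants": {}})
    for name, value in prefs.items():
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):]
        if rest == "policynames":
            for policy in str(value).split():
                _ = policies[policy]  # declared policies show up even if they grant nothing
            continue
        policy, _, capability = rest.partition(".")
        if capability == "sites":
            policies[policy]["sites"] = str(value).split()
        elif capability:
            policies[policy]["grants"][capability] = value
    return dict(policies)


def report(text):
    """One human-readable line per (policy, capability) grant."""
    lines = []
    for policy, info in audit_capability_policies(parse_prefs(text)).items():
        sites = ", ".join(info["sites"]) or "(no sites)"
        for capability, level in info["grants"].items():
            lines.append(f"{policy}: {capability}={level} for {sites}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_USER_JS):
        print(line)
```

Run against a real profile, point `parse_prefs` at the profile's user.js (and prefs.js, since user.js values are copied there on startup); any policy that appears and was not deliberately configured is a finding to investigate, not something to silently delete, because the same mechanism is used legitimately by some intranet deployments.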

cobo76
2010-04-08, 00:24
Oh and one more strange thing. I downloaded the combofix.exe to the desktop and it was there even after the reboot, but it disappeared afterwards. Or maybe that's normal?

peku006
2010-04-08, 08:57
Hi cobo76

but it disappeared afterwards. Or maybe that's normal?
yes it is "normal"

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
In Command Prompt, type in net stop gmer. Press Enter.
Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Thanks peku006

cobo76
2010-04-08, 12:45
Well, I tried to run it, but just couldn't get it to work.
Attempt 1-3: pc simply rebooted without a blue screen even before I could hit Start.
Attempt 4: The scan started then the pc rebooted after couple of seconds
Attempt 5: Same as attempt 4 but I noted that the scan hung on \Ntfs before rebooting
Attempt 6-7: Blue screen reboot

After the first attempt I tried to rename the file, thinking that something was blocking it, but as you can see, it didn't make any change.

cobo76
2010-04-08, 13:08
I tried again in normal mode and in safe mode with no luck.
In safe mode, Windows at least gave me a reason code:

Problem signature:
Problem Event Name: APPCRASH
Application Name: gmer.exe
Application Version: 1.0.15.15281
Application Timestamp: 4b2763f0
Fault Module Name: gmer.exe
Fault Module Version: 1.0.15.15281
Fault Module Timestamp: 4b2763f0
Exception Code: c0000005
Exception Offset: 0000c4b1
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789


Hope it helps

peku006
2010-04-08, 13:12
Hi cobo76

Ok, let's try this

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
*atapi*


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006

cobo76
2010-04-08, 23:21
Hi peku006,

Here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:16 on 08/04/2010 by Zsolt (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [22:06 07/04/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\en-US\WinSATAPI.dll.mui --a--- 6656 bytes [04:55 14/07/2009] [02:07 14/07/2009] 330A6E9A4A6FA657EBB094FCD82EFA9D
C:\Windows\System32\WinSATAPI.dll --a--- 335872 bytes [23:22 13/07/2009] [01:16 14/07/2009] 62D6C0C69ADFB00C3EB9A0CC81F39EE6
C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.1.7600.16385_none_e374b83d58edf937\WinSATAPI.dll --a--- 335872 bytes [23:22 13/07/2009] [01:16 14/07/2009] 62D6C0C69ADFB00C3EB9A0CC81F39EE6
C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_89009cca9c91feec\WinSATAPI.dll.mui --a--- 6656 bytes [04:55 14/07/2009] [02:07 14/07/2009] 330A6E9A4A6FA657EBB094FCD82EFA9D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-


Thanks for your continuous help. I'll be away till Monday evening (12 Apr) and will log in as soon as I get home.
cobo76
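The point of the `*atapi*` search above is that Windows keeps several copies of a driver (the live one in System32\drivers, the DriverStore and winsxs copies, and here a ComboFix ERDNT cache copy), and a file-infecting rootkit patches only the live one; the helper compares the MD5s by eye and, in this log, all four atapi.sys copies match. The script below is an added example, not part of the thread or of SystemLook; it parses SystemLook filefind lines, picks the servicing-store copies as the reference and reports any copy whose hash differs. The first sample is the atapi.sys lines from the log above; the second is constructed, with the live driver's hash changed to an obvious placeholder, to show what a mismatch looks like.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One SystemLook ":filefind" result line:
#   <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# The four atapi.sys lines from the SystemLook log posted above.
PAGE_LOG = r"""
C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [22:06 07/04/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
"""

# Constructed sample (not from the affected machine): the live driver carries a
# placeholder hash and a fresh modification time, the store copies are unchanged.
CONSTRUCTED_LOG = r"""
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [22:30 05/04/2010] [01:26 14/07/2009] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
"""


def parse_filefind(text):
    """Parse SystemLook filefind output into a list of dicts (path, attrs, size, mtime, ctime, md5)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_store_copy(path):
    """Copies held by Windows servicing (winsxs, DriverStore) are the trusted reference."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\" in p


def reference_hash(copies):
    # Prefer the store copies; fall back to a simple majority when there are none.
    store = [c["md5"] for c in copies if is_store_copy(c["path"])]
    pool = store or [c["md5"] for c in copies]
    return Counter(pool).most_common(1)[0][0]


def find_outliers(entries):
    """Group copies by file name and return {name: [paths whose MD5 differs from the reference]}."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)
    outliers = {}
    for name, copies in by_name.items():
        if len(copies) < 2:
            continue  # nothing to compare against
        ref = reference_hash(copies)
        bad = [c["path"] for c in copies if c["md5"] != ref]
        if bad:
            outliers[name] = bad
    return outliers


if __name__ == "__main__":
    print("page log   :", find_outliers(parse_filefind(PAGE_LOG)))
    print("constructed:", find_outliers(parse_filefind(CONSTRUCTED_LOG)))
```

A matching hash read from inside the running system is evidence, not proof: a kernel-mode rootkit that hooks the disk stack can hand clean bytes to user-mode readers, which is why the helper also ran the MBR check inside ComboFix and asked for a GMER scan rather than relying on this comparison alone.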

peku006
2010-04-09, 14:09
Hi cobo76

Please download GooredFix by jpshortstuff from one of the links below and save it to your Desktop
Link 1 (http://jpshortstuff.247fixes.com/GooredFix.exe) | Link 2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click GooredFix.exe.
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (the log can also be found on your desktop, named GooredFix.txt).

Thanks peku006

cobo76
2010-04-13, 19:09
Hello peku006,

I'm back, here's the requested log:


GooredFix by jpshortstuff (08.01.10.1)
Log created at 18:07 on 13/04/2010 (Zsolt)
Firefox version 3.6.3 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:03 25/10/2009]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [20:10 17/02/2010]

C:\Users\Zsolt\Application Data\Mozilla\Firefox\Profiles\890496yn.default\extensions\
personas@christopher.beard [18:19 18/03/2010]
ramback@pavlov.net [13:02 26/10/2009]
silvermelxt@pardal.de [13:51 03/11/2009]
toolbar@alot.com [19:29 17/02/2010]
{069FB356-C69F-7349-D092-AB28AF882F01} [23:15 13/02/2010]
{20a82645-c095-46ed-80e3-08825760534b} [13:02 26/10/2009]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [16:34 13/04/2010]
{dc572301-7619-498c-a57d-39143191b318} [20:12 03/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [10:09 13/02/2010]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [19:44 25/11/2009]

-=E.O.F=-

peku006
2010-04-13, 19:49
Hi cobo76

1 - Run Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

description of any problems you are having with your PC

Thanks peku006

cobo76
2010-04-14, 19:58
Hello Peku006,

The requested log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3987

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/04/2010 18:13:56
mbam-log-2010-04-14 (18-13-56).txt

Scan type: Full scan (C:\|D:\|G:\|)
Objects scanned: 240052
Time elapsed: 51 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents\Received files\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\Documents\Received files\Photoshop (Keygen and tutorial)\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.


******************************************************

The computer works fine in general, but sometimes does strange things. Yesterday the Win7 Gadgets menu didn't start and I couldn't get them to work, but it works fine now. Google results still redirect from time to time to unharmful pages like:
http://uk.ask.com/web?q=samsung%20le40c650%20revi&siteid=10000857&qsrc=999&l=dis

http://prodomainmoney.com/result.php?Keywords=samsung+le40c650+revi&r=1d37cbf54ef8574f0a13a1897f95a57057018ae79211076189dc8b1e83ec28b1fd96f77f4c365687064120b8825f99e5&Submit=Go

(In both cases I was googling a Samsung TV.) The common feature is that it redirects somewhere for only a second (with an empty screen), then jumps to some unharmful page. I made a screenshot of that first redirection phase:

http://forums.spybot.info/attachment.php?attachmentid=4804&stc=1&d=1271267559

Thanks for your help,
cobo76

peku006
2010-04-14, 20:27
Hi cobo76

Download CKScanner by askey127 from HERE (http://downloads.malwareremoval.com/CKScanner.exe)
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Thanks peku006

cobo76
2010-04-14, 20:47
Hi there,

Log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----


Thanks,
cobo

peku006
2010-04-15, 08:38
Hi cobo

Why did you have these?

D:\Documents\Received files\Keygen.exe
D:\Documents\Received files\Photoshop (Keygen and tutorial)\Keygen.exe

Thanks peku006

cobo76
2010-04-15, 18:46
Hello peku006,

I must have received them, but they're all deleted now, I double-checked. They're not needed. Why?

cobo76

peku006
2010-04-15, 19:29
Hi cobo

We do not support the use of illegal Pirated/Warez/Cracked software

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

cobo76
2010-04-16, 10:02
Hi peku006,

Eset report:

D:\Documents\Old net downloads\sdax2101.exe Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\DigitalSmart-Audio-Recorder-for-FREE-Installer.EXE Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\Program Suite 2010\xf-colorefex3.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\Dfine2-rev2.102EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\SharpenerPro3-rev3.001EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\SilverEfexPro-rev1.003EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\iveza-rev1.002EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Name\Levelek\mail.btinternet.com\Inbox a variant of Win32/HackTool.Patcher.A application
D:\Name\Levelek\mail.btinternet.com\Sent a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 148.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 23.zip a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 25.zip a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 5.zip Win32/Adware.WhenU.SaveNow application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 6.zip Win32/Adware.WhenU.SaveNow application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-12-06 190002\Backup files 4.zip a variant of Win32/HackTool.Patcher.A application


****************************************************

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:56:09, on 16/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [BrowserChoice] browserchoice.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6101 bytes


Thanks,
cobo

peku006
2010-04-16, 11:21
Hi cobo

I cannot find anything "suspicious"; let's try this

Close Firefox.
On your keyboard hit the Windows key and R simultaneously.

In the Run box type in this command and hit enter.

"%PROGRAMFILES%\Mozilla Firefox\firefox.exe" -safe-mode

Don't make any changes.
Click on Continue in Safe Mode

Firefox should start up. It may look unusual but it will work.
Let me know if your issue happens with Firefox in this mode.

Thanks peku006

cobo76
2010-04-17, 12:48
Hi peku006,

Thanks for the quick reply. Unfortunately it does occur even in safe mode. See the picture attached, taken when I tried to do a Google search right after starting up FF in safe mode.
http://forums.spybot.info/attachment.php?attachmentid=4814&stc=1&d=1271500957

I also tried to search on Bing site and the redirection happens from there, too.

Thanks,
cobo

peku006
2010-04-17, 13:32
Hi cobo

It appears that you have a tdl3 rootkit, and the tools that we normally use are not working on Windows 7.


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
*iastor*


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006

cobo76
2010-04-17, 20:44
Hello peku

Thanks for that, here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:25 on 17/04/2010 by Zsolt (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor*"
C:\Windows\inf\iastorv.inf --a--- 14004 bytes [04:51 14/07/2009] [04:51 14/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\inf\iastorv.PNF --a--- 17612 bytes [04:38 14/07/2009] [04:38 14/07/2009] 0B02E76F6BAD88802970F09EDADCEB62
C:\Windows\System32\DriverStore\en-US\iastorv.inf_loc --a--- 2036 bytes [04:54 14/07/2009] [02:04 14/07/2009] F55899C679D9851CCEAF0A4E1983A520
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iastorv.inf --a--- 14004 bytes [20:49 13/07/2009] [20:49 13/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iastorv.PNF --a--- 16884 bytes [04:51 14/07/2009] [04:51 14/07/2009] 99FFD122C1B5693457E7F2C45E94D8C4
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\winsxs\Manifests\x86_iastorv.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_6a53a1b100db3f49.manifest --a--- 1113 bytes [04:55 14/07/2009] [04:55 14/07/2009] 5D132FB028836EA4C6342D5757DF16D5
C:\Windows\winsxs\Manifests\x86_iastorv.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8ca5196e3515d38.manifest --a--- 1781 bytes [04:54 14/07/2009] [02:28 14/07/2009] 9B395173BA10EA76B5B01676B8E7B341
C:\Windows\winsxs\Manifests\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000.manifest --a--- 2087 bytes [04:48 14/07/2009] [04:48 14/07/2009] BF4E86A933AC44DB292DE55993CD46EA
C:\Windows\winsxs\x86_iastorv.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8ca5196e3515d38\iastorv.inf_loc --a--- 2036 bytes [04:54 14/07/2009] [02:04 14/07/2009] F55899C679D9851CCEAF0A4E1983A520
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iastorv.inf --a--- 14004 bytes [20:49 13/07/2009] [20:49 13/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67

-=End Of File=-


cobo
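The SystemLook listing above is useful beyond eyeballing it: every copy of a driver (the active one under System32\drivers, plus the DriverStore and winsxs repository copies) carries an MD5, so the copies can be compared mechanically and a driver whose in-use file no longer matches its repository copies stands out. The parser below is an added example, not part of the thread and not SystemLook's own code; it parses the ":filefind" line format shown in the log, and the "repository copy" rule (any path under DriverStore or winsxs) is an assumption of this example. The sample input reuses the three iaStorV.sys lines from the log above plus two constructed atapi.sys lines with made-up hashes to show a mismatch.

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line, in the format seen in the log above:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption of this example: copies under these folders are the OS's own
# reference copies; anything else (e.g. System32\drivers) is the in-use file.
REPOSITORY_MARKERS = ("\\driverstore\\", "\\winsxs\\")


def parse_systemlook(text):
    """Return a list of dicts (path, attrs, size, created, modified, md5)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_repository_copy(path):
    p = path.lower()
    return any(marker in p for marker in REPOSITORY_MARKERS)


def find_hash_mismatches(entries):
    """Group copies by file name and flag in-use copies whose MD5 matches
    none of the repository copies of the same file."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for name, copies in by_name.items():
        reference = {c["md5"] for c in copies if is_repository_copy(c["path"])}
        if not reference:
            continue  # nothing to compare against
        for c in copies:
            if not is_repository_copy(c["path"]) and c["md5"] not in reference:
                findings.append({"file": name, "path": c["path"],
                                 "md5": c["md5"], "expected": sorted(reference)})
    return findings


# Sample input: the three iaStorV.sys lines are taken from the log above; the
# two atapi.sys lines are CONSTRUCTED for this example, with made-up hashes.
SAMPLE = r"""
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [23:11 13/07/2009] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\x86_constructed_example\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [23:11 13/07/2009] CAFEBABECAFEBABECAFEBABECAFEBABE
"""


def check_sample():
    return find_hash_mismatches(parse_systemlook(SAMPLE))


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f['path']}: md5 {f['md5']} not in repository copies {f['expected']}")
```

A match does not prove a driver is clean (a rootkit that patches the on-disk file can also leave the repository untouched, and the TDSSKiller run later in this thread found atapi.sys infected without any such listing), but a mismatch between the in-use copy and its repository copies is a cheap, explainable signal worth looking at before running heavier tools.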

peku006
2010-04-18, 10:03
Hi cobo


Go to this page (http://support.kaspersky.com/viruses/solutions?qid=208280684) and Download TDSSKiller.zip to your Desktop.
Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Thanks peku006

cobo76
2010-04-18, 12:45
Hi peku,

The report:

11:36:37:923 3536 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:36:37:923 3536 ================================================================================
11:36:37:923 3536 SystemInfo:

11:36:37:923 3536 OS Version: 6.1.7600 ServicePack: 0.0
11:36:37:923 3536 Product type: Workstation
11:36:37:923 3536 ComputerName: PC
11:36:37:923 3536 UserName: Zsolt
11:36:37:923 3536 Windows directory: C:\Windows
11:36:37:923 3536 Processor architecture: Intel x86
11:36:37:923 3536 Number of processors: 2
11:36:37:923 3536 Page size: 0x1000
11:36:37:923 3536 Boot type: Normal boot
11:36:37:923 3536 ================================================================================
11:36:37:923 3536 UnloadDriverW: NtUnloadDriver error 2
11:36:37:923 3536 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:36:38:126 3536 wfopen_ex: Trying to open file C:\Windows\system32\config\system
11:36:38:126 3536 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:36:38:126 3536 wfopen_ex: Trying to KLMD file open
11:36:38:126 3536 wfopen_ex: File opened ok (Flags 2)
11:36:38:142 3536 wfopen_ex: Trying to open file C:\Windows\system32\config\software
11:36:38:142 3536 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:36:38:142 3536 wfopen_ex: Trying to KLMD file open
11:36:38:142 3536 wfopen_ex: File opened ok (Flags 2)
11:36:38:157 3536 Initialize success
11:36:38:157 3536
11:36:38:157 3536 Scanning Services ...
11:36:39:048 3536 Raw services enum returned 464 services
11:36:39:079 3536
11:36:39:079 3536 Scanning Kernel memory ...
11:36:39:079 3536 Devices to scan: 2
11:36:39:079 3536
11:36:39:079 3536 Driver Name: USBSTOR
11:36:39:079 3536 IRP_MJ_CREATE : 8F5E2A02
11:36:39:079 3536 IRP_MJ_CREATE_NAMED_PIPE : 82AE9447
11:36:39:079 3536 IRP_MJ_CLOSE : 8F5E2A7A
11:36:39:079 3536 IRP_MJ_READ : 8F5E2AF2
11:36:39:079 3536 IRP_MJ_WRITE : 8F5E2AF2
11:36:39:079 3536 IRP_MJ_QUERY_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_EA : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_EA : 82AE9447
11:36:39:079 3536 IRP_MJ_FLUSH_BUFFERS : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_VOLUME_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_VOLUME_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_DIRECTORY_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_FILE_SYSTEM_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_DEVICE_CONTROL : 8F5E25FE
11:36:39:079 3536 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F5D5656
11:36:39:079 3536 IRP_MJ_SHUTDOWN : 82AE9447
11:36:39:079 3536 IRP_MJ_LOCK_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_CLEANUP : 82AE9447
11:36:39:079 3536 IRP_MJ_CREATE_MAILSLOT : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_SECURITY : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_SECURITY : 82AE9447
11:36:39:079 3536 IRP_MJ_POWER : 8F5E09BA
11:36:39:079 3536 IRP_MJ_SYSTEM_CONTROL : 8F5DD88E
11:36:39:079 3536 IRP_MJ_DEVICE_CHANGE : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_QUOTA : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_QUOTA : 82AE9447
11:36:39:095 3536 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
11:36:39:095 3536
11:36:39:095 3536 Driver Name: atapi
11:36:39:095 3536 IRP_MJ_CREATE : 856DFAC8
11:36:39:095 3536 IRP_MJ_CREATE_NAMED_PIPE : 856DFAC8
11:36:39:095 3536 IRP_MJ_CLOSE : 856DFAC8
11:36:39:095 3536 IRP_MJ_READ : 856DFAC8
11:36:39:095 3536 IRP_MJ_WRITE : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_EA : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_EA : 856DFAC8
11:36:39:095 3536 IRP_MJ_FLUSH_BUFFERS : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_VOLUME_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_VOLUME_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_DIRECTORY_CONTROL : 856DFAC8
11:36:39:095 3536 IRP_MJ_FILE_SYSTEM_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_DEVICE_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_INTERNAL_DEVICE_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_SHUTDOWN : 856DFAC8
11:36:39:110 3536 IRP_MJ_LOCK_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_CLEANUP : 856DFAC8
11:36:39:110 3536 IRP_MJ_CREATE_MAILSLOT : 856DFAC8
11:36:39:110 3536 IRP_MJ_QUERY_SECURITY : 856DFAC8
11:36:39:110 3536 IRP_MJ_SET_SECURITY : 856DFAC8
11:36:39:110 3536 IRP_MJ_POWER : 856DFAC8
11:36:39:110 3536 IRP_MJ_SYSTEM_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_DEVICE_CHANGE : 856DFAC8
11:36:39:110 3536 IRP_MJ_QUERY_QUOTA : 856DFAC8
11:36:39:110 3536 IRP_MJ_SET_QUOTA : 856DFAC8
11:36:39:110 3536 Driver "atapi" infected by TDSS rootkit!
11:36:39:110 3536 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
11:36:39:110 3536 File "C:\Windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
11:36:39:110 3536 Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
11:36:39:470 3536 vfvi6
11:36:39:532 3536 dsvbh1
11:36:40:157 3536 fdfb1
11:36:40:157 3536 Backup copy found, using it..
11:36:40:157 3536 will be cured on next reboot
11:36:40:157 3536 Reboot required for cure complete..
11:36:40:313 3536 Cure on reboot scheduled successfully
11:36:40:313 3536
11:36:40:313 3536 Completed
11:36:40:313 3536
11:36:40:313 3536 Results:
11:36:40:313 3536 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:36:40:313 3536 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:36:40:313 3536 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:36:40:313 3536
11:36:40:313 3536 fclose_ex: Trying to close file C:\Windows\system32\config\system
11:36:40:313 3536 fclose_ex: Trying to close file C:\Windows\system32\config\software
11:36:40:313 3536 UnloadDriverW: NtUnloadDriver error 1
11:36:40:329 3536 MyDeleteFileW: MyNtCreateFile (C:\Windows\system32\drivers\klmd.sys) error 32
11:36:40:329 3536 KLMD(ARK) unloaded successfully



*************************************************


I don't know whether this was supposed to fix it (based on the report), but unfortunately the redirections still exist. Do you think I have to reinstall Win7 to get rid of this tdl3?

Thanks,
cobo
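The TDSSKiller log above shows what the tool's kernel-memory scan looks at: for each scanned driver it dumps the IRP_MJ dispatch table, i.e. which kernel address handles each major I/O function. For USBSTOR the entries split between real handlers (8F5E2A02, 8F5E2AF2, ...) and a shared default (82AE9447) for functions the driver doesn't implement, while for atapi every single entry points to 856DFAC8, and that is the driver the tool reports as infected. The parser below is an added example written for this thread, not Kaspersky's code; it strips the timestamp/PID prefix, collects the dispatch table per driver, and applies one heuristic that is this example's own assumption, not the tool's logic: a driver whose entire dispatch table resolves to a single address is flagged. The tool's own "infected by TDSS rootkit" line is recorded separately so the two signals can be compared. The sample log is an abridged, constructed excerpt in the same format, using the addresses from the report above.

```python
import re

# "HH:MM:SS:mmm PID message" prefix on every TDSSKiller log line.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(?P<name>\S+)$")
IRP_RE = re.compile(r"^(?P<fn>IRP_MJ_[A-Z_]+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})$")


def parse_tdsskiller(text):
    """Return {driver_name: {"handlers": {IRP_MJ_x: addr}, "tool_flagged": bool}}."""
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        dm = DRIVER_RE.match(msg)
        if dm:  # a new "Driver Name:" section starts
            current = dm.group("name")
            drivers[current] = {"handlers": {}, "tool_flagged": False}
            continue
        if current is None:
            continue
        im = IRP_RE.match(msg)
        if im:
            drivers[current]["handlers"][im.group("fn")] = im.group("addr").upper()
        elif "infected by TDSS rootkit" in msg:
            drivers[current]["tool_flagged"] = True  # the tool's own verdict
    return drivers


def assess(drivers):
    """Per driver: size of the dispatch table, number of distinct target
    addresses, and whether everything funnels into one address (heuristic)."""
    report = {}
    for name, info in drivers.items():
        targets = set(info["handlers"].values())
        report[name] = {
            "entries": len(info["handlers"]),
            "distinct_targets": len(targets),
            "single_target": len(info["handlers"]) > 0 and len(targets) == 1,
            "tool_flagged": info["tool_flagged"],
        }
    return report


def suspicious_drivers(report):
    """Drivers worth a closer look: flagged by the tool or by the heuristic."""
    return sorted(n for n, r in report.items() if r["tool_flagged"] or r["single_target"])


# CONSTRUCTED, abridged excerpt in the TDSSKiller log format, using the
# addresses shown in the report above (full tables have 28 entries each).
SAMPLE_LOG = r"""
11:36:39:079 3536 Scanning Kernel memory ...
11:36:39:079 3536 Devices to scan: 2
11:36:39:079 3536
11:36:39:079 3536 Driver Name: USBSTOR
11:36:39:079 3536 IRP_MJ_CREATE : 8F5E2A02
11:36:39:079 3536 IRP_MJ_CREATE_NAMED_PIPE : 82AE9447
11:36:39:079 3536 IRP_MJ_READ : 8F5E2AF2
11:36:39:079 3536 IRP_MJ_DEVICE_CONTROL : 8F5E25FE
11:36:39:079 3536 IRP_MJ_POWER : 8F5E09BA
11:36:39:095 3536 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
11:36:39:095 3536 Driver Name: atapi
11:36:39:095 3536 IRP_MJ_CREATE : 856DFAC8
11:36:39:095 3536 IRP_MJ_CREATE_NAMED_PIPE : 856DFAC8
11:36:39:095 3536 IRP_MJ_READ : 856DFAC8
11:36:39:110 3536 IRP_MJ_DEVICE_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_POWER : 856DFAC8
11:36:39:110 3536 Driver "atapi" infected by TDSS rootkit!
11:36:39:110 3536 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
"""


def analyse_sample():
    return assess(parse_tdsskiller(SAMPLE_LOG))


if __name__ == "__main__":
    rep = analyse_sample()
    for name, r in rep.items():
        print(f"{name}: {r['entries']} entries -> {r['distinct_targets']} distinct "
              f"targets, single_target={r['single_target']}, tool_flagged={r['tool_flagged']}")
    print("suspicious:", suspicious_drivers(rep))
```

The heuristic is deliberately narrow: a storage miniport like atapi is expected to have at least a few distinct handlers (device control vs. power vs. the default stub), so a table where everything lands on one address is worth checking even on a machine where the scanner's signature verdict is silent. It is a triage aid, not a verdict; the cure-on-reboot result in the log above, and the redirects that survived it, show why a second tool was needed next.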

peku006
2010-04-18, 13:55
Hi cobo

Do you think I have to reinstall Win7 to get rid of this tdl3?
Perhaps it is the best option, but we can try this tool before you reinstall Win7.

Download RootRepeal from the following location and save it to your desktop.

Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)

Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click the OK button
Check the box for your main system drive (Usually C:), and Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

Thanks peku006

cobo76
2010-04-18, 21:03
Hello peku,

I tried to run RootRepeal but ran into this every time. Should I try in safe mode?

http://forums.spybot.info/attachment.php?attachmentid=4816&stc=1&d=1271617405

Thanks,
cobo

cobo76
2010-04-20, 10:56
Hello peku,

I tried in safe mode with the same result unfortunately.

Any other ideas perhaps?

Thanks again,
cobo

peku006
2010-04-20, 15:40
Hi cobo

Uninstall ComboFix

Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK

Download the latest version of ComboFix and run it
Thanks peku006

cobo76
2010-04-20, 21:39
Hi peku,

I saw your earlier message, which got deleted now (that your 'tools' are not working under Win7). Funnily, somehow I had exactly the same idea that you just recommended. So, as I couldn't find where I saved the earlier version of Combofix, I downloaded it again and ran it. :)
This is the report:

ComboFix 10-04-19.05 - Zsolt 20/04/2010 15:35:01.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2048.1319 [GMT 1:00]
Running from: d:\peter\Trojaiellenes\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Zsolt\AppData\Roaming\sdra64.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

----- BITS: Possible infected sites -----

hxxp://www.bing.com
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 14:40 . 2010-04-20 14:40 -------- d-----w- c:\users\Zsolt\AppData\Local\temp
2010-04-20 14:40 . 2010-04-20 14:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-20 14:29 . 2010-04-20 14:30 -------- d-----w- C:\32788R22FWJFW
2010-04-20 08:53 . 2010-04-20 14:14 -------- d-sh--w- c:\users\Zsolt\AppData\Roaming\lowsec
2010-04-19 16:38 . 2010-04-19 16:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 16:37 . 2010-04-19 16:37 -------- d-----w- c:\programdata\Hitman Pro
2010-04-19 16:37 . 2010-04-19 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-18 10:36 . 2010-04-18 10:36 36488 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-04-16 07:53 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 17:20 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 17:20 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 17:20 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 17:20 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 17:20 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 17:20 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 15:53 . 2010-04-14 15:53 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple
2010-04-14 14:01 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 14:01 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 21:02 . 2010-04-17 10:47 -------- d-----w- c:\users\Zsolt\AppData\Local\Adobe
2010-04-13 16:48 . 2010-04-13 16:48 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple Computer
2010-04-07 09:38 . 2009-10-31 06:00 2614272 ------w- c:\windows\explorer.exe
2010-04-06 23:23 . 2010-04-06 23:23 -------- d-----w- c:\program files\iPod
2010-04-06 23:19 . 2010-04-06 23:20 -------- d-----w- c:\program files\QuickTime
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-05 22:19 . 2010-04-05 22:19 -------- d-----w- C:\rsit
2010-04-05 21:10 . 2010-04-05 21:10 -------- d-----w- c:\program files\CCleaner
2010-04-05 20:06 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-05 19:55 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 19:55 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 14:03 . 2010-04-05 14:03 -------- d-----w- c:\program files\ESET
2010-04-04 20:03 . 2010-04-04 20:03 -------- d-----w- c:\program files\Trend Micro
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Malwarebytes
2010-04-04 17:32 . 2010-04-05 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-03 20:52 . 2010-04-05 18:16 -------- d-----w- c:\program files\Unlocker
2010-04-03 18:41 . 2010-04-03 18:41 -------- d-----w- c:\windows\Sun
2010-04-02 20:22 . 2010-04-05 18:16 -------- d-----w- c:\program files\7-Zip
2010-04-02 20:14 . 2010-04-05 18:16 -------- d-----w- c:\users\Zsolt\AppData\Roaming\BitTorrent
2010-04-01 19:50 . 2010-04-05 18:16 -------- d-----w- c:\program files\Adobe Media Player
2010-04-01 19:50 . 2010-04-01 19:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 19:46 . 2010-04-01 19:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 17:56 . 2010-04-01 17:57 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-26 00:48 . 2010-03-26 00:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 08:54 . 2009-12-03 21:16 117760 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-19 17:36 . 2009-10-25 23:23 108744 ----a-w- c:\users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 16:31 . 2009-10-27 20:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-18 10:37 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 23:23 . 2010-02-12 16:43 -------- d-----w- c:\program files\iTunes
2010-04-06 23:23 . 2009-10-26 16:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 23:16 . 2009-10-26 16:37 -------- d-----w- c:\program files\Bonjour
2010-04-05 21:16 . 2010-02-13 09:58 -------- d-----w- c:\program files\McAfee
2010-04-05 20:48 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 20:22 . 2009-10-26 14:20 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-05 20:04 . 2009-12-03 21:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 19:33 . 2010-03-03 20:01 -------- d-----w- c:\program files\Opera
2010-04-05 18:16 . 2009-10-26 14:20 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Thunderbird
2010-04-05 18:16 . 2010-02-13 10:08 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 18:15 . 2009-10-26 16:38 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-08 20:06 . 2009-12-02 20:44 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HpUpdate
2010-03-02 18:46 . 2010-03-02 18:46 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HPAppData
2010-03-01 21:35 . 2010-03-01 19:07 23112 ----a-w- c:\windows\hpqins15.dat
2010-02-24 09:16 . 2009-10-25 22:45 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 20:10 . 2010-02-17 20:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 17:19 . 2009-12-18 09:10 52224 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 14:55 . 2010-02-17 19:29 12800 ----a-w- c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
2010-02-02 21:27 . 2010-01-19 20:31 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-02-02 21:10 . 2010-01-19 20:31 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-02-02 07:45 . 2010-02-23 18:48 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-28 19:22 . 2009-12-15 22:03 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-01-23 16:06 . 2009-12-15 22:02 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-07_22.04.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-14 17:20 . 2010-02-27 07:33 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8b5b5c1a041ebcac\mrxsmb20.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.16539_none_8aeb604eeaed4a5c\mrxsmb20.sys
+ 2009-10-27 08:59 . 2010-04-20 14:35 42122 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-20 14:35 38638 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-25 22:38 . 2010-04-20 13:38 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-12 14:43 . 2010-04-16 15:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-04-18 18:53 . 2010-04-18 18:53 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041820100419\index.dat
+ 2010-04-15 18:15 . 2010-04-15 18:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041520100416\index.dat
+ 2010-04-15 18:15 . 2010-04-15 18:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010040520100412\index.dat
+ 2009-07-14 04:41 . 2010-04-20 13:38 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-07 09:40 . 2010-04-07 09:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-04-07 09:40 . 2010-04-18 16:32 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-04-18 13:13 78976 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-21 20:09 . 2009-12-21 20:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 01:57 . 2009-12-22 01:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 20:02 . 2009-12-21 20:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 23:21 . 2009-12-21 23:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-21 23:37 . 2009-12-21 23:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 18:39 . 2009-12-21 18:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 18:27 . 2009-12-21 18:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 18:27 . 2009-12-21 18:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2009-10-25 22:49 . 2010-04-20 14:35 8422 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-261453740-1934816615-1763482817-1001_UserData.bin
+ 2010-04-20 14:34 . 2010-04-20 14:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-07 21:40 . 2010-04-07 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-07 21:40 . 2010-04-07 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-20 14:34 . 2010-04-20 14:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-14 14:01 . 2009-12-29 07:11 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.20605_none_f064afe014413504\wintrust.dll
+ 2010-04-14 14:01 . 2009-12-29 06:55 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.16493_none_ef77c14efb6e60de\wintrust.dll
+ 2010-04-14 17:20 . 2010-02-27 07:33 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.20655_none_8011d3b3cb764ad9\mrxsmb.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.16539_none_7fa1d7e8b244d889\mrxsmb.sys
+ 2010-04-14 17:20 . 2010-02-27 07:33 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8924f207c5c7893b\mrxsmb10.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.16539_none_88b4f63cac9616eb\mrxsmb10.sys
+ 2010-04-14 17:20 . 2010-03-08 21:39 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.20662_none_48cc9903a84aaeeb\vbscript.dll
+ 2010-04-14 17:20 . 2010-03-08 21:33 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16546_none_485c9d388f193c9b\vbscript.dll
+ 2010-04-14 14:01 . 2010-01-09 06:49 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.20613_none_38abfbd35bb8e7a9\cabview.dll
+ 2010-04-14 14:01 . 2010-01-09 06:52 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.16500_none_382a2e164295dfe9\cabview.dll
+ 2010-04-16 07:53 . 2010-02-11 06:53 293376 c:\windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.20641_none_62973696e76475c9\browserchoice.exe
+ 2010-04-16 07:53 . 2010-02-11 07:10 293376 c:\windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.16526_none_62283b15ce321cd0\browserchoice.exe
+ 2009-10-26 20:54 . 2010-04-20 13:14 280588 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2010-04-20 14:39 619206 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-04-07 21:45 619206 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-04-07 21:45 107388 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-04-20 14:39 107388 c:\windows\System32\perfc009.dat
+ 2009-07-14 04:33 . 2010-04-19 17:36 408848 c:\windows\System32\FNTCACHE.DAT
- 2009-07-14 04:33 . 2010-02-13 11:29 408848 c:\windows\System32\FNTCACHE.DAT
+ 2009-10-25 22:40 . 2010-04-20 14:04 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-10-25 22:40 . 2010-04-07 21:40 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-10-25 22:38 . 2010-04-20 13:20 950272 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-21 18:35 . 2009-12-21 18:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 18:34 . 2009-12-21 18:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 19:18 . 2009-11-09 19:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 20:02 . 2009-12-21 20:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-21 18:43 . 2009-12-21 18:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 01:57 . 2009-12-22 01:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 18:15 . 2009-12-21 18:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 19:32 . 2009-12-21 19:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-21 19:15 . 2009-12-21 19:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2010-04-14 17:20 . 2010-02-27 11:46 3899784 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntoskrnl.exe
+ 2010-04-14 17:20 . 2010-02-27 11:46 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntkrnlpa.exe
+ 2010-04-14 17:20 . 2010-02-27 12:07 3899280 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntoskrnl.exe
+ 2010-04-14 17:20 . 2010-02-27 12:07 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntkrnlpa.exe
+ 2009-07-14 02:03 . 2010-04-20 13:24 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2010-04-07 09:42 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2010-04-06 10:01 3837380 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2010-04-16 15:21 3837380 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-12-21 18:29 . 2009-12-21 18:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 23:31 . 2009-12-21 23:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2009-07-14 07:18 . 2010-04-16 07:53 17537597 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
+ 2009-10-25 22:45 . 2010-04-06 17:52 31971272 c:\windows\System32\MRT.exe
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\2a1fb.msp
+ 2009-12-21 23:21 . 2009-12-21 23:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-05 2010864]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-06 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Zsolt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Zsolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-14 18:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-20 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-20 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-20 66632]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2009-12-14 93320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Zsolt\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.bpbz.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-20 15:41:55
ComboFix-quarantined-files.txt 2010-04-20 14:41
ComboFix2.txt 2010-04-07 22:08

Pre-Run: 44,340,236,288 bytes free
Post-Run: 44,159,954,944 bytes free

- - End Of File - - 709352EC987EF777A69C42D772F61958
***************************************************

I also ran Malwarebyte's quick scan afterwards and found 4 backdoor.bots in registry keys (unfortunately, I didn't save the log), and strangely SuperAntispyware found 122 adware tracking cookies. (I was desperate, thinking I'd try everything again before I would do a full reinstall.)

Thank god, there's no redirection occurring at this moment in Firefox or Opera. Fingers crossed it stays this way.

In any case, big THANKS for all your help. I'll report back tomorrow, hopefully with good news.

cobo

cobo76
2010-04-21, 23:26
Hi peku,

Hopefully this is my final post, just to thank you again for all your help.

The pc works fine with no hijackings.

Thanks again,
cobo

peku006
2010-04-22, 17:36
Hi cobo

Great to hear that everything works, but we will run one online scan to be sure that there is nothing left.

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

cobo76
2010-04-23, 04:39
Hello peku,

The eset log:

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Win32/Olmarik.XG trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\d7d440d-4eb259bc Java/TrojanDownloader.Agent.NAM trojan
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys Win32/Olmarik.XG trojan
D:\Documents\Old net downloads\sdax2101.exe Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\DigitalSmart-Audio-Recorder-for-FREE-Installer.EXE Win32/Adware.WhenU.SaveNow application
D:\Peter\Levelek\mail.btinternet.com\Inbox a variant of Win32/HackTool.Patcher.A application
D:\Peter\Levelek\mail.btinternet.com\Sent a variant of Win32/HackTool.Patcher.A application


********************************************************

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:35:53, on 23/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\Windows\system32\taskhost.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 5953 bytes


*********************************************

The pc works fine, the only strange thing I would mention is that sometimes the 'hide extensions for known filetypes' gets switched on so I cannot see the extensions. I don't know what might trigger that.

Thanks,

cobo

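A small parser for log lines in this format, as an added example that is not part of the thread or of HijackThis itself. It takes five lines copied from the log above, splits each O2/O4/O20/O23 entry into its name and binary path, and attaches review notes; the heuristics are this example's own assumptions, not HijackThis rules: a Run entry with no absolute path, a binary living under a user profile, and a Winlogon Notify DLL are the places a reviewer checks first.

```python
"""Parse HijackThis O-section lines and apply a few triage heuristics.

Added example: this is not code from the thread or from HijackThis. The
sample lines are copied from the log posted above; the heuristics are
illustrative assumptions about what a reviewer looks at first, not
HijackThis's own rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: five lines taken from the posted HijackThis log.
SAMPLE_LINES = [
    r"O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]


@dataclass
class Entry:
    section: str              # O2, O4, O20, O23
    name: str                 # display name from the log line
    path: str                 # binary path as written (bare file name if no path)
    flags: List[str] = field(default_factory=list)


# One regex per section type we understand; other lines are skipped.
_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def _exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]             # unquoted: the first token is the binary


def triage(entry: "Entry") -> List[str]:
    """Heuristic review notes (assumed, illustrative) for one entry."""
    flags = []
    lower = entry.path.lower()
    if entry.section == "O4" and not re.match(r"^[a-z]:\\", lower):
        flags.append("no absolute path: the binary is resolved through the search path, confirm which file actually runs")
    if any(seg in lower for seg in ("\\users\\", "\\appdata\\", "\\programdata\\")):
        flags.append("user-writable location: confirm the file's publisher signature")
    if entry.section == "O20":
        flags.append("Winlogon Notify DLL is loaded by winlogon.exe: confirm it belongs to an installed product")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line into an Entry, or None if unrecognised."""
    section = line.split(" ", 1)[0]
    pattern = _PATTERNS.get(section)
    if pattern is None:
        return None
    m = pattern.match(line.rstrip())
    if m is None:
        return None
    groups = m.groupdict()
    path = _exe_from_command(groups["cmd"]) if section == "O4" else groups["path"].strip()
    entry = Entry(section=section, name=groups["name"], path=path)
    entry.flags = triage(entry)
    return entry


def parse_hijackthis(lines: List[str]) -> List[Entry]:
    """Parse every recognised line, preserving log order."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one review note."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_hijackthis(SAMPLE_LINES):
        print(f"{e.section:<4} {e.name:<22} {e.path}")
        for f in e.flags:
            print(f"      -> {f}")
```

None of the three notes means an entry is malicious: SoundMan and the SUPERAntiSpyware Winlogon DLL above are legitimate. The notes only order the work, so that a reviewer verifies the file behind each flagged entry (where it actually lives, who signed it) before trusting the rest of the log.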
peku006
2010-04-24, 07:00
Hi cobo

I'd like you to check a file for Viruses.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys

Copy/Paste file into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Copy and Paste results in your next reply.

Thanks peku006

cobo76
2010-04-26, 22:42
Sorry for the late response, just got back.

The result doesn't look good; however, I had no problem with the PC, nor any Google redirections recently.

Virustotal:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.26 Rootkit.Patched.TDSS!IK
AhnLab-V3 5.0.0.2 2010.04.26 -
AntiVir 8.2.1.224 2010.04.26 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.04.26 -
Authentium 5.2.0.5 2010.04.26 -
Avast 4.8.1351.0 2010.04.26 Win32:Alureon-FZ
Avast5 5.0.332.0 2010.04.26 Win32:Alureon-FZ
AVG 9.0.0.787 2010.04.26 Win32/Patched.DO
BitDefender 7.2 2010.04.26 Rootkit.Patched.TDSS.Gen
CAT-QuickHeal 10.00 2010.04.26 -
ClamAV 0.96.0.3-git 2010.04.26 -
Comodo 4684 2010.04.26 TrojWare.Win32.Rootkit.TDL3.gen
DrWeb 5.0.2.03300 2010.04.26 BackDoor.Tdss.2459
eSafe 7.0.17.0 2010.04.26 -
eTrust-Vet 35.2.7452 2010.04.26 Win32/Alureon.A!generic
F-Prot 4.5.1.85 2010.04.26 -
F-Secure 9.0.15370.0 2010.04.26 Rootkit.Patched.TDSS.Gen
Fortinet 4.0.14.0 2010.04.26 -
GData 21 2010.04.26 Rootkit.Patched.TDSS.Gen
Ikarus T3.1.1.80.0 2010.04.26 Rootkit.Patched.TDSS
Jiangmin 13.0.900 2010.04.26 Rootkit.TDSS.dgu
Kaspersky 7.0.0.125 2010.04.26 Rootkit.Win32.TDSS.ap
McAfee 5.400.0.1158 2010.04.26 -
McAfee-GW-Edition 6.8.5 2010.04.26 Trojan.Patched.Gen
Microsoft 1.5703 2010.04.26 Virus:Win32/Alureon.H
NOD32 5063 2010.04.26 Win32/Olmarik.XG
Norman 6.04.11 2010.04.26 W32/tdss.drv.gen8
nProtect 2010-04-26.01 2010.04.26 -
Panda 10.0.2.7 2010.04.26 -
PCTools 7.0.3.5 2010.04.26 -
Prevx 3.0 2010.04.26 -
Rising 22.45.00.04 2010.04.26 RootKit.Win32.TDSS.c
Sophos 4.53.0 2010.04.26 Mal/TDSSRt-A
Sunbelt 6224 2010.04.26 LooksLike.Win32.PatchedDriver!A (v)
Symantec 20091.2.0.41 2010.04.26 Backdoor.Tidserv.I!inf
TheHacker 6.5.2.0.269 2010.04.26 -
TrendMicro 9.120.0.1004 2010.04.26 Mal_TIDIES-12
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 Mal_TIDIES-12
VBA32 3.12.12.4 2010.04.26 Rootkit.Win32.TDSL.b
ViRobot 2010.4.26.2294 2010.04.26 -
VirusBuster 5.0.27.0 2010.04.26 Rootkit.TDSS.Gen.3

Additional information
File size: 187904 bytes
MD5...: 0d9e7588f1089734832aceffbfaaf884
SHA1..: 0f570d22545e4d9de5eaf618026f31bf3800f0e4
SHA256: 9232b0022e12646ce57457794a08aaae65a22bb2e712eb106ff952abbdd81d4d
ssdeep: 3072:d7elIe/0mrp1wWvLOMWoyCeJ4//E+7mslheiHsI/U+owztYcegkZq9lz7VOfy+1p:K9cappLOMWoydJ4nE+a6hgiU+dOgaq9O
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2e014
timedatestamp.....: 0x4a5bbf52 (Mon Jul 13 23:12:18 2009)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e656 0x1e800 6.49 ba5084120dd07f16c1ba33eb035625ce
.rdata 0x20000 0x854 0xa00 4.56 26497c5bfb7fa93991620b7464f15ef4
.data 0x21000 0xfb0 0x400 2.16 94e6609e081ef253f983d213d297e2d8
PAGE 0x22000 0x8fcb 0x9000 6.42 b887dc652c56e0d83a39faee8e8f9012
PAGENBT 0x2b000 0x7a1 0x800 6.33 b850b7c5ce70ad8043ee3fb426e041f7
INIT 0x2c000 0x1c6c 0x1e00 6.00 e96d0319094a90d19b48b3084ee49842
.rsrc 0x2e000 0x5c8 0x600 6.19 1b280edfc6646b683dfcc8745510b414
.reloc 0x2f000 0x2618 0x2800 6.70 062b35fc021a4250b95a1e20e06d11cd

( 5 imports )
> ntoskrnl.exe: RtlFreeOemString, RtlUpcaseUnicodeStringToOemString, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, RtlOemStringToUnicodeString, RtlInitString, MmMapLockedPagesSpecifyCache, RtlAppendStringToString, RtlInitAnsiString, strchr, ExDeleteNPagedLookasideList, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, KeCancelTimer, ZwClose, ZwCancelTimer, ZwSetTimer, ZwCreateTimer, _aulldiv, _allmul, IofCallDriver, IoBuildDeviceIoControlRequest, ObfReferenceObject, IoGetDeviceObjectPointer, RtlInitUnicodeString, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, KeSetTimer, KeInitializeDpc, KeInitializeTimer, IoWMIWriteEvent, MmGetSystemRoutineAddress, IoWMIRegistrationControl, IoDeleteDevice, KeDelayExecutionThread, KeClearEvent, ExDeleteResourceLite, IoGetRelatedDeviceObject, RtlCopyUnicodeString, memchr, ZwReadFile, ZwQueryInformationFile, KeEnterCriticalRegion, ZwCreateFile, ObReferenceObjectByHandle, IofCompleteRequest, ZwDeviceIoControlFile, ZwCreateEvent, ZwCreateKey, ExfInterlockedPushEntryList, ExQueueWorkItem, IoFreeWorkItem, IoCancelIrp, IoFileObjectType, IoRemoveShareAccess, SeAssignSecurity, IoSetShareAccess, IoCheckShareAccess, SeAccessCheck, MmUserProbeAddress, IoQueueWorkItem, IoAllocateWorkItem, KeInsertQueueDpc, RtlCompareUnicodeString, _vsnprintf, RtlExtendedMagicDivide, ZwWaitForSingleObject, MmBuildMdlForNonPagedPool, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlGUIDFromString, RtlIpv4AddressToStringW, RtlAppendUnicodeToString, ZwOpenKey, ZwQueryValueKey, memmove, IoBuildPartialMdl, MmUnmapLockedPages, MmLockPagableDataSection, KeTickCount, KeBugCheckEx, RtlUnwind, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, KeLeaveCriticalRegion, strncmp, memset, memcpy, IoFreeIrp, IoAllocateIrp, RtlIpv4StringToAddressA, SeDeassignSecurity, _alldiv, RtlGetCallersAddress, RtlExtendedLargeIntegerDivide, KeInitializeSemaphore, IoAllocateMdl, ExfInterlockedInsertHeadList, PsGetCurrentProcess, KeAttachProcess, KeDetachProcess, ExfInterlockedInsertTailList, ObfDereferenceObject, IoFreeMdl, KeWaitForSingleObject, KeResetEvent, KeSetEvent, _stricmp, KeGetCurrentThread, ExSystemTimeToLocalTime, KeInitializeEvent, strrchr, ExInitializeResourceLite, RtlGetVersion, RtlCompareMemory, KeQuerySystemTime, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, IoAcquireCancelSpinLock, NtWaitForSingleObject, IoReleaseCancelSpinLock, ExAllocatePoolWithTag, RtlFreeUnicodeString, ExFreePoolWithTag, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwSetValueKey
> HAL.dll: KfAcquireSpinLock, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, KfReleaseSpinLock
> TDI.SYS: TdiEnumerateAddresses, TdiPnPPowerComplete, TdiDeregisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiRegisterNetAddress, TdiProviderReady, TdiInitialize, TdiRegisterProvider, TdiRegisterPnPHandlers, TdiMapUserRequest, TdiDeregisterPnPHandlers, TdiDeregisterProvider, TdiDefaultRcvExpeditedHandler, TdiDefaultConnectHandler, TdiDefaultDisconnectHandler, TdiDefaultErrorHandler, TdiDefaultReceiveHandler, TdiDefaultSendPossibleHandler, TdiCopyMdlToBuffer, TdiCopyBufferToMdl, TdiDefaultRcvDatagramHandler, TdiBuildNetbiosAddress, TdiPnPPowerRequest
> NETIO.SYS: NsiRegisterChangeNotification, NsiGetParameter, NsiAllocateAndGetTable, NsiFreeTable, NsiSetAllParameters, NsiGetAllParameters, NsiDeregisterChangeNotification
> NDIS.SYS: NdisGetThreadObjectCompartmentId, NdisSetThreadObjectCompartmentId

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Thanks,
cobo

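To turn a vendor table like the one above into something a reviewer can act on, here is an added example (not code from the thread or from VirusTotal) that parses a subset of the posted rows, computes the detection ratio, and groups vendor-specific names under one family label. The alias table that maps TDSS, TDL, Tidserv, Alureon and Olmarik to a single family is this example's assumption. It also counts how many names say "Patched", which is what the result above indicates: a legitimate Windows driver that has been modified in place rather than a dropped file, which is why the sigcheck block reports it as unsigned.

```python
"""Summarise a VirusTotal vendor table like the one pasted above.

Added example: not code from the thread or from VirusTotal. The sample
rows are a subset of the posted result; the family alias table is an
assumption used to group vendor-specific names under one label.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: twelve rows copied from the posted table (header included).
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.26 Rootkit.Patched.TDSS!IK
AhnLab-V3 5.0.0.2 2010.04.26 -
AntiVir 8.2.1.224 2010.04.26 TR/Patched.Gen
Avast 4.8.1351.0 2010.04.26 Win32:Alureon-FZ
BitDefender 7.2 2010.04.26 Rootkit.Patched.TDSS.Gen
Comodo 4684 2010.04.26 TrojWare.Win32.Rootkit.TDL3.gen
McAfee 5.400.0.1158 2010.04.26 -
Microsoft 1.5703 2010.04.26 Virus:Win32/Alureon.H
NOD32 5063 2010.04.26 Win32/Olmarik.XG
Sunbelt 6224 2010.04.26 LooksLike.Win32.PatchedDriver!A (v)
Symantec 20091.2.0.41 2010.04.26 Backdoor.Tidserv.I!inf
TheHacker 6.5.2.0.269 2010.04.26 -
"""

# Assumed alias table: vendors name the same rootkit family differently,
# so known substrings are mapped to one label before counting.
FAMILY_ALIASES: Dict[str, tuple] = {
    "TDSS/Alureon": ("tdss", "tdl", "tidserv", "alureon", "olmarik"),
}

# vendor, engine version, signature date (YYYY.MM.DD), then the result text.
_ROW = re.compile(r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$")


@dataclass
class Row:
    vendor: str
    version: str
    date: str
    result: str          # "-" when the vendor reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


def parse_virustotal(text: str) -> List[Row]:
    """Parse each data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Row(**m.groupdict()))
    return rows


def family_of(result: str) -> str:
    """Map a vendor result string to a family label, or 'generic/other'."""
    r = result.lower()
    for label, needles in FAMILY_ALIASES.items():
        if any(n in r for n in needles):
            return label
    return "generic/other"


def summarize(rows: List[Row]) -> dict:
    """Detection ratio, family consensus, and how many names say 'patched'."""
    hits = [r for r in rows if r.detected]
    families = Counter(family_of(r.result) for r in hits)
    patched = sum(1 for r in hits if "patched" in r.result.lower())
    return {
        "total": len(rows),
        "detected": len(hits),
        "ratio": len(hits) / len(rows) if rows else 0.0,
        "families": families,
        "patched": patched,
    }


if __name__ == "__main__":
    s = summarize(parse_virustotal(SAMPLE_TABLE))
    print(f"{s['detected']}/{s['total']} engines flagged the file")
    for label, n in s["families"].most_common():
        print(f"  {n:2d} x {label}")
    print(f"{s['patched']} result names describe a patched (modified) system file")
```

The family consensus matters more than the raw count: nine engines agreeing that this is one rootkit family, with several of them calling it a patched driver, is what justifies replacing the file rather than just deleting it, since the original driver is still needed by the system.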
peku006
2010-04-27, 07:57
Hi cobo

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Files
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys



Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Thanks peku006

cobo76
2010-04-27, 12:24
Hi peku,

It didn't ask for reboot, here's the log:

========== FILES ==========
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys moved successfully.

OTM by OldTimer - Version 3.1.11.0 log created on 04272010_112259


Thanks,
cobo

peku006
2010-04-27, 15:11
Hi cobo

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 <== empty this folder

After that.............

Your log now appears to be clean. Congratulations!

To remove all of the tools we used and the files and folders they created do the following:

Delete GooredFix, gmer, SystemLook, CKScanner, TDSSKiller and RootRepeal from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).

SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).

Hosts File
For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding Hosts files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).

Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)

Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

peku006

cobo76
2010-04-27, 23:07
Hello peku006,

Yes, I understood everything and cleared the above mentioned folder.

Thank you so much for your help again, it was absolutely priceless, especially that you always responded so quickly to all my posts.

Great job, thanks
cobo

peku006
2010-04-28, 07:19
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)