
Please Help Remove click.giftload



krontype
2011-04-18, 21:09
Greetings,
I have a click.giftload infection that returns when I restart my computer. I may also have the remnants of hiloti.gen.d and virtumonde.prx infections, both of which I was able to remove with the use of my computer's antivirus/spyware programs.
Because of this infection my computer is now having a lot of problems. Random popups will just open in my browser, the svchost.exe process is using a lot of the CPU's resources, and half of the time when I turn it on, the computer will boot up and load to the point where it shows my desktop wallpaper and then freeze, preventing the taskbar and my startup programs from appearing.
Similarly, when turning off the computer, half of the time a similar thing will happen. When it begins the shutdown process all the programs will close and it will stop at the desktop wallpaper, requiring me to hold the power button to shut it down. Finally, my computer will show a blue screen, specifically a stop error, if I turn it on with either the secondary internal hard drive installed or an external USB drive installed. So now it will only operate with the main hard drive installed, and in order to use a USB drive it can be connected only after Windows has loaded.
Your help in getting my computer back to performing normally would be greatly appreciated.



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by pd30 at 11:54:57.21 on Mon 04/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1527 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Everything\Everything.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Ditto\Ditto.exe
C:\Program Files\3RVX\3RVX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnVir Task Manager\AnVir.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\NirSoft\Volumouse\volumouse.exe
C:\Program Files\XYplorer\XYplorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\program files\amp winoff\winoff.exe
C:\Program Files\WinSplit Revolution\WinSplit.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\FindAndRunRobot\FindAndRunRobot.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Stardock\ObjectDockFree\ObjectDock.exe
C:\Program Files\WinSplit Revolution\WinSplitDrvr32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\pd30\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uWindow Title = Service Pack 3 Internet Explorer
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Ditto] c:\program files\ditto\Ditto.exe
uRun: [3RVX] c:\program files\3rvx\3RVX.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [$Volumouse$] "c:\program files\nirsoft\volumouse\volumouse.exe" /nodlg
uRun: [XYplorer] "c:\program files\xyplorer\XYplorer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
uRun: [Winsplit] c:\program files\winsplit revolution\WinSplit.exe
uRun: [DriverMax]
uRun: [DriverMax_RESTART]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\findan~1.lnk - c:\program files\findandrunrobot\FindAndRunRobot.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdockfree\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
STS: ObjectDockShlExt Class: {1984d045-52cf-49cd-db77-08f378fea4db} - c:\program files\stardock\objectdockfree\ODMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\pd30\applic~1\mozilla\firefox\profiles\blegkae2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Print Edit: printedit@DW-dev - %profile%\extensions\printedit@DW-dev
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add Bookmark Here ²: abhere2@moztw.org - %profile%\extensions\abhere2@moztw.org
FF - Ext: AlertCheck: alertcheck@mike.conley - %profile%\extensions\alertcheck@mike.conley
FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Ext: Auto Replay for YouTube: {da684c80-6ad7-4a95-80ec-959e8ab082fd} - %profile%\extensions\{da684c80-6ad7-4a95-80ec-959e8ab082fd}
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
FF - Ext: CopyAllUrls: {960BE052-4847-422b-9AD6-8631D3D0A607} - %profile%\extensions\{960BE052-4847-422b-9AD6-8631D3D0A607}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Googlepedia: {1ABADB6E-DC4B-11DA-9F70-791A9CD9513E} - %profile%\extensions\{1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: CLEO: CLEO@guid.customsoftwareconsult.com - %profile%\extensions\CLEO@guid.customsoftwareconsult.com
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Open With: openwith@darktrojan.net - %profile%\extensions\openwith@darktrojan.net
FF - Ext: Panic Button: {24cea704-946d-11da-a72b-0800200c9a66} - %profile%\extensions\{24cea704-946d-11da-a72b-0800200c9a66}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Open Tab Count: tabcount@3greeneggs.com - %profile%\extensions\tabcount@3greeneggs.com
FF - Ext: NumExt: numext@alouche.net - %profile%\extensions\numext@alouche.net
FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Show File Size: {1aE2D8ED-8CDc-5811-8eA1-89F53739A750} - %profile%\extensions\{1aE2D8ED-8CDc-5811-8eA1-89F53739A750}
FF - Ext: Snap Links Plus: snaplinks@snaplinks.mozdev.org - %profile%\extensions\snaplinks@snaplinks.mozdev.org
FF - Ext: Tab Catalog: {049952B3-A745-43bd-8D26-D1349B1ED944} - %profile%\extensions\{049952B3-A745-43bd-8D26-D1349B1ED944}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: YouTube Auto Replay: YouTubeAutoReplay@arikv.com - %profile%\extensions\YouTubeAutoReplay@arikv.com
FF - Ext: TidyRead: tidyread@gmail.com - %profile%\extensions\tidyread@gmail.com
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: µTorrent: {dfdd369d-7bf4-432b-8ad6-e2e7b777116a} - %profile%\extensions\{dfdd369d-7bf4-432b-8ad6-e2e7b777116a}
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: DownThemAll! AntiContainer: anticontainer@downthemall.net - %profile%\extensions\anticontainer@downthemall.net
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: XULRunner: {36EA0E67-1ECB-4ECC-9C04-CC1B5261C221} - c:\documents and settings\pd30\local settings\application data\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 11:59:21.04 ===============

-----------------------------------------------------------------------
--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

MediaPlex: Tracking cookie (Internet Explorer: pd30) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

shelf life
2011-04-21, 00:42
Hi,

We will get a download to use to start with. It's called Malwarebytes, see below. After you use it, post its log along with another DDS log.

Do you know what this .exe is:
C:\Program Files\3RVX\3RVX.exe

Is it something you installed? If Malwarebytes removes it then don't worry about it. If Malwarebytes doesn't remove it and you don't know what it is then you can do this:

Go here (http://www.bleepingcomputer.com/submit-malware.php?channel=67) and browse for the .exe inside the folder and upload it using the Send file button.
I will check it out.

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

So post the Malwarebytes log and a new DDS log also, just the part you paste in, not the zip file.

krontype
2011-04-21, 19:28
Hi shelf life,
Thanks for responding to my post. 3RVX is a volume control program.
As you instructed I have run malwarebytes and dds and have attached the logs below.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6412

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/21/2011 10:29:53 AM
mbam-log-2011-04-21 (10-29-53).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 244983
Time elapsed: 1 hour(s), 42 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by pd30 at 12:15:25.98 on Thu 04/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Everything\Everything.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Ditto\Ditto.exe
C:\Program Files\3RVX\3RVX.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\NirSoft\Volumouse\volumouse.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinSplit Revolution\WinSplit.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\FindAndRunRobot\FindAndRunRobot.exe
C:\Program Files\Stardock\ObjectDockFree\ObjectDock.exe
C:\Program Files\WinSplit Revolution\WinSplitDrvr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\pd30\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uWindow Title = Service Pack 3 Internet Explorer
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Ditto] c:\program files\ditto\Ditto.exe
uRun: [3RVX] c:\program files\3rvx\3RVX.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [$Volumouse$] "c:\program files\nirsoft\volumouse\volumouse.exe" /nodlg
uRun: [XYplorer] "c:\program files\xyplorer\XYplorer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
uRun: [Winsplit] c:\program files\winsplit revolution\WinSplit.exe
uRun: [DriverMax]
uRun: [DriverMax_RESTART]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\findan~1.lnk - c:\program files\findandrunrobot\FindAndRunRobot.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdockfree\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
STS: ObjectDockShlExt Class: {1984d045-52cf-49cd-db77-08f378fea4db} - c:\program files\stardock\objectdockfree\ODMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\pd30\applic~1\mozilla\firefox\profiles\blegkae2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Print Edit: printedit@DW-dev - %profile%\extensions\printedit@DW-dev
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add Bookmark Here ²: abhere2@moztw.org - %profile%\extensions\abhere2@moztw.org
FF - Ext: AlertCheck: alertcheck@mike.conley - %profile%\extensions\alertcheck@mike.conley
FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Ext: Auto Replay for YouTube: {da684c80-6ad7-4a95-80ec-959e8ab082fd} - %profile%\extensions\{da684c80-6ad7-4a95-80ec-959e8ab082fd}
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
FF - Ext: CopyAllUrls: {960BE052-4847-422b-9AD6-8631D3D0A607} - %profile%\extensions\{960BE052-4847-422b-9AD6-8631D3D0A607}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Googlepedia: {1ABADB6E-DC4B-11DA-9F70-791A9CD9513E} - %profile%\extensions\{1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: CLEO: CLEO@guid.customsoftwareconsult.com - %profile%\extensions\CLEO@guid.customsoftwareconsult.com
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Open With: openwith@darktrojan.net - %profile%\extensions\openwith@darktrojan.net
FF - Ext: Panic Button: {24cea704-946d-11da-a72b-0800200c9a66} - %profile%\extensions\{24cea704-946d-11da-a72b-0800200c9a66}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Open Tab Count: tabcount@3greeneggs.com - %profile%\extensions\tabcount@3greeneggs.com
FF - Ext: NumExt: numext@alouche.net - %profile%\extensions\numext@alouche.net
FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Show File Size: {1aE2D8ED-8CDc-5811-8eA1-89F53739A750} - %profile%\extensions\{1aE2D8ED-8CDc-5811-8eA1-89F53739A750}
FF - Ext: Snap Links Plus: snaplinks@snaplinks.mozdev.org - %profile%\extensions\snaplinks@snaplinks.mozdev.org
FF - Ext: Tab Catalog: {049952B3-A745-43bd-8D26-D1349B1ED944} - %profile%\extensions\{049952B3-A745-43bd-8D26-D1349B1ED944}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: YouTube Auto Replay: YouTubeAutoReplay@arikv.com - %profile%\extensions\YouTubeAutoReplay@arikv.com
FF - Ext: TidyRead: tidyread@gmail.com - %profile%\extensions\tidyread@gmail.com
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: µTorrent: {dfdd369d-7bf4-432b-8ad6-e2e7b777116a} - %profile%\extensions\{dfdd369d-7bf4-432b-8ad6-e2e7b777116a}
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: DownThemAll! AntiContainer: anticontainer@downthemall.net - %profile%\extensions\anticontainer@downthemall.net
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: XULRunner: {36EA0E67-1ECB-4ECC-9C04-CC1B5261C221} - c:\documents and settings\pd30\local settings\application data\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y120L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-c
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-c -> \??\IDE#DiskMaxtor_6Y120L0__________________________YAR41BW0#335946334c464559202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9C127F
IoDeviceObjectType -> ParseProcedure -> 0xad46e160
\Device\Harddisk0\DR0 -> ParseProcedure -> 0xad46e160
user & kernel MBR OK
.
============= FINISH: 12:22:40.18 ===============
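
The Spybot hit in the first post, the Winlogon, BHO and AppInit_DLLs lines in the two DDS logs, and the Gmer mbr.exe output just above each carry an indicator that can be checked mechanically. The following is an added example for this thread (not a tool anyone in the thread ran, and not from DDS, Spybot, Gmer or ComboFix) that runs a handful of triage rules over lines in those formats. The points it encodes: a FEATURE_BROWSER_EMULATION value named after svchost.exe (what Spybot labels Click.GiftLoad) means code hosted in a Windows service process is driving the IE rendering engine, which a stock svchost.exe never does, and it sits under HKEY_USERS\.DEFAULT, the hive a LocalSystem process sees as HKEY_CURRENT_USER; SfcDisable=0xffffff9d is the Winlogon value that switches Windows File Protection off on XP; a DriverStartIo hook on \Driver\atapi is the TDL3/TDL4 disk-filtering hook, and once it is present the "user & kernel MBR OK" verdict from the same run is not evidence, because both reads went through the hooked driver (the ComboFix run later in this thread reports a TDL4 bootkit on PhysicalDrive0). The rule names, severities, the SYSTEM_HOSTS list and the sample log (lines copied from the logs above plus two constructed clean lines for contrast) are assumptions made for this example; guard32.dll is COMODO's AppInit DLL, consistent with the COMODO processes in the list, so AppInit entries are flagged for review only.

```python
"""Triage rules for indicator lines of the kind DDS, Spybot and Gmer's mbr.exe
print.  Added example for this thread, not a tool from it or from those projects."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule evidence")

# Windows system/host binaries that never legitimately embed the WebBrowser
# control; a FEATURE_BROWSER_EMULATION value named after one means foreign
# code inside that process is driving IE's engine.  (Assumed list.)
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe", "services.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}

# Winlogon\SfcDisable value that turns Windows File Protection off on XP;
# DDS prints it as "SfcDisable=-99 (0xffffff9d)".
WFP_DISABLED = 0xFFFFFF9D

RULES = []  # per-line rules, registered in definition order

def rule(fn):
    RULES.append(fn)
    return fn

@rule
def browser_emulation_for_system_host(line):
    # Spybot's Click.GiftLoad line: registry path ending in \<process name>
    m = re.search(r"FEATURE_BROWSER_EMULATION\\([^\\\s]+)$", line, re.I)
    if m and m.group(1).lower() in SYSTEM_HOSTS:
        return Finding("high", "feature-control-system-host", line)

@rule
def wfp_disabled(line):
    m = re.search(r"SfcDisable=-?\d+ \((0x[0-9a-f]+)\)", line, re.I)
    if m and int(m.group(1), 16) == WFP_DISABLED:
        return Finding("medium", "wfp-disabled", line)

@rule
def orphaned_browser_object(line):
    # BHO/toolbar CLSID still registered but its DLL is gone: usually a
    # removal leftover, low on its own.
    if re.match(r"(BHO|TB): .*- No File$", line):
        return Finding("low", "orphaned-clsid", line)

@rule
def appinit_dll(line):
    # Loaded into every GUI process; security suites use it too (guard32.dll
    # is COMODO's), so this is a review item rather than a verdict.
    if re.match(r"AppInit_DLLs: \S", line):
        return Finding("review", "appinit-dll", line)

@rule
def disk_driver_hook(line):
    # mbr.exe "detected hooks" entry; a hooked DriverStartIo on the disk
    # port driver is the TDL3/TDL4 technique for filtering sector reads.
    if re.match(r"\\Driver\\\w+ DriverStartIo -> 0x[0-9A-F]+$", line, re.I):
        return Finding("high", "driverstartio-hook", line)

def triage(text):
    """Run every rule over every non-empty line, then one cross-line rule:
    an in-OS 'MBR OK' verdict is not evidence once the disk driver is
    hooked, because both the user and kernel reads went through the hook."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = [f for line in lines for f in (r(line) for r in RULES) if f]
    if any(f.rule == "driverstartio-hook" for f in findings):
        for line in lines:
            if re.search(r"MBR OK$", line):
                findings.append(Finding("high", "mbr-ok-untrusted", line))
    return findings

def summarize(findings):
    """Counts per rule, worst severity first."""
    order = {"high": 0, "medium": 1, "review": 2, "low": 3}
    counts = {}
    for f in sorted(findings, key=lambda f: order[f.severity]):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

# Constructed sample: lines copied from the logs in this thread plus two
# clean lines (a legitimate BHO and a non-system FEATURE_BROWSER_EMULATION
# entry) that the rules must leave alone.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
AppInit_DLLs: c:\windows\system32\guard32.dll
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\myapp.exe
\Driver\atapi DriverStartIo -> 0x8A9C127F
user & kernel MBR OK
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:28} {f.evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports the svchost.exe feature-control entry, the atapi hook and the now-untrusted "MBR OK" line as high, the disabled WFP as medium, guard32.dll for review and the two dead CLSIDs as low, while the Windows Live BHO and the myapp.exe feature-control entry produce nothing. The cross-line rule is the part worth keeping in mind when reading rootkit scanner output on a live system: any verdict produced by reading the disk through a hooked driver needs confirming from outside the running OS.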

shelf life
2011-04-22, 00:54
OK, thanks for the info. Are you getting any web page redirection or ending up at strange websites? There are signs of malware (http://www.malwarevault.com/signs.html) here. Malwarebytes can't look any better.


Click.GiftLoad, as Spybot calls it, is usually associated with other malware; that's why I ask.

krontype
2011-04-22, 20:47
Hi shelf life,
Yes, I have a problem with web redirection. After clicking on a link from a Google search I am taken to another website which has a web address that is different from the link that I clicked on.

shelf life
2011-04-22, 22:01
OK. We will continue with ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the log in your reply:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

krontype
2011-04-23, 21:26
Hi shelf life,
I ran combofix. The log is below.
-----------------------------------------------------------------------------

ComboFix 11-04-22.03 - pd30 04/23/2011 14:12:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1660 [GMT -4:00]
Running from: c:\documents and settings\pd30\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\desktop.ini
c:\documents and settings\pd30\Application Data\Local
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\3.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\4.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\5.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\6.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\7.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\about
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\fringe.s03e11.hdtv.xvid-2hd_ns.avi(2).ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\fringe.s03e11.hdtv.xvid-2hd_ns.avi.ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Inception_Trailer_592.divx.ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\rfnpfeifdojx.avi.ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\about
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\fringe.s03e11.hdtv.xvid-2hd_ns(2).avi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\fringe.s03e11.hdtv.xvid-2hd_ns.avi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Inception_Trailer_592.divx
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\rfnpfeifdojx.avi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\The.Cape.2011.S01E04.HDTV.XviD-LOL_ns.avi(2).ddp
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\The.Cape.2011.S01E04.HDTV.XviD-LOL_ns.avi.ddp
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\zpqobnfmbbsm.avi
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\The.Cape.2011.S01E04.HDTV.XviD-LOL_ns.avi(2).ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\The.Cape.2011.S01E04.HDTV.XviD-LOL_ns.avi.ddr
c:\documents and settings\pd30\Application Data\Local\Temp\DDM\Settings\zpqobnfmbbsm.avi.ddr
D:\install.exe
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-18 15:51 . 2011-04-18 15:51 -------- d-----w- c:\program files\ERUNT
2011-04-09 13:02 . 2011-04-09 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-09 13:02 . 2011-04-09 13:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-07 21:21 . 2011-04-07 21:21 -------- d-----w- c:\program files\Common Files\Java
2011-04-07 21:20 . 2011-04-07 21:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-03 14:03 . 2011-04-03 14:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-02 23:10 . 2011-04-02 23:10 -------- d-----w- c:\documents and settings\pd30\Local Settings\Application Data\Innovative Solutions
2011-04-02 23:10 . 2011-04-02 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2011-04-02 23:10 . 2011-04-02 23:10 -------- d-----w- c:\program files\Innovative Solutions
2011-04-02 22:58 . 2011-04-02 22:58 -------- d-----w- c:\windows\system32\NtmsData
2011-04-02 18:04 . 2011-04-02 18:04 -------- d-----w- c:\documents and settings\pd30\Application Data\Malwarebytes
2011-04-02 18:04 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-02 18:04 . 2011-04-02 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-02 18:03 . 2011-04-02 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-02 18:03 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:26 . 2011-03-30 13:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-29 19:22 . 2011-03-29 19:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-29 19:14 . 2011-04-09 11:59 0 ----a-w- c:\windows\Hzeyeco.bin
2011-03-29 19:14 . 2011-03-29 19:14 -------- d-----w- c:\documents and settings\pd30\Local Settings\Application Data\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
2011-03-26 18:26 . 2011-03-26 18:26 -------- d-----w- c:\program files\100dof_kidkeylock
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-07 21:20 . 2010-12-31 19:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 19:35 . 2010-12-31 20:31 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-01-12 405736]
"Ditto"="c:\program files\Ditto\Ditto.exe" [2009-08-16 716800]
"3RVX"="c:\program files\3RVX\3RVX.exe" [2008-10-14 159232]
"AnVir Task Manager"="c:\program files\AnVir Task Manager\AnVir.exe" [2009-11-08 3198688]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2011-02-04 2346496]
"$Volumouse$"="c:\program files\NirSoft\Volumouse\volumouse.exe" [2009-08-05 33280]
"XYplorer"="c:\program files\XYplorer\XYplorer.exe" [2011-04-06 4427776]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-22 2423752]
"AMP WinOFF"="c:\program files\amp winoff\winoff.exe" [2008-11-01 989184]
"Winsplit"="c:\program files\WinSplit Revolution\WinSplit.exe" [2011-03-14 4220928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2006-01-13 61952]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-19 2548552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NetWorx"="c:\program files\NetWorx\networx.exe" [2011-01-28 3049472]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]
.
c:\documents and settings\pd30\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2007-2-12 1111552]
Find And Run Robot.lnk - c:\program files\FindAndRunRobot\FindAndRunRobot.exe [2010-12-27 4404736]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-6 3768176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2010-12-27 1101824]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockFree\ODMenu.dll" [2010-10-04 511344]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-12-14 12:13 7095344 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Daum\\PotPlayer\\PotPlayerMini.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [1/12/2006 9:26 PM 26112]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 12:55 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 8:00 PM 27576]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [12/31/2010 4:31 PM 38976]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/26/2010 10:49 PM 108289]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 SMCSMCWirelessUSB(SMC2662W)(R);SMC SMCWirelessUSB(SMC2662W)(R) Service for SMC EZ Connect Wireless USB Adapter(SMC2662W);c:\windows\system32\drivers\Nets6251.sys [1/17/2003 12:58 PM 93312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2077806209-725345543-1003Core.job
- c:\documents and settings\pd30\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-09 03:14]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2077806209-725345543-1003UA.job
- c:\documents and settings\pd30\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-09 03:14]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\pd30\Application Data\Mozilla\Firefox\Profiles\blegkae2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Print Edit: printedit@DW-dev - %profile%\extensions\printedit@DW-dev
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add Bookmark Here ˛: abhere2@moztw.org - %profile%\extensions\abhere2@moztw.org
FF - Ext: AlertCheck: alertcheck@mike.conley - %profile%\extensions\alertcheck@mike.conley
FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Ext: Auto Replay for YouTube: {da684c80-6ad7-4a95-80ec-959e8ab082fd} - %profile%\extensions\{da684c80-6ad7-4a95-80ec-959e8ab082fd}
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
FF - Ext: CopyAllUrls: {960BE052-4847-422b-9AD6-8631D3D0A607} - %profile%\extensions\{960BE052-4847-422b-9AD6-8631D3D0A607}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Googlepedia: {1ABADB6E-DC4B-11DA-9F70-791A9CD9513E} - %profile%\extensions\{1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: CLEO: CLEO@guid.customsoftwareconsult.com - %profile%\extensions\CLEO@guid.customsoftwareconsult.com
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Open With: openwith@darktrojan.net - %profile%\extensions\openwith@darktrojan.net
FF - Ext: Panic Button: {24cea704-946d-11da-a72b-0800200c9a66} - %profile%\extensions\{24cea704-946d-11da-a72b-0800200c9a66}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Open Tab Count: tabcount@3greeneggs.com - %profile%\extensions\tabcount@3greeneggs.com
FF - Ext: NumExt: numext@alouche.net - %profile%\extensions\numext@alouche.net
FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Show File Size: {1aE2D8ED-8CDc-5811-8eA1-89F53739A750} - %profile%\extensions\{1aE2D8ED-8CDc-5811-8eA1-89F53739A750}
FF - Ext: Snap Links Plus: snaplinks@snaplinks.mozdev.org - %profile%\extensions\snaplinks@snaplinks.mozdev.org
FF - Ext: Tab Catalog: {049952B3-A745-43bd-8D26-D1349B1ED944} - %profile%\extensions\{049952B3-A745-43bd-8D26-D1349B1ED944}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: YouTube Auto Replay: YouTubeAutoReplay@arikv.com - %profile%\extensions\YouTubeAutoReplay@arikv.com
FF - Ext: TidyRead: tidyread@gmail.com - %profile%\extensions\tidyread@gmail.com
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: µTorrent: {dfdd369d-7bf4-432b-8ad6-e2e7b777116a} - %profile%\extensions\{dfdd369d-7bf4-432b-8ad6-e2e7b777116a}
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: DownThemAll! AntiContainer: anticontainer@downthemall.net - %profile%\extensions\anticontainer@downthemall.net
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: XULRunner: {36EA0E67-1ECB-4ECC-9C04-CC1B5261C221} - c:\documents and settings\pd30\Local Settings\Application Data\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DriverMax - (no file)
HKCU-Run-DriverMax_RESTART - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 14:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\guard32.dll
.
Completion time: 2011-04-23 14:25:53
ComboFix-quarantined-files.txt 2011-04-23 18:25
.
Pre-Run: 22,574,682,112 bytes free
Post-Run: 24,305,143,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 98E2F747EE6A5890D943F4CA78D31CDF

shelf life
2011-04-23, 23:07
hi,

Thanks for the info. ComboFix removed a rootkit. Some info:

You had a rootkit on your machine. Rootkits hide malicious files and components from traditional antivirus/antimalware software. They bury themselves deep in the operating system, and special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.

The best source for information on how to do this would be the computer manufacturer's website.

Rescan with DDS again and post a new log from it please.

krontype
2011-04-24, 00:41
Hi shelf life,
Wow. I'm not sure how I got infected. I am very safe when it comes to my internet activities.
My computer was purchased last December as a used custom-built one. I don't have any of the original disks, but I will reformat the hard drive and reinstall Windows as soon as I purchase my new computer.

The new DDS log is below.

--------------------------------------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by pd30 at 17:13:45.00 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1504 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Stardock\ObjectDockFree\ObjectDock.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Everything\Everything.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\pd30\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Ditto] c:\program files\ditto\Ditto.exe
uRun: [3RVX] c:\program files\3rvx\3RVX.exe
uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [$Volumouse$] "c:\program files\nirsoft\volumouse\volumouse.exe" /nodlg
uRun: [XYplorer] "c:\program files\xyplorer\XYplorer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
uRun: [Winsplit] c:\program files\winsplit revolution\WinSplit.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\findan~1.lnk - c:\program files\findandrunrobot\FindAndRunRobot.exe
StartupFolder: c:\docume~1\pd30\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdockfree\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
STS: ObjectDockShlExt Class: {1984d045-52cf-49cd-db77-08f378fea4db} - c:\program files\stardock\objectdockfree\ODMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\pd30\applic~1\mozilla\firefox\profiles\blegkae2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\pd30\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Print Edit: printedit@DW-dev - %profile%\extensions\printedit@DW-dev
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add Bookmark Here ˛: abhere2@moztw.org - %profile%\extensions\abhere2@moztw.org
FF - Ext: AlertCheck: alertcheck@mike.conley - %profile%\extensions\alertcheck@mike.conley
FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Ext: Auto Replay for YouTube: {da684c80-6ad7-4a95-80ec-959e8ab082fd} - %profile%\extensions\{da684c80-6ad7-4a95-80ec-959e8ab082fd}
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
FF - Ext: CopyAllUrls: {960BE052-4847-422b-9AD6-8631D3D0A607} - %profile%\extensions\{960BE052-4847-422b-9AD6-8631D3D0A607}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Googlepedia: {1ABADB6E-DC4B-11DA-9F70-791A9CD9513E} - %profile%\extensions\{1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: CLEO: CLEO@guid.customsoftwareconsult.com - %profile%\extensions\CLEO@guid.customsoftwareconsult.com
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Open With: openwith@darktrojan.net - %profile%\extensions\openwith@darktrojan.net
FF - Ext: Panic Button: {24cea704-946d-11da-a72b-0800200c9a66} - %profile%\extensions\{24cea704-946d-11da-a72b-0800200c9a66}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Open Tab Count: tabcount@3greeneggs.com - %profile%\extensions\tabcount@3greeneggs.com
FF - Ext: NumExt: numext@alouche.net - %profile%\extensions\numext@alouche.net
FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Show File Size: {1aE2D8ED-8CDc-5811-8eA1-89F53739A750} - %profile%\extensions\{1aE2D8ED-8CDc-5811-8eA1-89F53739A750}
FF - Ext: Snap Links Plus: snaplinks@snaplinks.mozdev.org - %profile%\extensions\snaplinks@snaplinks.mozdev.org
FF - Ext: Tab Catalog: {049952B3-A745-43bd-8D26-D1349B1ED944} - %profile%\extensions\{049952B3-A745-43bd-8D26-D1349B1ED944}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: YouTube Auto Replay: YouTubeAutoReplay@arikv.com - %profile%\extensions\YouTubeAutoReplay@arikv.com
FF - Ext: TidyRead: tidyread@gmail.com - %profile%\extensions\tidyread@gmail.com
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: µTorrent: {dfdd369d-7bf4-432b-8ad6-e2e7b777116a} - %profile%\extensions\{dfdd369d-7bf4-432b-8ad6-e2e7b777116a}
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: DownThemAll! AntiContainer: anticontainer@downthemall.net - %profile%\extensions\anticontainer@downthemall.net
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: XULRunner: {36EA0E67-1ECB-4ECC-9C04-CC1B5261C221} - c:\documents and settings\pd30\local settings\application data\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
.
============= SERVICES / DRIVERS ===============
.
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2006-1-12 26112]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-26 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 27576]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-12-31 38976]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-26 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1803224]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 SMCSMCWirelessUSB(SMC2662W)(R);SMC SMCWirelessUSB(SMC2662W)(R) Service for SMC EZ Connect Wireless USB Adapter(SMC2662W);c:\windows\system32\drivers\Nets6251.sys [2003-1-17 93312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-23 21:08:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-23 21:08:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-04-23 21:08:20 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-04-23 21:08:20 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-04-23 21:08:20 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-04-23 21:08:20 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-04-23 21:08:20 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-04-23 18:05:59 -------- d-sha-r- C:\cmdcons
2011-04-23 18:03:20 98816 ----a-w- c:\windows\sed.exe
2011-04-23 18:03:20 89088 ----a-w- c:\windows\MBR.exe
2011-04-23 18:03:20 256512 ----a-w- c:\windows\PEV.exe
2011-04-23 18:03:20 161792 ----a-w- c:\windows\SWREG.exe
2011-04-23 17:16:50 -------- d-----w- c:\windows\setup.pss
2011-04-09 13:02:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-09 13:02:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-07 21:20:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 23:10:29 -------- d-----w- c:\docume~1\pd30\locals~1\applic~1\Innovative Solutions
2011-04-02 23:10:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Innovative Solutions
2011-04-02 23:10:23 -------- d-----w- c:\program files\Innovative Solutions
2011-04-02 22:58:31 -------- d-----w- c:\windows\system32\NtmsData
2011-04-02 18:04:16 -------- d-----w- c:\docume~1\pd30\applic~1\Malwarebytes
2011-04-02 18:04:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-02 18:04:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-02 18:03:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 18:03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 19:14:18 0 ----a-w- c:\windows\Hzeyeco.bin
2011-03-29 19:14:16 -------- d-----w- c:\docume~1\pd30\locals~1\applic~1\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
2011-03-26 18:26:29 -------- d-----w- c:\program files\100dof_kidkeylock
.
==================== Find3M ====================
.
2011-04-07 21:20:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 17:19:47.51 ===============
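
The two entries that turn out to matter later in this thread (the zero-byte c:\windows\Hzeyeco.bin and the GUID-named XULRunner "extension" folder in the user's local application data) sit two seconds apart in the "Created Last 30" section above. As an added example, not part of the thread or of the DDS tool, this Python script parses that section's line layout, flags those two patterns, and groups entries created within a few seconds of each other so that a suspicious file shows up together with whatever was dropped alongside it. The regular expressions and the two heuristics are my own assumptions about what is worth flagging; the sample lines are copied from the log above.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Sample input: a handful of lines in the DDS "Created Last 30" layout, taken from the log above.
SAMPLE = r"""
2011-04-23 21:08:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-23 18:05:59 -------- d-sha-r- C:\cmdcons
2011-04-02 18:03:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 19:14:18 0 ----a-w- c:\windows\Hzeyeco.bin
2011-03-29 19:14:16 -------- d-----w- c:\docume~1\pd30\locals~1\applic~1\{36EA0E67-1ECB-4ECC-9C04-CC1B5261C221}
2011-03-26 18:26:29 -------- d-----w- c:\program files\100dof_kidkeylock
"""


class Entry(NamedTuple):
    created: datetime
    size: Optional[int]   # None for directories (DDS prints "--------" instead of a size)
    attrs: str            # e.g. "----a-w-" (file) or "d-----w-" (directory)
    path: str


# timestamp, size-or-dashes, 8-char attribute field, path (may contain spaces)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.+?)\s*$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers")


def parse_created_last_30(text: str) -> List[Entry]:
    """Parse DDS 'Created Last 30' lines; headers, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             None if size.startswith("-") else int(size), attrs, path))
    return entries


def find_suspicious(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristics (assumed, not from DDS): zero-byte files in system dirs, GUID-named items in profiles."""
    hits = []
    for e in entries:
        p = e.path.lower()
        parent, _, name = p.rpartition("\\")
        is_dir = e.attrs.startswith("d")
        if not is_dir and e.size == 0 and parent in SYSTEM_DIRS:
            hits.append((e, "zero-byte file created in a system directory"))
        if GUID_RE.search(name) and ("docume~1" in p or "documents and settings" in p):
            hits.append((e, "GUID-named item created inside a user profile"))
    return hits


def cluster_by_time(entries: List[Entry], window: timedelta = timedelta(seconds=5)) -> List[List[Entry]]:
    """Group entries whose creation times are within `window` of the previous entry (time-sorted)."""
    clusters: List[List[Entry]] = []
    for e in sorted(entries, key=lambda x: x.created):
        if clusters and e.created - clusters[-1][-1].created <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """For each flagged entry: (path, reason, other paths created within the same few seconds)."""
    entries = parse_created_last_30(text)
    clusters = cluster_by_time(entries)
    result = []
    for e, reason in find_suspicious(entries):
        siblings = next(c for c in clusters if e in c)
        result.append((e.path, reason, [s.path for s in siblings if s != e]))
    return result


if __name__ == "__main__":
    for path, reason, siblings in triage(SAMPLE):
        print(f"{path}\n  reason: {reason}\n  created together with: {siblings or 'nothing'}")
```

Run against the full DDS log the same way: paste the whole "Created Last 30" section in place of SAMPLE. The time clustering is what makes the output useful; a single odd filename is easy to dismiss, but a zero-byte .bin in c:\windows and a GUID-named folder in the profile written within two seconds of each other is the kind of pairing that deserves a closer look.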

shelf life
2011-04-24, 01:27
Just for good measure you can run TDSSkiller also.

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report


I am very safe
Just visiting a malicious website can be good enough to get malware; it requires no interaction on your part.

Some (technical) reading if you're interested in it:
Link 1 (http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4)
Link 2 (https://threatpost.com/en_us/blogs/tdl4-rootkit-bypasses-windows-code-signing-protection-111610)

krontype
2011-04-24, 03:34
Hi shelf life,
Thanks for the information links, and I also looked at the links underneath your reply, I'll use this knowledge to help protect myself in the future.

The TDSSkiller log is below.
----------------------------------------------------------------------------

2011/04/23 20:29:04.0250 3424 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/23 20:29:04.0265 3424 ================================================================================
2011/04/23 20:29:04.0265 3424 SystemInfo:
2011/04/23 20:29:04.0265 3424
2011/04/23 20:29:04.0265 3424 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/23 20:29:04.0265 3424 Product type: Workstation
2011/04/23 20:29:04.0265 3424 ComputerName: A1AEA18214A141A
2011/04/23 20:29:04.0265 3424 UserName: pd30
2011/04/23 20:29:04.0265 3424 Windows directory: C:\WINDOWS
2011/04/23 20:29:04.0265 3424 System windows directory: C:\WINDOWS
2011/04/23 20:29:04.0265 3424 Processor architecture: Intel x86
2011/04/23 20:29:04.0265 3424 Number of processors: 2
2011/04/23 20:29:04.0265 3424 Page size: 0x1000
2011/04/23 20:29:04.0265 3424 Boot type: Normal boot
2011/04/23 20:29:04.0265 3424 ================================================================================
2011/04/23 20:29:04.0562 3424 Initialize success
2011/04/23 20:29:47.0093 3580 ================================================================================
2011/04/23 20:29:47.0093 3580 Scan started
2011/04/23 20:29:47.0093 3580 Mode: Manual;
2011/04/23 20:29:47.0093 3580 ================================================================================
2011/04/23 20:29:47.0578 3580 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/23 20:29:47.0687 3580 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/23 20:29:47.0812 3580 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/23 20:29:47.0906 3580 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2011/04/23 20:29:48.0234 3580 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/23 20:29:48.0343 3580 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/23 20:29:48.0531 3580 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/23 20:29:48.0609 3580 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/23 20:29:48.0703 3580 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/23 20:29:48.0812 3580 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/23 20:29:48.0937 3580 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/23 20:29:49.0062 3580 b57w2k (e5359a62ef537c4c25e364029272b439) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/23 20:29:49.0140 3580 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/23 20:29:49.0250 3580 CA561 (1fa7ff7ba22769b414aee5965fdb05b4) C:\WINDOWS\system32\Drivers\SPCA561.SYS
2011/04/23 20:29:49.0453 3580 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/23 20:29:49.0562 3580 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/23 20:29:49.0703 3580 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/23 20:29:49.0796 3580 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/23 20:29:49.0875 3580 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/23 20:29:50.0031 3580 cmdGuard (dd530ee7d9efbb0ec42aebe7226b8a93) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2011/04/23 20:29:50.0140 3580 cmdHlp (07cbbe993ed08a52dafac1e6cf27b6a5) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2011/04/23 20:29:50.0500 3580 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/23 20:29:50.0640 3580 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/23 20:29:50.0781 3580 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/23 20:29:50.0890 3580 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/23 20:29:51.0015 3580 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/23 20:29:51.0140 3580 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/23 20:29:51.0250 3580 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/23 20:29:51.0359 3580 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/23 20:29:51.0468 3580 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/23 20:29:51.0593 3580 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/23 20:29:51.0687 3580 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/23 20:29:51.0781 3580 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/23 20:29:51.0890 3580 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/23 20:29:52.0000 3580 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/23 20:29:52.0093 3580 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2011/04/23 20:29:52.0203 3580 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/23 20:29:52.0343 3580 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/23 20:29:52.0468 3580 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/23 20:29:52.0625 3580 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/23 20:29:52.0734 3580 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/23 20:29:52.0875 3580 Inspect (8154a2c13b72b08db11157673c60c3eb) C:\WINDOWS\system32\DRIVERS\inspect.sys
2011/04/23 20:29:53.0000 3580 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/23 20:29:53.0093 3580 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/23 20:29:53.0187 3580 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/23 20:29:53.0281 3580 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/23 20:29:53.0406 3580 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/23 20:29:53.0515 3580 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/23 20:29:53.0640 3580 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/23 20:29:53.0734 3580 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/23 20:29:53.0843 3580 iteraid (979836fc6dc05218b4e93e5ccea5654b) C:\WINDOWS\system32\DRIVERS\iteraid.sys
2011/04/23 20:29:53.0953 3580 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/23 20:29:54.0078 3580 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/23 20:29:54.0171 3580 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/23 20:29:54.0296 3580 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/23 20:29:54.0406 3580 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/23 20:29:54.0500 3580 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/23 20:29:54.0593 3580 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/23 20:29:54.0671 3580 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/23 20:29:54.0781 3580 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/23 20:29:54.0906 3580 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/23 20:29:55.0031 3580 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/23 20:29:55.0125 3580 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/23 20:29:55.0218 3580 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/23 20:29:55.0312 3580 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/23 20:29:55.0406 3580 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/23 20:29:55.0515 3580 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/23 20:29:55.0609 3580 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/23 20:29:55.0734 3580 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/23 20:29:55.0843 3580 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/23 20:29:55.0937 3580 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/23 20:29:56.0031 3580 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/23 20:29:56.0171 3580 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/23 20:29:56.0281 3580 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/23 20:29:56.0390 3580 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/23 20:29:56.0500 3580 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/23 20:29:56.0625 3580 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/23 20:29:56.0781 3580 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/23 20:29:56.0937 3580 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/23 20:29:57.0109 3580 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/23 20:29:57.0250 3580 nv (6f6f92603a4311a466f0241e8ef951fb) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/23 20:29:57.0468 3580 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/23 20:29:57.0562 3580 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/23 20:29:57.0687 3580 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/23 20:29:57.0765 3580 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/23 20:29:57.0843 3580 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/23 20:29:57.0937 3580 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/23 20:29:58.0062 3580 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/23 20:29:58.0156 3580 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/23 20:29:58.0546 3580 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/23 20:29:58.0640 3580 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/23 20:29:58.0734 3580 PSSDK42 (c8eb36910d3bd582891977e80925e21e) C:\WINDOWS\system32\Drivers\pssdk42.sys
2011/04/23 20:29:58.0828 3580 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/23 20:29:58.0921 3580 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/23 20:29:59.0140 3580 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/23 20:29:59.0234 3580 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/23 20:29:59.0328 3580 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/23 20:29:59.0437 3580 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/23 20:29:59.0531 3580 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/23 20:29:59.0625 3580 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/23 20:29:59.0734 3580 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/23 20:29:59.0828 3580 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/23 20:29:59.0937 3580 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/23 20:30:00.0031 3580 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/04/23 20:30:00.0093 3580 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/04/23 20:30:00.0171 3580 SbieDrv (848c7a79dae9abccae1952ba561729f8) C:\Program Files\Sandboxie\SbieDrv.sys
2011/04/23 20:30:00.0296 3580 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/23 20:30:00.0421 3580 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/23 20:30:00.0500 3580 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/23 20:30:00.0609 3580 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/23 20:30:00.0703 3580 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/23 20:30:00.0796 3580 SMCSMCWirelessUSB(SMC2662W)(R) (7d4b6dca2435b8d3e1cbcfc600f63319) C:\WINDOWS\system32\DRIVERS\Nets6251.sys
2011/04/23 20:30:00.0921 3580 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/23 20:30:00.0984 3580 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/23 20:30:01.0062 3580 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/23 20:30:01.0203 3580 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/04/23 20:30:01.0296 3580 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/23 20:30:01.0390 3580 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/23 20:30:01.0500 3580 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/23 20:30:01.0703 3580 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/23 20:30:01.0765 3580 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/23 20:30:01.0875 3580 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/23 20:30:01.0937 3580 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/23 20:30:02.0000 3580 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/23 20:30:02.0093 3580 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/23 20:30:02.0203 3580 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/23 20:30:02.0343 3580 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/23 20:30:02.0484 3580 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/23 20:30:02.0531 3580 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/23 20:30:02.0578 3580 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/23 20:30:02.0609 3580 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/23 20:30:02.0687 3580 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/23 20:30:02.0765 3580 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/23 20:30:02.0828 3580 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/23 20:30:02.0937 3580 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/23 20:30:03.0015 3580 ================================================================================
2011/04/23 20:30:03.0015 3580 Scan finished
2011/04/23 20:30:03.0015 3580 ================================================================================

shelf life
2011-04-24, 04:24
hi,

See if you can find this .bin file in the system32 directory; if so, you can delete it. Then we can call it quits. To help show all files you can do this:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

c:\windows\Hzeyeco.bin
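
The Folder Options dialog described above writes three values under the current user's Explorer "Advanced" registry key. As an added example, not from the thread, the PowerShell below reads those values, reports which ones differ from the "show everything" settings, and can apply them; it then checks whether the .bin file is present. It assumes PowerShell is installed on the machine (the thread itself uses the GUI); the value names and meanings are the standard Explorer ones.

```powershell
# Added example: check/apply the Explorer view settings from the Folder Options dialog.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Hidden        = 1 shows hidden files and folders (2 hides them)
# ShowSuperHidden = 1 shows protected operating system files (0 hides them)
# HideFileExt   = 0 shows extensions for known file types (1 hides them)
$wanted = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }

function Get-FolderViewState {
    $props = Get-ItemProperty -Path $advanced
    foreach ($name in $wanted.Keys) {
        New-Object PSObject -Property @{
            Setting = $name
            Current = $props.$name
            Wanted  = $wanted[$name]
            Ok      = ($props.$name -eq $wanted[$name])
        }
    }
}

function Set-FolderViewState {
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord
    }
    # Explorer reads these when a window is created: open a new window (or restart explorer.exe).
}

Get-FolderViewState | Format-Table Setting, Current, Wanted, Ok -AutoSize
# Set-FolderViewState   # uncomment to apply the three settings

# The file shelf life is asking about; Test-Path sees it regardless of the hidden/system attributes.
Test-Path 'c:\windows\Hzeyeco.bin'
```

Test-Path does not depend on Explorer's view settings, so it is a quick way to confirm a file is really there before hunting for it in a window that may still be hiding system files.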

krontype
2011-04-24, 18:12
Hi shelf life,
I went to the location c:\windows\Hzeyeco.bin and deleted the hzeyeco.bin file.
Since the bootkit infection has been removed my computer is able to boot up with the secondary hard drive installed and my external usb drive connected.
Also I am no longer getting redirected to advertisements when browsing.
Shelf life thank you very much for your help. It is greatly appreciated.

shelf life
2011-04-24, 19:27
hi,

You're welcome. You can remove combofix like this;
start>run and type in: combofix /uninstall
click ok or enter
note the space after the x and before the /

You can delete the tdsskiller icon and logs.
Note the free version of malwarebytes must be updated manually and a scan started manually.

The how and why of making a new restore point:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.



To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

And last if all is good;

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer cannot stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself. How to harden FireFox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file? A file can be named anything, be nothing but malware or have malware bundled in it.


More info/tips with pictures in links below.

Happy Safe Surfing.
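
The three-step reset of System Restore above (turn off, reboot, turn on) can also be driven from the SystemRestore WMI class that Windows XP exposes, which is handy when you want to see what restore points exist before and after. This is an added example, not from the thread; it assumes PowerShell is installed and is run from an administrator account, and the reboot between the two steps is still done by hand. The restore point type and event type constants are the documented WMI values.

```powershell
# Added example: System Restore reset through WMI instead of the System Properties dialog.
$sr = [wmiclass]'\\.\root\default:SystemRestore'

function Get-RestorePoints {
    # Each SystemRestore instance is one restore point; on a fresh reset this list should be short.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Select-Object SequenceNumber, CreationTime, Description
}

function Disable-RestoreOnDrive([string]$Drive = 'C:\') {
    # Step 1: turning System Restore off discards every existing (possibly infected) restore point.
    $sr.Disable($Drive).ReturnValue    # 0 means success
}

function Enable-RestoreOnDrive([string]$Drive = 'C:\') {
    # Step 3, after the reboot: turn it back on and create one fresh restore point on the clean system.
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -eq 0) {
        # 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE event type
        $rc = $sr.CreateRestorePoint('Clean after malware removal', 0, 100).ReturnValue
    }
    $rc
}

'Restore points before the reset:'
Get-RestorePoints | Format-Table -AutoSize
# Disable-RestoreOnDrive      # step 1, then reboot
# Enable-RestoreOnDrive       # step 3, after the reboot
```

Run Get-RestorePoints again after step 3: the only entry left should be the one just created, which confirms the old points were actually purged rather than just hidden.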

krontype
2011-04-24, 22:27
Hi shelf life,
I uninstalled combofix, deleted tdsskiller and logs and followed your instructions on creating a new restore point. I will make a note of the 10 tips. Again thanks a lot for all your help.