Yet another Google/Yahoo search redirect



EastPoint
2011-09-07, 04:35
Whenever I try to search for something, when I click on results, it runs it through "excellentsearchserver.com." Whatever it is, it has also shut down Microsoft Security Essentials. When I try to get it started, it gives me an error code and says it cannot start. Windows Firewall has also started flagging all sorts of stuff. I read the "before you post" thread, and here are my DDS and Spybot logs. Thanks in advance for the assistance. I have absolutely no clue how I got this, whatever it is.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Owner at 20:19:35 on 2011-09-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.870 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\2156546587:3837097343.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB1453] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD7749] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB916] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD6728] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB5224] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD5350] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB946] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD9358] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6286] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD4652] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6738] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD181] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6267] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD306] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB7139] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD2241] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [SpybotDeletingA5763] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC9290] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA2169] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC3365] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA6262] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC7076] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA5425] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC3206] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\auctio~2.lnk - c:\program files\auction sentry\AuctionSentry.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BF35280A-299A-4AED-8A2B-34E08AD607E0} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\w0zq0ap0.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Beef Taco (Targeted Advertising Cookie Opt-Out): john@velvetcache.org - %profile%\extensions\john@velvetcache.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
R1 MpKsl3562c781;MpKsl3562c781;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\MpKsl3562c781.sys [2011-9-6 28752]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-8-29 876288]
RUnknown 12726213;12726213; [x]
RUnknown 2540268drv;2540268drv; [x]
RUnknown 44758743;44758743; [x]
S1 MpKsl22226c78;MpKsl22226c78;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\mpksl22226c78.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\MpKsl22226c78.sys [?]
S1 MpKsl3d641bee;MpKsl3d641bee;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b459db97-b8b8-4aac-9462-c49cb9e72f8e}\mpksl3d641bee.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b459db97-b8b8-4aac-9462-c49cb9e72f8e}\MpKsl3d641bee.sys [?]
S1 MpKsl68b0bf29;MpKsl68b0bf29;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{58748ece-7e4f-4b0a-91b7-8d9be2025a58}\mpksl68b0bf29.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{58748ece-7e4f-4b0a-91b7-8d9be2025a58}\MpKsl68b0bf29.sys [?]
S1 MpKsl69d2afe1;MpKsl69d2afe1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ac9aee1-5d28-4142-a004-5d250ee3c4ce}\mpksl69d2afe1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ac9aee1-5d28-4142-a004-5d250ee3c4ce}\MpKsl69d2afe1.sys [?]
S1 MpKsl7313c79e;MpKsl7313c79e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ce840b-4a02-4d7c-9af0-c3e331fc602e}\mpksl7313c79e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ce840b-4a02-4d7c-9af0-c3e331fc602e}\MpKsl7313c79e.sys [?]
S1 MpKsl823ebdca;MpKsl823ebdca;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11e5b5f5-7888-4145-b901-c565f5cca65d}\mpksl823ebdca.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11e5b5f5-7888-4145-b901-c565f5cca65d}\MpKsl823ebdca.sys [?]
S1 MpKsl8cd45f5f;MpKsl8cd45f5f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\mpksl8cd45f5f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\MpKsl8cd45f5f.sys [?]
S1 MpKsl999a55f6;MpKsl999a55f6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{463db425-8dfd-4bfc-ab80-adaa78c8ef6f}\mpksl999a55f6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{463db425-8dfd-4bfc-ab80-adaa78c8ef6f}\MpKsl999a55f6.sys [?]
S1 MpKslbc9abae4;MpKslbc9abae4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e9079ac-8e4e-45d6-b974-7173776979ae}\mpkslbc9abae4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e9079ac-8e4e-45d6-b974-7173776979ae}\MpKslbc9abae4.sys [?]
S1 MpKslbe29ffa4;MpKslbe29ffa4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2874cf-83dc-42f8-b7ad-c7bdaa9fa790}\mpkslbe29ffa4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2874cf-83dc-42f8-b7ad-c7bdaa9fa790}\MpKslbe29ffa4.sys [?]
S1 MpKslf3d7030f;MpKslf3d7030f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a05109c1-3d74-4558-85c9-1fbf5fc92b61}\mpkslf3d7030f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a05109c1-3d74-4558-85c9-1fbf5fc92b61}\MpKslf3d7030f.sys [?]
S1 MpKslf62857d4;MpKslf62857d4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eacab5fd-ad09-4d62-944d-8b3f8039c64f}\mpkslf62857d4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eacab5fd-ad09-4d62-944d-8b3f8039c64f}\MpKslf62857d4.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-07 00:41:01 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth
2011-09-06 12:50:14 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\MpKsl3562c781.sys
2011-09-05 13:36:32 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\mpengine.dll
2011-09-04 03:25:28 -------- d-----w- c:\program files\iPod
2011-09-04 03:25:11 -------- d-----w- c:\program files\iTunes
2011-08-17 04:45:44 -------- d-----w- c:\windows\Logs
2011-08-17 04:01:02 -------- d-----w- c:\program files\common files\Steam
2011-08-17 04:00:59 -------- d-----w- c:\program files\Steam
2011-08-10 12:36:27 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 12:36:15 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 00:05:08 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
.
==================== Find3M ====================
.
2011-08-25 10:37:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-11 02:41:28 1080 ----a-w- c:\windows\AUTOLNCH.REG
.
============= FINISH: 20:19:53.37 ===============


Spybot Search and Destroy results:
Win32.AVKillsvc.e: [SBI $ACD9F3FA] Data (File, fixed)
C:\WINDOWS\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355918
Properties.filedatetext=2011-09-06 19:38:38

Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355926
Properties.filedatetext=2011-09-06 19:38:45

Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355926
Properties.filedatetext=2011-09-06 19:38:46

Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\Owner\Local Settings\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355925
Properties.filedatetext=2011-09-06 19:38:44


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-09-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-08-29 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-08-31 Includes\Malware.sbi (*)
2011-08-30 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-06-14 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-06-20 Includes\Trojans.sbi (*)
2011-08-29 Includes\TrojansC-02.sbi (*)
2011-08-09 Includes\TrojansC-03.sbi (*)
2011-08-30 Includes\TrojansC-04.sbi (*)
2011-08-29 Includes\TrojansC-05.sbi (*)
2011-08-23 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Well, now my computer won't go past a startup screen, whether or not I restart in safe mode. It just gets stuck there and won't go any further. I'm using my old computer right now.

ken545
2011-09-11, 14:09


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

You're infected with the ZeroAccess rootkit.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
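A quick automated triage of the DDS log posted above, as an added example that is not part of this thread and not code from the DDS tool: it splits a DDS log into its sections and flags three anomalies that are visible in the first log and that a practitioner would want surfaced without reading line by line (a Running Processes entry that runs from an NTFS alternate data stream, C:\WINDOWS\2156546587:3837097343.exe; RUnknown services with numeric names and no image file; and an AV product reported as Disabled in the header). The heuristics are the editor's, and the two embedded log excerpts are constructed for the example (the first is cut down from the log above, the second is modeled on a clean post-reinstall log), not DDS output captured here.

```python
r"""Triage a DDS log (the format posted in this thread) for rootkit indicators.

Editor's added example; not part of the thread and not code from the DDS tool.
Heuristics (the editor's, chosen from what is visible in the first log):
  * a Running Processes path holding an NTFS alternate data stream, i.e. a
    second ':' after the drive letter, e.g. C:\WINDOWS\2156546587:3837097343.exe
  * SERVICES / DRIVERS entries of type RUnknown with no image file ("[x]")
  * an "AV:" header line that reports a product as Disabled
The two log excerpts at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass, field

SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")           # "=== Running Processes ==="
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*[^\\]:[^\\]+$")        # drive colon, then a colon inside the file name
NOFILE_SERVICE = re.compile(r"^RUnknown\s+([^;]+);[^;]*;\s*\[x\]")
AV_LINE = re.compile(r"^AV:\s+(.+?)\s+\*(Enabled|Disabled)/")


@dataclass
class Findings:
    ads_processes: list = field(default_factory=list)
    nofile_services: list = field(default_factory=list)
    disabled_av: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        return bool(self.ads_processes or self.nofile_services or self.disabled_av)


def parse_sections(text: str) -> dict:
    """Split a DDS log into {section title: [lines]}; header lines go under ''.
    DDS pads sections with lone '.' lines, which are dropped."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def triage(text: str) -> Findings:
    """Apply the three heuristics to the relevant sections of one DDS log."""
    sections = parse_sections(text)
    f = Findings()
    for line in sections.get("", []):                      # AV: lines live in the header
        m = AV_LINE.match(line)
        if m and m.group(2) == "Disabled":
            f.disabled_av.append(m.group(1))
    for line in sections.get("Running Processes", []):
        if ADS_PATH.match(line):
            f.ads_processes.append(line)
    for line in sections.get("SERVICES / DRIVERS", []):
        m = NOFILE_SERVICE.match(line)
        if m:
            f.nofile_services.append(m.group(1))
    return f


def summarize(f: Findings) -> list:
    """One human-readable line per hit; an empty list means nothing was flagged."""
    out = [f"process running from an alternate data stream: {p}" for p in f.ads_processes]
    out += [f"RUnknown service with no image file: {s}" for s in f.nofile_services]
    out += [f"AV product reported as Disabled: {a}" for a in f.disabled_av]
    return out


# Constructed excerpt, cut down from the infected log posted in this thread.
INFECTED_EXCERPT = r"""DDS (Ver_2011-08-26.01) - NTFSx86
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2156546587:3837097343.exe
C:\Program Files\Microsoft Security Client\msseces.exe
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
RUnknown 12726213;12726213; [x]
RUnknown 2540268drv;2540268drv; [x]
RUnknown 44758743;44758743; [x]
.
============= FINISH: 20:19:53.37 ===============
"""

# Constructed excerpt modeled on a clean post-reinstall DDS log.
CLEAN_EXCERPT = r"""DDS (Ver_2011-08-26.01) - NTFSx86
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
.
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
"""

if __name__ == "__main__":
    for label, log in (("infected", INFECTED_EXCERPT), ("clean", CLEAN_EXCERPT)):
        print(label, summarize(triage(log)) or ["nothing flagged"])
```

Run it as-is and the infected excerpt yields five hits while the clean one yields none. These heuristics only cover what this particular log makes visible; an empty result says nothing about hidden drivers or patched system files, which is why the advice in this thread is a full format and reinstall rather than trusting a log that looks clean.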

EastPoint
2011-09-11, 17:43
Currently my computer will not start up past the Windows loading screen, whether or not I restart in safe mode.

ken545
2011-09-11, 18:29
Try the LAST KNOWN GOOD CONFIGURATION

To Access Last Known Good

Go to Start> Shut off your Computer> Restart
Or if the computer is off press the power button
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

EastPoint
2011-09-11, 19:33
When I load in the Last Known Good configuration, it just loads the Windows XP screen, then goes to a black screen with the mouse pointer on it, and doesn't go any further than that. If I load in Safe Mode it does the same thing. I can't get it past that screen.

ken545
2011-09-11, 19:39
Well, the ZeroAccess rootkit is a very serious infection; it's capable of all sorts of things, from stealing passwords and bank account numbers on, and the list goes on. The best thing to do is to format and reinstall Windows; then you're guaranteed a nice safe and reliable computer.

If you have not done so already you need to access a known clean computer and go online and change all your passwords for any banking or online shopping sites you may use.

Do you have your windows CD or the Recovery CD that came with your system ?

EastPoint
2011-09-11, 19:44
I have a Windows Recovery Disk. Is there any way to do things without losing all the files on that computer?

ken545
2011-09-11, 19:54
Well, possibly, but I'm not sure how seriously Windows is damaged. I have been at this for many years and I can't stress enough to my friends and people that I work with to back up their data on a regular basis, and it's not rocket science: a $30 USB thumb drive would save it all, but people just don't seem to have the time to do this; they always wait until it's too late and disaster has struck.

I would like you to post here at this Windows forum; they're more in tune to helping you with your problem. You can link them to this thread so they can see what we have done and make them aware of the rootkit infection.

http://forums.whatthetech.com/index.php?showforum=119

Good luck,
Ken :)

EastPoint
2011-09-11, 20:06
I have posted on that forum. A friend of mine suggested a SATA to USB adaptor to pull data off the hard drive. Once I do that, if I format and reinstall, then is the rootkit gone?

ken545
2011-09-11, 20:22
Most likely, as long as you do a complete format and reinstall of Windows, not just a Windows repair. This rootkit is fairly new, so we are not sure right now of all it's capable of. What I would do is, after you pull your data and do a reinstall, come back to this forum and post a new DDS log for me to look at. Threads are closed after 3 days of no replies, but I will hold this one open for you; in the event it's closed, you can PM me or a moderator (TASHI) to reopen it for you.

EastPoint
2011-09-20, 17:22
Thanks for the help. I pulled all my files off and reinstalled Windows XP, and things appear to be fine. Here is my log file from DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Ben at 9:18:57 on 2011-09-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.693 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\auctio~1.lnk - c:\program files\auction sentry\AuctionSentry.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A089FB6D-B4EB-4BF8-A54E-96103912FA8C} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ben\application data\mozilla\firefox\profiles\4awb145r.default\
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]
R1 AsrAppCharger;AsrAppCharger;c:\windows\system32\drivers\AsrAppCharger.sys [2011-9-18 13832]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AMDRAIDXpert;AMD RAIDXpert;c:\program files\amd\raidxpert\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-1 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-9-18 101392]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-9-19 2127728]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [2011-9-19 1656960]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
.
=============== Created Last 30 ================
.
2011-09-20 02:27:00 -------- d-----w- c:\program files\AMD APP
2011-09-20 02:25:44 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-09-20 02:25:44 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-09-20 02:25:44 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-09-20 02:25:44 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-09-20 02:25:44 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-09-20 02:25:44 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-09-20 02:25:44 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-09-20 02:25:44 118784 ----a-w- c:\windows\system32\atibtmon.exe
2011-09-20 02:08:32 8704 ----a-r- c:\windows\system32\viahdcpl.cpl
2011-09-20 02:08:25 2127728 ----a-r- c:\windows\system32\drivers\viahduaa.sys
2011-09-20 02:08:25 1656960 ----a-r- c:\windows\system32\drivers\Ambfilt.sys
2011-09-20 02:08:25 1389056 ----a-r- c:\windows\system32\drivers\Monfilt.sys
2011-09-20 02:08:06 331184 ------w- c:\windows\system32\difxapi.dll
2011-09-20 02:08:06 -------- d-----w- c:\program files\VIA
2011-09-20 01:18:16 -------- d-----w- c:\documents and settings\ben\local settings\application data\PCHealth
2011-09-19 23:44:45 -------- d-----w- c:\windows\system32\appmgmt
2011-09-19 23:41:46 -------- d-----w- c:\documents and settings\ben\application data\3v
2011-09-19 23:36:57 -------- d-----w- c:\documents and settings\all users\application data\PC Drivers HeadQuarters
2011-09-19 23:35:51 -------- d-----w- c:\program files\Realtek AC97
2011-09-19 23:28:11 577536 ----a-w- c:\windows\soundman.exe
2011-09-19 23:28:11 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-09-19 23:28:11 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-09-19 23:28:10 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
2011-09-19 23:28:10 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-09-19 23:27:41 315392 ----a-w- c:\windows\alcupd.exe
2011-09-19 23:27:41 217088 ----a-w- c:\windows\alcrmv.exe
2011-09-19 23:16:34 -------- d-----w- c:\documents and settings\ben\application data\ElevatedDiagnostics
2011-09-19 04:35:10 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-19 04:34:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-19 04:34:40 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-19 04:34:40 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-19 04:34:40 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-19 04:34:40 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-19 04:34:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-19 04:34:40 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-19 04:34:40 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-19 04:34:40 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-19 04:34:40 -------- d-----w- C:\61d41c41128e6e062393
2011-09-19 03:52:35 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-09-19 01:38:06 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-09-19 01:37:39 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-09-19 01:37:35 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-19 01:37:02 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 01:37:01 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-19 01:35:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-19 01:35:37 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-18 15:18:17 101392 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys
2011-09-18 15:17:59 -------- d-----w- c:\program files\ATI
2011-09-18 15:17:25 -------- d-----w- C:\ATI
2011-09-18 14:43:15 -------- d-----w- c:\program files\Auction Sentry
2011-09-18 14:05:59 -------- d-----w- c:\documents and settings\ben\local settings\application data\ATI
2011-09-18 13:53:51 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2011-09-18 13:53:51 -------- d-----w- c:\program files\AMD
2011-09-18 13:53:18 13832 ----a-w- c:\windows\system32\drivers\AsrAppCharger.sys
2011-09-18 13:53:18 -------- d-----w- c:\program files\ASRock Utility
2011-09-18 13:49:35 -------- d-----w- c:\documents and settings\ben\local settings\application data\Apple
2011-09-18 13:49:25 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-09-18 13:49:25 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-09-18 13:48:57 -------- d-----w- c:\program files\Bonjour
2011-09-18 13:48:29 -------- d-----w- c:\documents and settings\ben\local settings\application data\Apple Computer
2011-09-18 13:47:45 -------- d-----w- c:\windows\OPTIONS
2011-09-18 06:08:42 -------- d-----w- c:\program files\Intel Desktop Board
2011-09-18 06:06:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-18 06:06:15 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-18 06:06:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-18 06:02:00 -------- d-----w- C:\Intel
2011-09-18 05:54:57 -------- d-----w- c:\program files\ATI Technologies
2011-09-18 05:54:48 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-09-18 05:54:48 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-09-18 05:54:48 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-09-18 05:54:48 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-09-18 05:54:48 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-09-18 05:54:48 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-09-18 05:54:48 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-09-18 05:53:21 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-09-18 05:53:21 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-09-18 05:53:21 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-09-18 05:53:21 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-09-18 05:53:21 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-09-18 05:52:10 49152 ----a-w- c:\windows\system32\ChCfg.exe
2011-09-18 05:52:02 3624832 ----a-w- c:\windows\system32\drivers\RtHDMI.sys
2011-09-18 05:52:02 1191936 ----a-w- c:\windows\RtkUpd.exe
2011-09-18 05:52:02 -------- d-----w- c:\program files\Realtek
2011-09-18 05:51:56 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-09-18 05:51:55 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2011-09-18 05:51:55 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2011-09-18 05:51:55 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2011-09-18 05:51:55 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-09-18 05:51:55 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2011-09-18 05:51:55 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2011-09-18 05:51:54 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2011-09-18 05:51:54 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2011-09-18 05:48:53 -------- d-sh--w- c:\documents and settings\ben\IECompatCache
2011-09-18 05:48:36 -------- d-sh--w- c:\documents and settings\ben\PrivacIE
2011-09-18 05:47:48 -------- d-----w- c:\documents and settings\ben\application data\AVG2012
2011-09-18 05:47:00 -------- d-----w- c:\windows\system32\drivers\AVG
2011-09-18 05:47:00 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-18 05:46:44 -------- d-----w- c:\program files\AVG
2011-09-18 05:45:02 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2011-09-18 05:45:02 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-09-18 05:45:01 83072 -c--a-w- c:\windows\system32\dllcache\wdmaud.sys
2011-09-18 05:45:01 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-09-18 05:45:00 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
2011-09-18 05:45:00 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2011-09-18 05:31:30 -------- d-----w- c:\windows\system32\scripting
2011-09-18 05:31:30 -------- d-----w- c:\windows\l2schemas
2011-09-18 05:31:29 -------- d-----w- c:\windows\system32\en
2011-09-18 05:31:29 -------- d-----w- c:\windows\system32\bits
2011-09-18 05:29:02 -------- d-----w- c:\windows\network diagnostic
2011-09-18 05:28:02 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-09-18 05:14:41 -------- d-sh--w- c:\documents and settings\ben\IETldCache
2011-09-18 04:47:11 -------- d-----w- c:\documents and settings\ben\application data\Trillian
2011-09-18 04:27:32 -------- d-----w- c:\windows\Downloaded Installations
2011-09-18 04:21:04 -------- d-----w- c:\windows\ie8updates
2011-09-18 04:20:47 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-09-18 04:20:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-09-18 04:20:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-09-18 04:20:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-09-18 04:20:45 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-09-18 04:20:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-09-18 04:20:43 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-09-18 04:18:22 -------- dc-h--w- c:\windows\ie8
2011-09-18 04:09:52 -------- d-----w- c:\windows\ServicePackFiles
2011-09-18 04:02:27 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-09-18 03:57:51 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-09-18 03:57:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-18 03:54:01 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-09-18 03:50:57 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-09-18 03:48:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-09-18 03:48:20 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-09-18 03:43:52 0 ----a-w- c:\windows\ativpsrm.bin
2011-09-18 03:41:18 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-09-18 03:41:18 505816 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
2011-09-18 03:41:18 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-09-18 03:41:18 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-09-18 03:41:18 1000920 ----a-w- c:\program files\mozilla firefox\js3250.dll
2011-09-18 03:38:46 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-18 03:38:46 -------- d-----w- c:\windows\system32\PreInstall
2011-09-18 03:38:45 -------- d--h--w- c:\windows\$hf_mig$
2011-09-18 03:36:25 -------- d-s---w- c:\documents and settings\ben\UserData
2011-09-18 03:35:45 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-09-18 03:35:29 -------- d-----w- c:\windows\system32\LogFiles
2011-09-17 17:29:13 -------- d-----w- C:\Netgear
2011-09-17 17:10:07 -------- d-s---w- c:\windows\system32\Microsoft
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-28 22:49:12 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-07-28 22:48:54 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-28 22:48:36 13555712 ----a-w- c:\windows\system32\amdocl.dll
2011-07-28 22:20:10 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 21:34:58 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32:10 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31:06 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:15:32 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14:02 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13:50 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13:20 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12:06 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:05:36 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:01:08 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-28 21:00:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59:14 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55:02 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-28 20:53:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-11 06:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-07-11 06:14:30 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-07-11 06:14:28 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2011-07-11 06:14:28 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-07-11 06:14:26 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-07-11 06:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-07-11 06:13:42 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 9:20:03.73 ===============

ken545
2011-09-20, 19:34
Looks good my friend :bigthumb:


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

EastPoint
2011-09-21, 03:25
Thank you for your assistance. I greatly appreciate the help.

ken545
2011-09-21, 10:59
You're very welcome,

Take care,

Ken :)